Provider Key API

Provider Key API

Use the Provider Key API to manage upstream credentials used for model access. Only the primary account administrator can call these endpoints.

export BASE_URL="https://api.xaicontrol.com"
export API_KEY="sk-Xvs..."

Endpoints

Method and pathDescription
GET /x-keys?fields=summaryList Provider Keys
GET /x-keys/{id}?fields=summaryGet one Key
POST /x-keysAdd a Key
PUT /x-keys/{id}Update a Key
DELETE /x-keys/{id}Delete a Key
POST /x-keys/{id}/sleepPause a Key
POST /x-keys/{id}/wakeResume a Key

Query Keys

Always prefer fields=summary; it omits the complete Provider Secret and sensitive configuration.

curl "$BASE_URL/x-keys?fields=summary&page=1&size=20" \
  -H "Authorization: Bearer $API_KEY"

Optional filters:

ParameterDescription
idKey ID
levelKey group
providerProvider URL
page / sizePagination

Summary response:

[
  {
    "ID": 42,
    "Name": "OpenAI Primary",
    "Level": 1,
    "Provider": "https://api.openai.com",
    "PartialKey": "...last-20-characters",
    "NoSleep": false,
    "Status": true,
    "Sleeping": false,
    "CreatedAt": "2026-07-18T08:00:00Z"
  }
]

Pagination metadata is returned in X-Total-Count, X-Total-Pages, X-Page, and X-Per-Page response headers.

Add a Key

POST /x-keys
curl -X POST "$BASE_URL/x-keys" \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "OpenAI Primary",
    "Level": 1,
    "Provider": "https://api.openai.com",
    "SecretKey": "sk-provider-secret-xxxxxxxx",
    "Status": true,
    "NoSleep": false,
    "config": {"provider_type": "standard"}
  }'
FieldRequiredDescription
ProviderYesUpstream HTTPS Base URL; it cannot point back to this Router
SecretKeyYesUpstream credential, at least 20 characters
NameNoHuman-readable label
LevelYesKey group; use a positive integer
StatusYesWhether the Key is enabled; set it to true for normal use
NoSleepNoPrevent automatic sleeping for this Key
configNoProvider type and cloud-specific options

Standard OpenAI, Anthropic, and similar bearer/API-key services normally use provider_type: standard. Use the console form for Azure, AWS, Vertex, and other cloud-specific fields. Never log SecretKey or sensitive config values.

Update a Key

PUT /x-keys/{id}

Send only fields that need to change:

curl -X PUT "$BASE_URL/x-keys/42" \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "OpenAI Production",
    "Status": true,
    "NoSleep": true
  }'

Submit a new SecretKey to rotate the upstream credential. The Router refreshes the corresponding Key cache and scheduling state after a successful update.

Pause and resume

curl -X POST "$BASE_URL/x-keys/42/sleep" \
  -H "Authorization: Bearer $API_KEY"

curl -X POST "$BASE_URL/x-keys/42/wake" \
  -H "Authorization: Bearer $API_KEY"
  • sleep removes the Key from normal scheduling immediately.
  • wake clears the sleeping state and schedules recovery.
  • For a long-term disable, update the Key with Status: false.

Delete a Key

curl -X DELETE "$BASE_URL/x-keys/42" \
  -H "Authorization: Bearer $API_KEY"

Deletion cannot be undone. Before deleting a Key, make sure another usable Key remains in the same Level.

Security guidance

  • Use fields=summary for list queries.
  • Use separate Provider Keys for separate environments.
  • Rotate upstream credentials regularly and disable unused Keys promptly.
  • Never place Provider Secrets in frontend code, URLs, logs, or support tickets.
  • Apply least privilege and budget limits to cloud credentials.