Key Management

API keys with scoping, rotation, and audit trails

Enterprise-grade key management for AI provider credentials. Per-proxy scoping, automatic rotation, encrypted storage, and role-based access control — all built in.

AES-256: Encryption at rest
Per-proxy: Key scoping
Immutable: Audit logging

Key Lifecycle

Create, rotate, and revoke from one dashboard.

Key                 Action   Scope            Age
sk-prod-4o-001      Created  px_acme_prod     12 days
sk-prod-claude-002  Rotated  px_acme_prod     3 days
sk-staging-001      Active   px_acme_staging  45 days
sk-dev-gemini-001   Active   px_acme_dev      8 days
sk-prod-4o-000      Revoked  px_acme_prod     90 days

Rotation Process

Zero-downtime rotation in four steps.

1. Generate new key: New API key created and encrypted. Old key remains active.

2. Validate connectivity: Automatic health check confirms the new key works with the provider.

3. Migrate traffic: Requests gradually shift to the new key. Zero downtime.

4. Revoke old key: Grace period expires. Old key is permanently revoked and logged.
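
The four steps above modelled as a small local state machine. This is an added illustration, not Bastio's implementation: the class and method names, the traffic shares and the one-hour grace period are assumptions, and the key names are the sample labels from the lifecycle table.

```python
import random

class KeySlot:
    """Local model of one credential slot moving through the four rotation steps."""
    def __init__(self, active_key):
        self.old, self.new, self.new_share = active_key, None, 0.0
        self.validated, self.cutover_at = False, None
        self.revoked, self.audit = set(), []

    def generate(self, new_key):             # step 1: old key keeps all traffic
        self.new, self.new_share, self.validated = new_key, 0.0, False
        self.audit.append(("generated", new_key))

    def validate(self, health_check):        # step 2: fail closed before traffic moves
        self.validated = bool(health_check(self.new))
        event = "validated" if self.validated else "validation_failed"
        self.audit.append((event, self.new))
        if not self.validated:
            self.new = None
        return self.validated

    def migrate(self, share, now):           # step 3: gradual shift, validated keys only
        if not self.validated:
            raise RuntimeError("refusing to route traffic to an unvalidated key")
        self.new_share = share
        if share >= 1.0:
            self.cutover_at = now            # grace period starts at full cutover
        self.audit.append((f"traffic_{round(share * 100)}pct", self.new))

    def revoke_old(self, now, grace_s):      # step 4: only after the grace period
        if self.cutover_at is None or now - self.cutover_at < grace_s:
            raise RuntimeError("grace period not over; old key must stay valid")
        self.revoked.add(self.old)
        self.audit.append(("revoked", self.old))
        self.old, self.new, self.new_share = self.new, None, 0.0
        self.validated, self.cutover_at = False, None

    def pick(self, rng=random.random):       # per-request key choice during overlap
        return self.new if self.new and rng() < self.new_share else self.old

def rotate(slot, new_key, health_check, grace_s=3600):
    """Run all four steps on a simulated clock; returns False if validation fails."""
    slot.generate(new_key)
    if not slot.validate(health_check):
        return False
    for t, share in enumerate((0.1, 0.5, 1.0)):
        slot.migrate(share, now=t)
    slot.revoke_old(now=2 + grace_s, grace_s=grace_s)
    return True
```

The two guards are the point: a key that fails validation never receives traffic, and the old key cannot be revoked until the grace period after full cutover has passed.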

Access Control

Role-based permissions for every key operation.

Role  View  Use  Rotate  Admin
Developer
Team Lead
DevOps
Security

What's included

Security, rotation, and access control — built in

Every API key managed through Bastio gets automatic encryption, scoping, rotation scheduling, and audit logging at no extra configuration.

AES-256 encryption at rest
Per-proxy key scoping
Automatic key rotation
Role-based access control
Immutable audit trails
Environment isolation
BYOK and platform-managed modes
Emergency key revocation
Usage monitoring per key
Cost threshold alerts
Rotation scheduling
Provider key validation

Create API Key

Generate scoped API keys through the dashboard or API. Keys are encrypted and bound to a specific proxy.

curl -X POST https://api.bastio.com/v1/api-keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-gpt4o",
    "proxy_id": "px_acme_prod",
    "permissions": ["chat", "embeddings"],
    "rate_limit": 1000
  }'

Store Provider Key

Add your own provider API keys. Keys are AES-256 encrypted before storage and never logged in plaintext.

curl -X POST https://api.bastio.com/v1/provider-keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "openai",
    "api_key": "sk-...",
    "proxy_id": "px_acme_prod",
    "label": "OpenAI Production"
  }'

Encrypted Storage

AES-256 encryption at rest. Keys are encrypted before storage and decrypted only at the point of use.

Zero-Downtime Rotation

Automated key rotation with validation and gradual traffic migration. No service interruptions.

Audit Trail

Every key creation, rotation, and access is logged with timestamps, actors, and IP addresses.

Start managing your AI keys securely

Key management included with every plan. Encrypted storage, rotation, and audit trails from day one.