The Management API uses Better Auth session tokens for authentication. You must be logged in to the LLM Gateway dashboard to obtain a session token.

Session-Based Authentication

All Management API requests require a valid session token in the Authorization header:
Authorization: Bearer YOUR_SESSION_TOKEN

Obtaining a Session Token

  1. Log in to the LLM Gateway dashboard at https://llmgateway.io
  2. Open your browser’s developer tools (F12)
  3. Go to the Network tab
  4. Make any API request from the dashboard
  5. Look for the Authorization header in the request
  6. Copy the token value (without the “Bearer ” prefix)
Session tokens are tied to your user account and inherit your permissions. Keep them secure and never share them publicly.

Development Mode

For local development and testing, you can use the test token:
Authorization: Bearer test-token
This special token is only available in development environments.

Example Requests

curl -X GET https://api.llmgateway.io/keys/api \
  -H "Authorization: Bearer YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json"

Authentication Errors

401 Unauthorized

Returned when the session token is missing, invalid, or expired:
{
  "message": "Unauthorized"
}
Solutions:
  • Verify your session token is correct
  • Check if your session has expired (log in again)
  • Ensure the Authorization header is properly formatted

403 Forbidden

Returned when you don’t have permission to access the resource:
{
  "message": "You don't have access to this project"
}
Solutions:
  • Verify you have the correct role (owner/admin/developer)
  • Check if you’re accessing resources from your organization
  • Contact your organization owner if you need elevated permissions

Security Best Practices

Treat session tokens like passwords. Never expose them in:
  • Public repositories
  • Client-side code
  • Browser localStorage
  • Server logs

Recommendations

  1. Store securely: Use environment variables or secure secret management
  2. Rotate regularly: Log out and back in to refresh your session
  3. Monitor usage: Check audit logs for unexpected API activity
  4. Use HTTPS: Always use HTTPS in production to encrypt token transmission
  5. Limit scope: Use service accounts with minimal permissions when possible

Session Expiration

Session tokens expire after a period of inactivity. When your session expires:
  1. You’ll receive a 401 Unauthorized response
  2. Log back in to the dashboard to obtain a new token
  3. Update your API client with the new token
Consider implementing automatic token refresh logic in your application to handle session expiration gracefully.
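The request from the example above, the 401/403 handling, and the session-expiration flow, as an added Python example (not code from the LLM Gateway docs or project). It assumes the token is kept in an environment variable named LLMGATEWAY_SESSION_TOKEN (name is an assumption), that the caller supplies an obtain_new_token hook that performs the dashboard login described above (the page documents no refresh endpoint, so the hook is hypothetical), and that the HTTP transport is swappable so the retry logic can be exercised offline. The host api.llmgateway.io and the /keys/api path are taken from the curl example on this page.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Mapping, Optional, Tuple

API_BASE = "https://api.llmgateway.io"  # host from the page's curl example

# A transport takes (method, url, headers) and returns (status, body_text).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Default transport on the standard library. Headers are never logged here."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; surface them as (status, body) instead.
        return err.code, err.read().decode("utf-8", errors="replace")


def load_token_from_env(var: str = "LLMGATEWAY_SESSION_TOKEN",
                        environ: Mapping[str, str] = os.environ) -> str:
    """Read the session token from the environment (variable name is an assumption)."""
    token = environ.get(var, "")
    if not token:
        raise RuntimeError(f"{var} is not set")
    if token.lower().startswith("bearer "):
        # The dashboard shows "Bearer <token>"; store only the bare token.
        token = token[7:]
    return token


def redact(token: str) -> str:
    """Log-safe form of a token: only its last four characters survive."""
    return "****" + token[-4:] if len(token) > 4 else "****"


def _message_from(body: str) -> str:
    """Pull the "message" field out of an error body like {"message": "Unauthorized"}."""
    try:
        return json.loads(body).get("message", body)
    except (ValueError, AttributeError):
        return body


class AuthError(Exception):
    """Raised for 401 (missing/invalid/expired session) and 403 (insufficient role)."""

    def __init__(self, status: int, message: str):
        super().__init__(f"{status}: {message}")
        self.status = status
        self.message = message


class ManagementClient:
    def __init__(self, token: str,
                 obtain_new_token: Optional[Callable[[], str]] = None,
                 transport: Transport = urllib_transport,
                 base_url: str = API_BASE):
        self._token = token
        self._obtain_new_token = obtain_new_token  # hypothetical re-login hook
        self._transport = transport
        self._base_url = base_url.rstrip("/")

    def _headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self._token}",
                "Content-Type": "application/json"}

    def request(self, method: str, path: str) -> dict:
        url = self._base_url + path
        status, body = self._transport(method, url, self._headers())
        if status == 401 and self._obtain_new_token is not None:
            # Session expired: obtain a fresh token via login and retry exactly once.
            self._token = self._obtain_new_token()
            status, body = self._transport(method, url, self._headers())
        if status in (401, 403):
            # 403 is a permission problem, not an expired session: no retry.
            raise AuthError(status, _message_from(body))
        if status >= 400:
            raise RuntimeError(f"HTTP {status}: {_message_from(body)}")
        return json.loads(body) if body else {}

    def list_api_keys(self) -> dict:
        return self.request("GET", "/keys/api")


if __name__ == "__main__":
    client = ManagementClient(load_token_from_env())
    print("using token", redact(client._token))
    print(client.list_api_keys())
```

The retry is bounded to a single re-login so a hook that keeps returning a rejected token cannot loop, and a 403 is deliberately not retried because the page describes it as a role or organization problem rather than an expired session. Anything written to logs should go through redact rather than the raw token.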
