Authentication
Ovexa uses two types of API keys: Ovexa API keys for authenticating your requests, and Provider keys for accessing upstream AI providers.
Ovexa API Keys
Your Ovexa API key authenticates every request to the Ovexa API. Keys follow the format:
vpx_live_xxxxxxxxxxxxxxxxxxxxxxxx
vpx_test_xxxxxxxxxxxxxxxxxxxxxxxx
vpx_live_-- Production keys with full accessvpx_test_-- Test keys for development (rate-limited, may use mock responses)
Creating Keys
Create API keys through the dashboard at Settings > API Keys, or programmatically:
curl -X POST https://api.ovexa.ai/v1/keys \
-H "Authorization: Bearer vpx_live_YOUR_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Backend",
"permissions": ["chat:write", "usage:read"]
}'
Listing Keys
curl https://api.ovexa.ai/v1/keys \
-H "Authorization: Bearer vpx_live_YOUR_API_KEY"
Revoking Keys
curl -X DELETE https://api.ovexa.ai/v1/keys/key_id_here \
-H "Authorization: Bearer vpx_live_YOUR_API_KEY"
Revoked keys are invalidated immediately. Any requests using a revoked key will receive a 401 Unauthorized response.
Using Your Key
Include your Ovexa API key in the Authorization header with every request:
Authorization: Bearer vpx_live_YOUR_API_KEY
Provider Keys
Provider keys are your existing API keys for upstream AI providers (OpenAI, Anthropic, Google, etc.). Ovexa stores these securely and uses them to forward your requests.
Adding a Provider Key
curl -X POST https://api.ovexa.ai/v1/provider-keys \
-H "Authorization: Bearer vpx_live_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"provider": "openai",
"api_key": "sk-proj-xxxxxxxxxxxxxxxx",
"name": "OpenAI Production"
}'
Supported providers: openai, anthropic, google, mistral, groq, deepseek, cohere, xai, perplexity.
Listing Provider Keys
curl https://api.ovexa.ai/v1/provider-keys \
-H "Authorization: Bearer vpx_live_YOUR_API_KEY"
Provider keys are never returned in full. The API response shows only the last 4 characters (e.g., sk-...x7fQ) for identification purposes.
Removing a Provider Key
curl -X DELETE https://api.ovexa.ai/v1/provider-keys/pk_id_here \
-H "Authorization: Bearer vpx_live_YOUR_API_KEY"
Security
- AES-256 encryption -- All provider keys are encrypted at rest using AES-256-GCM. Encryption keys are managed via a separate key management service.
- No plain-text storage -- Provider keys are never stored in plain text in the database.
- Minimal access -- Provider keys are decrypted only in memory at the moment a request is forwarded to the upstream provider, then immediately discarded.
- Audit trail -- All key creation, usage, and deletion events are logged for compliance.
Rate Limits
Rate limits depend on your subscription plan:
| Plan | Limits | Models |
|---|---|---|
| Free | 50 req/day, 3000 char limit | gpt-5.4-nano + gemini-flash-lite only |
| Solo | Unlimited UI usage, BYOK | All models |
| Business | 100k req/mo, API access | All models |
| Enterprise | Custom | All models |
Rate limit headers are included in every response:
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1700000000