API Key Health docs
The operating manual for storing API keys, checking provider health, tracking available quota signals, sending alerts, managing workspaces, and preparing secure routing workflows.
Looking for provider-specific setup?
Use Provider guides for individual API key formats, quota notes, and billing caveats. This page explains the platform itself.
Quickstart
Create a workspace
Start with a personal workspace or create a team workspace when multiple people need shared visibility.
Add a provider key
Pick the provider, paste the credential, add a nickname, choose the storage workspace, and review what API Key Health can validate for that provider.
Run validation
The server checks the provider endpoint, stores safe metadata, and records whether the key is working, invalid, rate-limited, degraded, or needs review.
Configure alerts
Choose email, Slack, or Discord, send a test notification, then enable default alert rules for invalid keys, low quota, stale checks, and provider issues.
Core concepts
Stored API key
A masked, encrypted credential owned by a user or workspace. Normal dashboard views never return the raw key.
Provider adapter
A validation module that knows how to call a provider endpoint and interpret safe status, quota, reset, and model metadata when exposed.
Alert rule
A workspace rule that decides when API Key Health should notify owners about invalid keys, low quota, stale checks, possible leaks, or provider outages.
Workspace
A personal or team boundary for API keys, members, billing capacity, alert destinations, and operational history.
Provider support
Provider adapters use official API responses to validate credentials and store the safest available metadata. Exact quota and credit visibility depends on what each provider exposes.
| Provider | Tracked signals | Important note |
|---|---|---|
| OpenAI | Credential validity, model access, rate-limit states where returned | Provider dashboard remains the source for final invoice data |
| Gemini | Credential validity, model access, project quota context, reset window guidance | Google does not expose remaining account quota in the model-list response |
| ElevenLabs | Credential validity and available account/user signals based on permissions | Billing visibility depends on ElevenLabs account permissions |
| SerpApi | Credential validity and search quota signals | Quota language follows SerpApi response fields |
| Google Custom Search | API key plus Search Engine ID validation | Users should enter both API key and CX/search engine ID |
| Apify | Credential validity and account endpoint response state | Usage/billing detail depends on Apify API access |
| Hunter.io | Credential validity, request/search and verification bucket context | Exact commercial plan data can remain provider-side |
Alerts
Alerts are workspace-scoped. A non-technical user should be able to choose a channel, send a test notification, enable defaults, and see a clear live state.
- Invalid key or provider rejected the credential
- Rate-limited or degraded provider response
- Low quota where the provider exposes quota or remaining credits
- Stale key when validation has not succeeded recently
- Possible leak from safe provider/security signals
- Provider outage from public status intelligence and internal validation failures
Webhook setup path
- 1. Choose Slack, Discord, or email.
- 2. Paste or connect the destination.
- 3. Send a test ping.
- 4. Turn on default rules.
- 5. Confirm the workspace shows alerts are live.
Workspaces and access
Personal workspace
Private space for one owner, starter keys, and personal alert preferences.
Team workspace
Shared operational boundary for members, key inventory, alerts, and billing capacity.
Owner controls
Workspace owners manage billing, membership, alert destinations, and sensitive operations.
Billing and capacity
Free
$0
5 stored keys. No card required.
Advanced
$1/mo
30 stored keys per upgraded workspace.
Enterprise
Custom
Private deployment, custom capacity, and reviewed rollout.
Routing workflows
Routing is the operational direction for API Key Health: issue scoped proxy credentials, route requests through a controlled endpoint, log outcomes, and support fallback strategies where a workspace explicitly configures them. The docs keep this separate from basic key storage so users can adopt monitoring first and routing later.
Authorization: Bearer akh_proxy_...
1. Client calls the API Key Health routing endpoint
2. The workspace policy checks token, path, method, and scope
3. The server forwards to the approved upstream provider
4. Health, latency, and failures are written to the activity logSecurity model
Encrypted storage
Stored credentials are encrypted at rest and surfaced as masked values in normal UI paths.
RLS and server checks
Database rules and server authorization guard workspace access and billing writes.
Safe leak checks
The platform should use provider and GitHub secret-scanning signals. It should not submit raw user keys to public code search.
Monitoring cadence
Cron validation can refresh status and trigger alerts without users sitting in the browser.
API and discovery reference
| Method | Endpoint | Purpose |
|---|---|---|
POST | /api/keys | Create an encrypted API key record after validating workspace capacity. |
POST | /api/keys/validate | Run provider validation and write safe health metadata. |
POST | /api/alerts/test | Send a test email, Slack, or Discord notification. |
GET | /api/billing/summary | Return workspace plan, subscription, and key-limit status. |
POST | /api/billing/subscription | Create a Razorpay subscription for the Advanced workspace plan. |
POST | /api/billing/webhook | Verify and reconcile signed Razorpay subscription events. |
GET | /.well-known/openapi.json | Machine-readable OpenAPI description for agent and API discovery. |
Operational workflow
Daily checks
Cron validates active keys, writes history, creates alert events, and delivers notifications for rules that match.
When a key fails
The inventory marks the key as invalid or needs review, opens an action item, and keeps the owner-facing history intact.
When quota is unknown
The UI says quota is not exposed instead of fabricating a number. Provider guides explain where the source dashboard lives.
When users upgrade
Razorpay checkout creates a workspace subscription, the server verifies it, and Advanced capacity activates after provider state is confirmed.
Known limits and honest claims
- Quota and credit tracking is provider-dependent. If an API does not expose exact values, API Key Health shows the safest available context.
- Provider invoices and billing dashboards remain the final source for charges.
- Public leak scanning must be implemented through safe event signals such as GitHub secret scanning, not by posting raw API keys to public search.
- Routing features require explicit workspace setup before traffic should be routed through API Key Health.
FAQ
Can API Key Health see my raw API keys in normal dashboard views?
No. Dashboard pages return masked key data and safe metadata. Sensitive operations such as validation and reveal are handled through authorized server-side flows.
Does every provider expose exact credits and spend?
No. API Key Health shows quota, credit, reset, and usage signals only when the provider exposes them through an official endpoint. Provider billing dashboards remain the final source of truth.
What happens when I hit the free key limit?
Free workspaces support 5 keys. Existing keys are not deleted. New add, move, or duplicate operations into that workspace are paused until the workspace upgrades or comes back under the limit.
Can teams share API keys safely?
Team workspaces centralize ownership, membership, activity history, alert delivery, and billing capacity. Access is controlled through workspace membership and server-side checks.