Skip to main content
Documentation

API Key Health docs

The operating manual for storing API keys, checking provider health, tracking available quota signals, sending alerts, managing workspaces, and preparing secure routing workflows.

Looking for provider-specific setup?

Use Provider guides for individual API key formats, quota notes, and billing caveats. This page explains the platform itself.

Start here

Quickstart

1

Create a workspace

Start with a personal workspace or create a team workspace when multiple people need shared visibility.

2

Add a provider key

Pick the provider, paste the credential, add a nickname, choose the storage workspace, and review what API Key Health can validate for that provider.

3

Run validation

The server checks the provider endpoint, stores safe metadata, and records whether the key is working, invalid, rate-limited, degraded, or needs review.

4

Configure alerts

Choose email, Slack, or Discord, send a test notification, then enable default alert rules for invalid keys, low quota, stale checks, and provider issues.

Mental model

Core concepts

Stored API key

A masked, encrypted credential owned by a user or workspace. Normal dashboard views never return the raw key.

Provider adapter

A validation module that knows how to call a provider endpoint and interpret safe status, quota, reset, and model metadata when exposed.

Alert rule

A workspace rule that decides when API Key Health should notify owners about invalid keys, low quota, stale checks, possible leaks, or provider outages.

Workspace

A personal or team boundary for API keys, members, billing capacity, alert destinations, and operational history.

Adapters

Provider support

Provider adapters use official API responses to validate credentials and store the safest available metadata. Exact quota and credit visibility depends on what each provider exposes.

ProviderTracked signalsImportant note
OpenAICredential validity, model access, rate-limit states where returnedProvider dashboard remains the source for final invoice data
GeminiCredential validity, model access, project quota context, reset window guidanceGoogle does not expose remaining account quota in the model-list response
ElevenLabsCredential validity and available account/user signals based on permissionsBilling visibility depends on ElevenLabs account permissions
SerpApiCredential validity and search quota signalsQuota language follows SerpApi response fields
Google Custom SearchAPI key plus Search Engine ID validationUsers should enter both API key and CX/search engine ID
ApifyCredential validity and account endpoint response stateUsage/billing detail depends on Apify API access
Hunter.ioCredential validity, request/search and verification bucket contextExact commercial plan data can remain provider-side
Notifications

Alerts

Alerts are workspace-scoped. A non-technical user should be able to choose a channel, send a test notification, enable defaults, and see a clear live state.

  • Invalid key or provider rejected the credential
  • Rate-limited or degraded provider response
  • Low quota where the provider exposes quota or remaining credits
  • Stale key when validation has not succeeded recently
  • Possible leak from safe provider/security signals
  • Provider outage from public status intelligence and internal validation failures

Webhook setup path

  1. 1. Choose Slack, Discord, or email.
  2. 2. Paste or connect the destination.
  3. 3. Send a test ping.
  4. 4. Turn on default rules.
  5. 5. Confirm the workspace shows alerts are live.
Teams

Workspaces and access

Personal workspace

Private space for one owner, starter keys, and personal alert preferences.

Team workspace

Shared operational boundary for members, key inventory, alerts, and billing capacity.

Owner controls

Workspace owners manage billing, membership, alert destinations, and sensitive operations.

Plans

Billing and capacity

Free

$0

5 stored keys. No card required.

Advanced

$1/mo

30 stored keys per upgraded workspace.

Enterprise

Custom

Private deployment, custom capacity, and reviewed rollout.

Non-destructive limit behavior: existing keys remain stored and monitored if a workspace is over its limit. New add, move, or duplicate actions into that workspace pause until capacity is available.
Control plane

Routing workflows

Routing is the operational direction for API Key Health: issue scoped proxy credentials, route requests through a controlled endpoint, log outcomes, and support fallback strategies where a workspace explicitly configures them. The docs keep this separate from basic key storage so users can adopt monitoring first and routing later.

Authorization: Bearer akh_proxy_...

1. Client calls the API Key Health routing endpoint
2. The workspace policy checks token, path, method, and scope
3. The server forwards to the approved upstream provider
4. Health, latency, and failures are written to the activity log
Trust model

Security model

Encrypted storage

Stored credentials are encrypted at rest and surfaced as masked values in normal UI paths.

RLS and server checks

Database rules and server authorization guard workspace access and billing writes.

Safe leak checks

The platform should use provider and GitHub secret-scanning signals. It should not submit raw user keys to public code search.

Monitoring cadence

Cron validation can refresh status and trigger alerts without users sitting in the browser.

Reference

API and discovery reference

MethodEndpointPurpose
POST/api/keysCreate an encrypted API key record after validating workspace capacity.
POST/api/keys/validateRun provider validation and write safe health metadata.
POST/api/alerts/testSend a test email, Slack, or Discord notification.
GET/api/billing/summaryReturn workspace plan, subscription, and key-limit status.
POST/api/billing/subscriptionCreate a Razorpay subscription for the Advanced workspace plan.
POST/api/billing/webhookVerify and reconcile signed Razorpay subscription events.
GET/.well-known/openapi.jsonMachine-readable OpenAPI description for agent and API discovery.
Runbook

Operational workflow

  1. Daily checks

    Cron validates active keys, writes history, creates alert events, and delivers notifications for rules that match.

  2. When a key fails

    The inventory marks the key as invalid or needs review, opens an action item, and keeps the owner-facing history intact.

  3. When quota is unknown

    The UI says quota is not exposed instead of fabricating a number. Provider guides explain where the source dashboard lives.

  4. When users upgrade

    Razorpay checkout creates a workspace subscription, the server verifies it, and Advanced capacity activates after provider state is confirmed.

Accuracy

Known limits and honest claims

  • Quota and credit tracking is provider-dependent. If an API does not expose exact values, API Key Health shows the safest available context.
  • Provider invoices and billing dashboards remain the final source for charges.
  • Public leak scanning must be implemented through safe event signals such as GitHub secret scanning, not by posting raw API keys to public search.
  • Routing features require explicit workspace setup before traffic should be routed through API Key Health.
Answers

FAQ

Can API Key Health see my raw API keys in normal dashboard views?

No. Dashboard pages return masked key data and safe metadata. Sensitive operations such as validation and reveal are handled through authorized server-side flows.

Does every provider expose exact credits and spend?

No. API Key Health shows quota, credit, reset, and usage signals only when the provider exposes them through an official endpoint. Provider billing dashboards remain the final source of truth.

What happens when I hit the free key limit?

Free workspaces support 5 keys. Existing keys are not deleted. New add, move, or duplicate operations into that workspace are paused until the workspace upgrades or comes back under the limit.

Can teams share API keys safely?

Team workspaces centralize ownership, membership, activity history, alert delivery, and billing capacity. Access is controlled through workspace membership and server-side checks.