Keys & workspace

API keys

Zelyx uses two types of key: provider keys (your real OpenAI / Anthropic / Google secrets, stored encrypted in the vault) and Zelyx keys (what developers put in their code).

Provider keys

Provider keys are managed by workspace admins on the API Keys page under Provider keys. Developers never see or hold them.

Adding a provider key

Go to API Keys → Provider keys → Add key.
Select the provider or enter a custom slug.
Paste your API key. Zelyx infers the provider from the key prefix and rejects obvious mismatches (e.g. an Anthropic key submitted as OpenAI).
Optionally give it a label (e.g. anthropic-prod) and run an upstream validation call to confirm the key is active.
Click Save. The key is validated, encrypted (AES-256-GCM), and stored. The plaintext is never persisted.

TipYou can register multiple keys per provider using a custom label as the provider ID (e.g. openai-team-a and openai-team-b). Use the label as the provider when making calls.

Supported provider key formats

Prefix	Provider
`sk-proj-…`	OpenAI
`sk-ant-…`	Anthropic
`AIza…`	Google
`gsk_…`	Groq
`xai-…`	xAI
`sk-or-…`	OpenRouter
`fw_…`	Fireworks
`pplx-…`	Perplexity
(any other)	Together, Mistral, DeepSeek, or custom slug

Revealing a key

Workspace admins can reveal the stored key prefix (first 8 characters) for identification. The full key cannot be recovered from the UI — if you need to rotate it, add the new key and delete the old one.

Zelyx keys (nk_…)

Each developer creates their own Zelyx key under Zelyx proxy keys on the API Keys page. The key is tied to the signed-in user for per-person attribution in the Team analytics page.

Key format

nk_<12-char-id>_<43-char-secret>
 │   │              └── 256 bits of entropy, URL-safe base64
 │   └── Public lookup prefix (stored in DB, used to find the key record)
 └── Literal prefix

The raw key is shown once on creation — copy it immediately. Only a SHA-256 hash is stored, so there is no way to retrieve the secret later. If you lose it, revoke and generate a new one.

Creating a Zelyx key

Go to API Keys → Zelyx proxy keys → New proxy key.
Add a label (e.g. laptop, ci-pipeline, prod-agent).
Optionally set a daily budget, team, project, or model restrictions.
Click Generate. Copy the key immediately.

Per-key settings

These constraints are applied by the gate on every call made with the key.

Setting	Effect
Daily budget (USD)	Blocks calls once this key's daily spend reaches the cap. Resets at midnight UTC.
Team	Default team tag for all calls. Overrideable with X-Zelyx-Team header.
Project	Default project tag for all calls. Overrideable with X-Zelyx-Project header.
Allowed models	Whitelist. If set, only models matching one of the listed prefixes are allowed. Example: `claude-3`, `gpt-4o`.
Blocked models	Blacklist. Calls to these model prefixes are rejected with HTTP 403. Example: `gpt-4` blocks all GPT-4 variants.
Max tokens per call	Rejects requests where `max_tokens` exceeds this value. Useful for limiting single-call cost.

NoteAllowed and blocked model lists use prefix matching. Adding claude-3 to the allowed list permits claude-3-5-sonnet-20241022, claude-3-haiku, etc.

Revoking a key

Click the trash icon next to the key on the API Keys page. Revocation is immediate — in-flight requests with the key will still complete, but no new requests will be authenticated. Revocation is soft-delete: the key record remains for audit purposes.

Team & roles →

Invite teammates and assign IAM roles

Budget overview →

Company, team, project, and per-key daily caps