Create and Manage Tokens

Scenario

Create a token when a business application needs to call model APIs. Use a separate token for each application and environment so that quotas, audits, and revocation can be managed independently. After the token is created, the system generates API Key plaintext, and the application uses the API Key to make requests.

Prerequisites

  • The user has permission to create tokens.
  • The target organization exists.
  • At least one model and one channel are available.

Create a Token

  1. Log in to the console.
  2. Go to Token Management.
  3. Click Create Token.
  4. Enter a token name, for example order-service-prod.
  5. Select the owning user and organization.
  6. Configure the allowed model scope.
  7. Configure quota and expiration time.
  8. Configure a client IP allowlist if required.
  9. Click OK.
  10. Copy the API Key plaintext from the result dialog and save it in the application's secret management system.

Field Description

FieldDescription
NameIdentifies the caller. Include the application and environment.
OrganizationUsed for cost ownership and access control.
Allowed ModelsModels that this token can call.
ExpirationThe token becomes unavailable after expiration.
QuotaBudget or usage limit for the token.
IP AllowlistClient addresses allowed to use this token.

Verification

Call a model with the API Key generated by the new token:

curl http://{ROUTER_HOST}:3080/v1/chat/completions \
  -H "Authorization: Bearer {API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [
      {
        "role": "user",
        "content": "health check"
      }
    ]
  }'

After the request succeeds, Usage Log should show the token, user, organization, model, and channel.

Manage Tokens

Administrators can perform these operations from Token Management:

OperationDescription
SuspendTemporarily stop model calls with the token.
EnableRestore a suspended token.
Adjust QuotaChange token budget or usage limit.
Modify Model ScopeChange the models that the token can call.
DeletePermanently delete the token. This cannot be undone.

Notes

  • Do not share one production token or API Key across multiple applications.
  • Suspend or delete the corresponding token immediately if its API Key is leaked, and then create a new token.
  • After changing the model scope, run a test call again.