The Key Vault

The vault is where provider API keys live — encrypted at rest, organized by brand, and usable by every request that needs that provider. It's the answer to keys scattered across .env files. You manage it on the Vault tab at /dashboard/gate/vault.

Pool keys vs. your own keys

SpiderGate draws provider keys from two places, and your own keys always win:

  • Pool keys — shared, SpiderGate-managed keys available to everyone. You can call the gateway out of the box without adding anything.

  • Brand keys (BYOK) — keys you add to your vault, scoped to your workspace. When present, your keys are tried before the shared pool, so your quota and billing are used first.

A key you add can optionally be shared with the pool — making it available to other brands — or kept private to yours. Private is the default.

Adding a key

On the Vault tab, browse the provider catalog (30+ providers across categories like Popular, LLM, Enterprise, and Media), pick a provider, and paste your API key. A Test connection action verifies the key before you save. A free-only toggle and signup links help you stand up free-tier accounts quickly.

Keys are encrypted with Fernet symmetric encryption before they're stored; SpiderGate keeps only a masked preview (e.g. sk-o…xyz) for display.

Inviting a contributor

Sometimes the person who owns a key isn't the admin. The Invite Contributor flow handles that without anyone sharing a raw secret:

  1. From the Vault, send an invite (email + provider + an optional message). SpiderGate emails a signed link, valid for 72 hours.

  2. The contributor opens the link, lands on a public page (no login required), and either pastes their API key or completes an OAuth sign-in in their own browser.

  3. The encrypted credential lands in your vault. The admin never sees the contributor's raw key.

This is also how you add keys for providers that use OAuth rather than a pasted key.
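
An added example (not SpiderGate's code) of how a signed invite link with the 72-hour lifetime described above can be issued and verified. The HMAC-SHA256 token layout, the function names and the demo secret are assumptions; the page does not say how SpiderGate signs its links.

```python
import base64
import hashlib
import hmac
import json
import time

INVITE_TTL_SECONDS = 72 * 3600  # the page states links are valid for 72 hours


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite_token(secret, email, provider, now=None):
    """Bind the invite to one email, one provider and an expiry, then sign it."""
    issued = int(time.time() if now is None else now)
    claims = {"email": email, "provider": provider, "exp": issued + INVITE_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)


def verify_invite_token(secret, token, now=None):
    """Return the claims for a valid, unexpired token, otherwise None."""
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = b64d(payload_part), b64d(sig_part)
    except ValueError:  # wrong number of parts or bad base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time; check before parsing
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current >= claims["exp"]:  # expired links are rejected even if correctly signed
        return None
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; load from a secret store in practice
    token = make_invite_token(secret, "contributor@example.com", "openai")
    print(verify_invite_token(secret, token))
```

Because the provider and email are inside the signed payload, a link issued for one provider cannot be edited to submit a credential for another.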

Re-authenticating a key

When an OAuth credential stops working (for example, a refresh token is revoked), SpiderGate auto-disables it after repeated failures and emails the contributor a re-authentication link. They re-login or paste a fresh key, and the existing vault entry is updated in place — same key id, same sharing and limits, history preserved — and the engine hot-reloads so it works again without a restart. Each vault key card also has a Re-authenticate action you can trigger manually.

Note: The multi-modal endpoints (images, audio, embeddings) require an OpenAI key in the vault. Until one is registered, those calls return 503 with code no_openai_key. Add an sk-… key via the contributor invite flow. See Images, Audio & Embeddings.

Health and rotation

Every key's health is tracked. After repeated failures a key is marked unhealthy and skipped during routing, and SpiderGate reorders fallback chains so healthy providers are preferred. Adding multiple keys per provider lets SpiderGate rotate across them — exhausting each free tier before moving on.

Next steps

  1. Mint tokens that use these keys — Agent Keys.

  2. See which providers are configured — Models & Direct Routing.

  3. Add an OpenAI key to unlock Images, Audio & Embeddings.