Back to docs
Recipe

API Key Management

Securely create, rotate, and revoke Meridian API keys across your workloads. This recipe walks through provisioning a key for a new service, scoping it to a single model family, and cycling it on a quarterly cadence without dropping inference traffic.

1.Create a scoped key

Open the Meridian dashboard and navigate to Settings → API Keys. Click New Key, give it a descriptive name tied to the calling service, and restrict it to the smallest set of models your workload actually invokes.

curl https://api.getnimbus.net/v1/keys \
  -H "Authorization: Bearer $MERIDIAN_ADMIN_TOKEN" \
  -d '{
    "name": "checkout-service-prod",
    "scopes": ["model:azure/gpt-4o", "model:azure/model-router"],
    "rate_limit_rpm": 600
  }'

2.Store the key safely

Meridian shows the secret value exactly once at creation. Push it straight into your secret manager (AWS Secrets Manager, Vault, 1Password, Doppler) and reference it by name from your runtime. Never bake the literal string into a container image, a commit, or an env file checked into git.

  • Tag the secret with the owning team and on-call rotation.
  • Set an automatic expiration alert 14 days before rotation.
  • Mirror the secret to staging under a distinct Meridian key.

3.Rotate without downtime

When it is time to cycle a key, create the replacement first, roll it out to every consumer, and only then revoke the old credential. Meridian allows multiple active keys per workspace so you always have an overlap window. Audit the access log under Settings → Audit to confirm no service is still calling the retired key before you disable it.