# Inference deployment with API key authentication

API key authentication restricts access to a deployment endpoint. Without it, anyone with the endpoint URL can query the model. With authentication enabled, every request must include a valid `X-API-Key` header — requests without a valid key receive an HTTP 401 response.

API keys are managed at the project level in **Everywhere Inference** > **API Keys**. A single key can be linked to multiple deployments, and a deployment can have multiple keys linked simultaneously.

## API key creation

In the [Gcore Customer Portal](https://portal.gcore.com/), navigate to **Everywhere Inference** > **API Keys** and click **Create API Key**.

<Frame>
  <img src="https://mintcdn.com/gcore/yKie2I_xdaIxD6qJ/images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-1.png?fit=max&auto=format&n=yKie2I_xdaIxD6qJ&q=85&s=0eb5a06776ec217c2b75a1e7f18f8b57" alt="API Keys page" width="1275" height="487" data-path="images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-1.png" />
</Frame>

The **Add API Key** dialog opens. Fill in the fields:

* **Name** — a label to identify the key across deployments.
* **Description** — optional note describing the key's purpose or owner.
* **Expires at** — set a fixed expiration date or leave as **Never expire** for a permanent key.

<Frame>
  <img src="https://mintcdn.com/gcore/yKie2I_xdaIxD6qJ/images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-2.png?fit=max&auto=format&n=yKie2I_xdaIxD6qJ&q=85&s=f3bd83254a787d64a4c36b5e237325a9" alt="Add API Key dialog" width="1400" height="900" data-path="images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-2.png" />
</Frame>

Click **Add**. The key value appears once — copy it immediately and store it securely. It cannot be retrieved later.

<Frame>
  <img src="https://mintcdn.com/gcore/yKie2I_xdaIxD6qJ/images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-3.png?fit=max&auto=format&n=yKie2I_xdaIxD6qJ&q=85&s=c493cca6ceb61aaaadb9b9e15b4cada9" alt="API key value shown once after creation" width="1400" height="900" data-path="images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-3.png" />
</Frame>

## Deployment authentication

API key authentication is configured during deployment. The steps below use **meta-llama/Llama-3.2-1B-Instruct** deployed from the [Application Catalog](/edge-ai/everywhere-inference/ai-models/deploy-from-catalog). The same **Additional options** section is available when deploying a [custom model](/edge-ai/everywhere-inference/ai-models/deploy-a-custom-model).

### Step 1. Deployment form

In the [Gcore Customer Portal](https://portal.gcore.com/), navigate to **Everywhere Inference** > [**Application Catalog**](/edge-ai/everywhere-inference/application-catalog), select a model, and click **Deploy Application**. The Create Deployment form opens.

### Step 2. Additional options

Scroll to the **Additional options** section and enable the **Enable API Key authentication** toggle. A dropdown labeled **API keys** appears, showing all keys created in the project. Select one or more keys to link to this deployment.

<Frame>
  <img src="https://mintcdn.com/gcore/yKie2I_xdaIxD6qJ/images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-4.png?fit=max&auto=format&n=yKie2I_xdaIxD6qJ&q=85&s=4a0698d667c9fddfee6206b6b880b23a" alt="Enable API Key authentication toggle with key selected" width="863" height="337" data-path="images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-4.png" />
</Frame>

Complete the remaining deployment fields (region, flavor, deployment name) and click **Deploy model**. Once the deployment reaches **Deployed** status, the endpoint accepts only requests that include a linked key.

## Authenticated requests

Include the API key in the `X-API-Key` header on every request. The endpoint rejects requests that omit the header or provide a key not linked to the deployment.

<CodeGroup>
  ```bash curl theme={null}
  ENDPOINT_URL="https://model-<deployment-name>.<project>.ai.gcore.dev"
  API_KEY="<api-key>"
  MODEL="meta-llama/Llama-3.2-1B-Instruct"

  curl "${ENDPOINT_URL}/v1/chat/completions" \
    -H "Content-Type: application/json" \
    -H "X-API-Key: ${API_KEY}" \
    -d '{
      "model": "'"${MODEL}"'",
      "messages": [{"role": "user", "content": "Explain gradient descent in two sentences."}]
    }'
  ```

  ```python Python theme={null}
  from openai import OpenAI

  ENDPOINT_URL = "https://model-<deployment-name>.<project>.ai.gcore.dev"
  API_KEY = "<api-key>"
  MODEL = "meta-llama/Llama-3.2-1B-Instruct"

  client = OpenAI(
      base_url=f"{ENDPOINT_URL}/v1",
      api_key="unused",
  )

  response = client.chat.completions.create(
      model=MODEL,
      messages=[{"role": "user", "content": "Explain gradient descent in two sentences."}],
      extra_headers={"X-API-Key": API_KEY},
  )

  print(response.choices[0].message.content)
  ```

  ```javascript JavaScript theme={null}
  const ENDPOINT_URL = "https://model-<deployment-name>.<project>.ai.gcore.dev";
  const API_KEY = "<api-key>";
  const MODEL = "meta-llama/Llama-3.2-1B-Instruct";

  const response = await fetch(`${ENDPOINT_URL}/v1/chat/completions`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-API-Key": API_KEY,
    },
    body: JSON.stringify({
      model: MODEL,
      messages: [{ role: "user", content: "Explain gradient descent in two sentences." }],
    }),
  });

  const data = await response.json();
  console.log(data.choices[0].message.content);
  ```
</CodeGroup>

<Info>
  The OpenAI Python client requires a non-empty `api_key` parameter even when the endpoint does not validate it. Pass any string, and provide the actual key via `extra_headers`.
</Info>

## API Keys authentication tab

The **API Keys authentication** tab on the deployment detail page shows which keys are currently linked and allows adding or removing keys without redeploying. Changes take effect on the next request after saving.

<Frame>
  <img src="https://mintcdn.com/gcore/yKie2I_xdaIxD6qJ/images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-5.png?fit=max&auto=format&n=yKie2I_xdaIxD6qJ&q=85&s=2b44bacc26ae52f3bf08952577d8b246" alt="API Keys authentication tab on deployment detail page" width="1257" height="494" data-path="images/docs/edge-ai/everywhere-inference/api-keys/create-inference-deployment-with-auth/create-auth-5.png" />
</Frame>

To add a key, open the **API keys** dropdown and select a key from the project-level list. To unlink a key, deselect it from the same dropdown. Click **Save changes** to apply.

Disabling the **Enable API Key authentication** toggle on this tab removes the authentication requirement from the deployment entirely — all requests are accepted regardless of headers.
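Because the toggle can silently reopen an endpoint, it is worth checking enforcement after every deployment or change on this tab. The script below is an added example, not Gcore's own code. It sends the request from the **Authenticated requests** section three ways (no header, an unlinked key, the linked key) and reports any result that differs from the behavior described on this page. The environment variable names are hypothetical, and the script assumes a successful completion returns HTTP 200.

```python
import json
import os
import urllib.error
import urllib.request

MODEL = "meta-llama/Llama-3.2-1B-Instruct"


def probe(endpoint_url, api_key=None, timeout=10):
    """POST a minimal chat completion and return the HTTP status code."""
    body = json.dumps({
        "model": MODEL,
        "messages": [{"role": "user", "content": "ping"}],
        "max_tokens": 1,  # keep the authenticated probe cheap
    }).encode()
    headers = {"Content-Type": "application/json"}
    if api_key is not None:
        headers["X-API-Key"] = api_key
    req = urllib.request.Request(
        f"{endpoint_url}/v1/chat/completions", data=body, headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other error statuses arrive here


def audit(endpoint_url, api_key, probe_fn=probe):
    """Return a list of findings; an empty list means auth is enforced as documented."""
    findings = []
    if probe_fn(endpoint_url, None) != 401:
        findings.append("request without X-API-Key was not rejected with 401")
    if probe_fn(endpoint_url, "invalid-" + "0" * 32) != 401:  # constructed, never a real key
        findings.append("request with an unlinked key was not rejected with 401")
    if probe_fn(endpoint_url, api_key) != 200:
        findings.append("request with the linked key did not return 200")
    return findings


if __name__ == "__main__":
    # Read the endpoint and key from the environment instead of hardcoding the key.
    url = os.environ["GCORE_INFERENCE_URL"]      # hypothetical variable name
    key = os.environ["GCORE_INFERENCE_API_KEY"]  # hypothetical variable name
    problems = audit(url, key)
    for problem in problems:
        print("FAIL:", problem)
    raise SystemExit(1 if problems else 0)
```

A non-zero exit status makes the script usable as a post-deployment gate in CI or as a scheduled check.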
