Best practices for API keys
API keys are used to:
- Deploy models to your Baseten account from the Truss CLI.
- Call models with the
/predictendpoint,truss predictin the CLI, or the Python client. - Make requests to other endpoints such as
/wake.
You can create and revoke API keys from your Baseten account.
API key scope: account vs workspace
There are two types of API keys on Baseten:
- Personal keys are tied to your Baseten account. They have the full permissions associated with your account in the workspace and can be used to deploy, call, and wake models. Every action taken with a personal API key is associated with the matching user account.
- Workspace keys are shared across your entire Baseten workspace. When you create a workspace API key, you can grant it full access to the workspace or limit it to only being able to call and wake selected models.
Use account-level API keys for deploying and testing models and use workspace-level API keys in automated actions and production environments.
Using API keys with Truss
To use an API key for authentication with commands like truss push and truss predict, set it in your ~/.trussrc file:
[baseten]
remote_provider = baseten
api_key = abcdefgh.1234567890ABCDEFGHIJKL1234567890
remote_url = https://app.baseten.co
If you rotate your API key, just open the file in a text editor and paste the new API key to update.
Using API keys with endpoints
To use an API key for requests to model endpoints, pass it as a header in the HTTP request:
curl -X POST https://app.baseten.co/models/MODEL_ID/predict \
-H 'Authorization: Api-Key abcdefgh.1234567890ABCDEFGHIJKL1234567890' \
-d 'MODEL_INPUT'
The header is a key-value pair:
headers = {"Authorization": "Api-Key abcdefgh.1234567890ABCDEFGHIJKL1234567890"}
Tips for managing API keys
Best practices for API key use apply to your Baseten API keys:
- Always store API keys securely
- Never commit API keys to your codebase
- Never share or leak API keys in notebooks or screenshots
The API key list on your Baseten account shows when each key was first created and last used. Rotate API keys regularly and remove any unused API keys to reduce the risk of accidental leaks.