- Deploy models, Chains, and training projects with the Truss CLI.
- Call model endpoints for inference.
- Use the management API.
API key types
Baseten supports two types of API keys: Personal API keys are tied to your user account. Actions performed with a personal key are attributed to you. Use personal keys for local development and testing. Personal keys are revoked when a user is deprovisioned, so don’t use them for production workloads. Team API keys are not tied to an individual user. When your organization has teams enabled, team keys can be scoped to a specific team. Team keys can have different permission levels:- Full access: Deploy models, call endpoints, and manage resources.
- Inference only: Call model endpoints but cannot deploy or manage.
- Metrics only: Export metrics but cannot deploy or call models.
Environment-scoped API keys
Environment-scoped API keys are team API keys restricted to specific environments. Use them for least-privilege access when sharing keys with external partners or production integrations. You can scope a key in two ways:- By environment: The key can only call models in the selected environments (for example,
productiononly, orproductionandstaging). - By environment and model: The key can only call specific models within the selected environments.
Create an API key
- Personal
- Team
To create a personal API key:
- Sign in to your workspace at app.baseten.co and go to API keys in your account settings.
- Choose Create API key.
- Select Personal and choose Next.
- Enter a name for the key (lowercase letters, numbers, and hyphens only).
- Choose Create API key.
baseten auth login, then
create a personal key, tied to your account and its permissions:
baseten org api-key for the
other key types (workspace-manage-all, workspace-export-metrics).
To create a key from the Management API:
Creating a key over the API requires an existing key, so create your first
one in the console or CLI. The type value is uppercase here: PERSONAL,
WORKSPACE_MANAGE_ALL, WORKSPACE_INVOKE, or WORKSPACE_EXPORT_METRICS:
Use API keys with the CLI
The first time you runtruss push, the CLI prompts you to choose how to authenticate. Choose Paste an API key to use a key from this page, or Log in via browser (OAuth) to authenticate without a long-lived secret on disk:
truss login (or its alias truss auth login). For details on credential storage, OAuth, and managing multiple remotes, see truss auth.
To configure or update an API key manually, edit ~/.trussrc:
BASETEN_API_KEY
from the environment, or a stored profile from
baseten auth login.
Use API keys with endpoints
Set your key as an environment variable, or store it in your secret manager:Authorization header using the Bearer scheme:
Bearer works with OpenAI-style clients and AI gateways such as LiteLLM and OpenRouter without extra configuration. Baseten also accepts the legacy Api-Key scheme on every endpoint, so existing scripts using Authorization: Api-Key <key> continue to work:
Frontier Gateway federated API keys are the exception: they only accept the
Api-Key scheme. Workspace API keys used to manage gateway groups still accept either scheme.Manage API keys
The API keys page shows all your keys with their creation date and last used timestamp. Use this information to identify unused keys.View and revoke keys as an organization Admin
Organization Admins see every key in the workspace: all team API keys plus every member’s personal API keys. The Owner / Team column shows who each key belongs to: the owning member for personal keys, or the team for team keys. Use the Member, Team, and Type filters to narrow the list. Organization Admins can revoke any key in the workspace, including other members’ personal keys. Admins can’t rename other members’ personal keys. To see who created a team API key, check the audit log. All other roles see their own personal keys and any team keys they created. Team Admins also see every key scoped to their teams. The list API keys endpoint follows the same visibility rules. Each personal key in the response includes anowner object with the owning member’s user_id, email, and name, so Admins can tell whose key each one is.
Rename, rotate, or revoke keys
API keys don’t automatically expire. To maintain security, rotate keys periodically and revoke any that are no longer in use. To rename a key, select the pencil icon next to the key name. To rotate a key, create a new key, update your applications to use it, then revoke the old key. To revoke a key, select the trash icon next to the key. Revoked keys cannot be restored. You can also revoke a key programmatically, by its visible prefix:baseten org api-key delete --prefix <prefix>
from the CLI, or the
delete API key endpoint.
Security recommendations
- Store API keys in environment variables or secret managers, not in code.
- Never commit API keys to version control.
- Use environment-scoped keys to limit access to specific environments and models.
- Use team keys with minimal permissions for production applications.
- Rotate keys periodically and revoke unused keys.
- Monitor key creation, deletion, and use through the audit log.