
API Keys

API keys are authentication tokens that let you access LLM provider APIs. AI Supreme Council uses a BYOK (Bring Your Own Key) model -- you get keys directly from each provider and store them in your browser. Keys never pass through any intermediary server.

Where to Get API Keys

Each provider has its own developer console where you can create API keys:

| Provider | Console URL | Key Format | Free Tier |
|---|---|---|---|
| Anthropic | console.anthropic.com/settings/keys | sk-ant-api03-... | No (prepaid credits required) |
| OpenAI | platform.openai.com/api-keys | sk-proj-... or sk-... | No (prepaid credits required) |
| xAI | console.x.ai | xai-... | $25 free monthly credit |
| Google Gemini | aistudio.google.com/apikey | Alphanumeric string | Yes (generous free tier, no credit card) |
| OpenRouter | openrouter.ai/keys | sk-or-v1-... | Yes (20+ free models, no credit card) |
| DeepSeek | platform.deepseek.com/api_keys | sk-... | No (prepaid credits required) |
| Groq | console.groq.com/keys | gsk_... | Yes (free tier with rate limits) |
| Mistral | console.mistral.ai/api-keys | Alphanumeric string | No |
| Ollama | N/A (local) | Not needed | Yes (runs locally, no key required) |

Start Free

Google Gemini and OpenRouter both offer free tiers with no credit card required. Gemini gives you access to Gemini 2.5 Flash and Pro. OpenRouter gives you access to 20+ free models including DeepSeek R1, Llama 3.3, Qwen 3, and more. These are the fastest way to start chatting.

How Keys Are Stored

API keys are stored in your browser's localStorage under provider-specific keys:

| localStorage Key | Provider |
|---|---|
| ais-apikey-anthropic | Anthropic (Claude) |
| ais-apikey-openai | OpenAI (GPT) |
| ais-apikey-xai | xAI (Grok) |
| ais-apikey-gemini | Google Gemini |
| ais-apikey-openrouter | OpenRouter |
| ais-apikey-deepseek | DeepSeek |
| ais-apikey-groq | Groq |
| ais-apikey-mistral | Mistral |

Keys are stored as plain, unencrypted strings in localStorage, so any script running on the app's origin can read them. They are read synchronously at boot so the app can immediately determine which providers are available.

Setting API Keys

Via the Settings Dialog

  1. Open Settings (gear icon in the sidebar)
  2. Go to the API Keys section
  3. The keys panel shows all providers from the model registry, organized by provider
  4. Enter your key in the field for the relevant provider
  5. Keys are saved immediately on input

Via the Config Panel

  1. Open the config panel (right sidebar)
  2. The API Key field at the bottom shows the key for the currently selected provider
  3. Enter or update the key directly
  4. The key is saved when you change it

Via Browser Console

// Set a key
localStorage.setItem('ais-apikey-anthropic', 'sk-ant-api03-your-key-here');

// Read a key
localStorage.getItem('ais-apikey-openai');

// Remove a key
localStorage.removeItem('ais-apikey-xai');

Security Model

Key Security Guarantees
  1. Keys never appear in shared URLs -- bot sharing encodes only configuration, never keys
  2. Keys are never exported -- the Export All Data feature explicitly excludes all API keys
  3. Keys never leave your browser -- except when sent directly to the provider's own API endpoint
  4. Keys are not sent to aiscouncil.com -- the app makes zero requests to its own server with your keys
  5. Keys are never logged -- not in console, not in analytics, not in error reports

When you send a message, the API call goes directly from your browser to the provider:

Your Browser --(HTTPS + API key)--> api.anthropic.com
Your Browser --(HTTPS + API key)--> api.openai.com
Your Browser --(HTTPS + API key)--> api.x.ai
Your Browser --(HTTPS + API key)--> generativelanguage.googleapis.com

No proxy, no middleware, no intermediary. The key travels over HTTPS directly to the provider and nowhere else.

Global vs Per-Bot API Keys

AI Supreme Council supports two levels of API keys:

Global Keys (per provider)

Set in Settings > API Keys. These are the default keys used by all bots for a given provider. Stored in localStorage as ais-apikey-{provider}.

Per-Bot Keys

Set in the config panel under Per-Bot API Key. This overrides the global key for a specific bot only. Use cases:

  • Different API keys for different projects (separate billing)
  • Testing a new key without affecting other bots
  • Using a key with different rate limits or permissions

Per-bot keys are stored in the bot's config object (the k field) in IndexedDB. They are not included when sharing a bot URL -- the recipient uses their own keys.

Priority: Per-bot key > Global provider key

If a bot has a per-bot key set, it uses that. Otherwise, it falls back to the global key for that provider.
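The priority rule and the two exclusions described above (no key in a shared bot config, no key in a data export) can be sketched as follows. This is an added example, not AI Supreme Council's own code: the function names and the `provider` field are hypothetical, while the `ais-apikey-` prefix and the `k` field are the ones this page names.

```javascript
// Added sketch, not the app's source. Function names and the `provider` field
// are hypothetical; 'ais-apikey-' and the bot config `k` field are from this page.
const KEY_PREFIX = 'ais-apikey-';

// Priority: per-bot key (bot.k) > global provider key in storage.
function resolveApiKey(bot, storage) {
  if (bot.provider === 'ollama') return { key: 'ollama', source: 'placeholder' };
  const perBot = typeof bot.k === 'string' ? bot.k.trim() : '';
  if (perBot) return { key: perBot, source: 'per-bot' };
  const globalKey = storage.getItem(KEY_PREFIX + bot.provider);
  return globalKey ? { key: globalKey, source: 'global' } : { key: null, source: 'none' };
}

// Config that is safe to encode into a share URL: the per-bot key is dropped.
function shareableConfig(bot) {
  const { k, ...rest } = bot;
  return rest;
}

// Storage entries for a data export, skipping every ais-apikey-* item.
function exportableEntries(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    if (!name.startsWith(KEY_PREFIX)) out[name] = storage.getItem(name);
  }
  return out;
}

// In-memory stand-in for window.localStorage so the sketch runs outside a browser.
function memoryStorage(initial) {
  const m = new Map(Object.entries(initial));
  return {
    get length() { return m.size; },
    key: (i) => Array.from(m.keys())[i] ?? null,
    getItem: (name) => (m.has(name) ? m.get(name) : null),
  };
}

// Constructed sample data; the key values are placeholders, not real keys.
const demoStore = memoryStorage({
  'ais-apikey-anthropic': 'sk-ant-api03-GLOBAL-PLACEHOLDER',
  'example-ui-setting': 'dark',
});
const demoBot = { name: 'Reviewer', provider: 'anthropic', k: 'sk-ant-api03-PERBOT-PLACEHOLDER' };
console.log(resolveApiKey(demoBot, demoStore).source);   // per-bot
console.log(Object.keys(shareableConfig(demoBot)));      // no 'k'
console.log(Object.keys(exportableEntries(demoStore)));  // no ais-apikey-* entries
```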

Key Validation

The app does not perform explicit key validation on save. Instead, if a key is invalid, you will see an error when you first try to send a message. Common errors:

| Error | Cause |
|---|---|
| 401 Unauthorized | Invalid API key or key has been revoked |
| 403 Forbidden | Key does not have permission for the requested model |
| 429 Too Many Requests | Rate limit exceeded (try again later) |
| 402 Payment Required | Insufficient credits or expired billing |

Rotating Keys

To rotate (change) a key:

  1. Generate a new key in the provider's console
  2. Update the key in Settings > API Keys
  3. The old key is immediately replaced -- there is no transition period

The new key takes effect on the next API call. No restart or reload needed.

Provider-Specific Notes

Anthropic

  • Keys start with sk-ant-api03- (third-generation format)
  • Requires prepaid credits before any API usage
  • Supports the anthropic-dangerous-direct-browser-access header for browser-direct calls
  • Rate limits depend on your usage tier (1-4)

OpenAI

  • Project keys start with sk-proj-; legacy keys start with sk-
  • Requires prepaid credits or an active billing plan
  • Some models (GPT-4, o1) require higher usage tiers

xAI (Grok)

  • Keys start with xai-
  • New accounts receive $25/month in free credits
  • Supports vision and function calling

Google Gemini

  • Keys are alphanumeric strings from Google AI Studio
  • The API key is passed as a ?key= query parameter (not a Bearer header) to avoid CORS preflight requests
  • Free tier includes Gemini 2.5 Flash (10 RPM), Gemini 2.5 Pro (5 RPM), and Gemini 2.5 Flash-Lite (30 RPM)
  • No credit card required for free tier
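Because the Gemini key travels in the request URL rather than in a header, any code that records request URLs or error text has to strip it to keep the "keys are never logged" guarantee. The following is an added example, not AI Supreme Council's own code: the function names are hypothetical, the key value is a constructed placeholder, and the Gemini request path is shown only for illustration.

```javascript
// Added sketch, not the app's source. Function names are hypothetical.
// `key` is the Gemini query parameter named on this page; Authorization and
// x-api-key are the request headers that carry Bearer-style and Anthropic keys.
const SECRET_PARAMS = new Set(['key']);
const SECRET_HEADERS = new Set(['authorization', 'x-api-key']);

// Return a copy of the request details that is safe to log or report.
function redactRequest(url, headers = {}) {
  const u = new URL(url);
  // Snapshot the parameter names first, then overwrite the sensitive ones.
  for (const name of new Set(u.searchParams.keys())) {
    if (SECRET_PARAMS.has(name.toLowerCase())) u.searchParams.set(name, 'REDACTED');
  }
  const safeHeaders = {};
  for (const [name, value] of Object.entries(headers)) {
    safeHeaders[name] = SECRET_HEADERS.has(name.toLowerCase()) ? 'REDACTED' : value;
  }
  return { url: u.toString(), headers: safeHeaders };
}

// Error text can echo the request URL, so also scrub known key values from it.
function scrubText(text, knownKeys) {
  let out = String(text);
  for (const key of knownKeys) {
    if (key) out = out.split(key).join('REDACTED');
  }
  return out;
}

// Constructed sample: a placeholder key in a Gemini-style request URL.
const geminiKey = 'CONSTRUCTEDGEMINIKEY123';
const geminiUrl =
  'https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=' +
  geminiKey;
console.log(redactRequest(geminiUrl, { 'Content-Type': 'application/json' }).url);
console.log(scrubText('Request to ' + geminiUrl + ' failed with 429', [geminiKey]));
```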

OpenRouter

  • Keys start with sk-or-v1-
  • Provides access to 300+ models from many providers
  • Free models are available immediately (no credit card)
  • Paid models bill through OpenRouter's own billing system

DeepSeek

  • Keys start with sk-
  • Pricing is significantly lower than other providers
  • Supports reasoning (DeepSeek R1) and coding (DeepSeek Coder)

Groq

  • Keys start with gsk_
  • Specializes in fast inference
  • Free tier available with rate limits
  • Supports Llama, Mixtral, and Gemma models

Ollama

  • No API key needed -- Ollama runs locally on your machine
  • The app uses the placeholder value 'ollama' internally
  • Requires Ollama to be installed and running (ollama serve)
  • Set OLLAMA_ORIGINS=* for browser CORS access
  • Models are detected automatically via GET /api/tags
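The prefixes listed in these notes are enough to catch a key stored under the wrong provider or pasted with stray whitespace, two common causes of "No API key" and 401 errors. The following is an added example, not AI Supreme Council's own code: the function names are hypothetical and the sample values are constructed placeholders.

```javascript
// Added sketch, not the app's source. Prefixes are the ones listed on this page;
// function names are hypothetical. More specific prefixes must come first.
const KEY_PREFIXES = [
  ['sk-ant-api03-', ['anthropic']],
  ['sk-or-v1-', ['openrouter']],
  ['sk-proj-', ['openai']],
  ['xai-', ['xai']],
  ['gsk_', ['groq']],
  ['sk-', ['openai', 'deepseek']], // legacy OpenAI and DeepSeek share this prefix
];

// Providers a key could belong to, judged by prefix alone. Gemini and Mistral
// keys are plain alphanumeric strings, so they return [] (cannot be identified).
function providersForKey(key) {
  const trimmed = key.trim();
  const hit = KEY_PREFIXES.find(([prefix]) => trimmed.startsWith(prefix));
  return hit ? hit[1] : [];
}

// Compare each stored ais-apikey-{provider} value with the slot it sits in.
// Findings never include the key itself, so they are safe to display.
function auditStoredKeys(storage, providers) {
  const findings = [];
  for (const provider of providers) {
    const value = storage.getItem('ais-apikey-' + provider);
    if (value === null || value === '') continue;
    if (value !== value.trim()) {
      findings.push({ provider, issue: 'leading or trailing whitespace' });
    }
    const candidates = providersForKey(value);
    if (candidates.length > 0 && !candidates.includes(provider)) {
      findings.push({ provider, issue: 'prefix matches ' + candidates.join(' or ') });
    }
  }
  return findings;
}

// Constructed sample: placeholder values, with two deliberate mistakes.
const sample = {
  'ais-apikey-openai': 'sk-or-v1-PLACEHOLDER', // OpenRouter key in the OpenAI slot
  'ais-apikey-groq': 'gsk_PLACEHOLDER\n',      // pasted with a trailing newline
  'ais-apikey-deepseek': 'sk-PLACEHOLDER',     // consistent with its slot
};
const sampleStorage = { getItem: (name) => sample[name] ?? null };
console.log(auditStoredKeys(sampleStorage, ['openai', 'groq', 'deepseek', 'gemini']));
```

In a browser, pass `window.localStorage` as the first argument instead of the sample object.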

Troubleshooting

"No API key" error

  • Check that you have entered a key for the correct provider in Settings
  • Verify the provider dropdown in the config panel matches the key you set
  • Try pasting the key again -- some password managers may alter the clipboard

"401 Unauthorized" or "Invalid API key"

  • Regenerate the key in the provider's console
  • Make sure the key has not been revoked or expired
  • For Anthropic, ensure you have added credits to your account
  • For OpenAI, ensure your billing plan is active

"429 Too Many Requests"

  • You have hit the provider's rate limit
  • Wait a minute and try again
  • Consider upgrading your usage tier with the provider
  • For free-tier models, rate limits are lower (e.g., Gemini free: 10 RPM)

"402 Payment Required"

  • Your prepaid credits have run out
  • Add more credits in the provider's billing dashboard
  • Switch to a free-tier model (Gemini, OpenRouter free models)

Keys disappear after clearing browser data

  • localStorage is cleared when you clear browser data, site data, or cookies
  • Export your keys before clearing (manually copy them, since they are excluded from data export)
  • Consider using a password manager to store your API keys

Danger

Never share your API keys with anyone. Never paste them into public chat messages, forums, or code repositories. If a key is compromised, revoke it immediately in the provider's console and generate a new one.