Authentication
Every request to the Privian gateway is authenticated with a gateway API key. Bring-your-own-key (BYOK) credentials for downstream providers are configured separately and never travel in the request.
Header
Send your key as a bearer token:
```http
Authorization: Bearer sk-gw_live_<random>
```
Or as x-api-key — both are accepted.
Key format
- sk-gw_live_… — production key.
- sk-gw_test_… — non-production key for local or staging use.
The portion after the prefix is opaque randomness — do not parse it. The full key is shown once at creation and cannot be retrieved again.
Storage
- Privian stores only sha256(key), looked up in constant time on every request.
- The plaintext key never leaves your machine after creation.
- Revoking a key takes effect immediately on the next request.
Errors
- Missing, unknown, or revoked key → 401 unauthorized.
- Auth is checked before validation, quota, masking, or any provider call.
BYOK provider credentials
Privian forwards masked prompts to providers using credentials configured per organisation in the dashboard — never in the request body. See Concept: BYOK.
Rotation
Create a new key, deploy it to your application, then revoke the old key. Privian does not support in-place rotation of an existing key value.