ToRouter DocsRotate or revoke a key
Replace a leaked ToRouter API key, or instantly revoke one you no longer need.
ToRouter does not support regenerating an existing key — the plaintext is hashed at creation time and never recoverable. To rotate, you create a new key, switch traffic over, then delete the old one. Revocation is instant.
Rotate (recommended on any suspected leak)
Create a replacement
API Keys → Create key → same name + -v2 (or your convention) → copy the new sk-***. See Create a key.
Switch your application
Update the OPENAI_API_KEY / ANTHROPIC_API_KEY / GEMINI_API_KEY env var (or equivalent) in every place that uses the old key — .env, secrets manager, CI, Cursor/Cline config.
Roll the deploy. Confirm the new key works by hitting any endpoint:
curl https://portal.torouter.ai/v1/models \
-H "Authorization: Bearer sk-***"Delete the old key
API Keys → row of the old key → Delete. The old key returns 401 from the next request onward.
Deletion is immediate and irreversible. Make sure no production traffic still uses the old key.
Revoke (no replacement)
If a key is no longer needed — or you want to kill it right now — just delete it. Any in-flight request finishes; subsequent requests fail with 401.
When to rotate
- The key appeared in a commit, log, screenshot, support ticket, or chat transcript
- A teammate with the key left the project
- Scheduled rotation (e.g. every 90 days for production)
- The key was issued without restrictions and you now want a scoped replacement