API Keys
Manage your own API keys for direct LLM provider access. Understand the gateway-first architecture and 3-tier routing system for maximum flexibility.
Overview
AEO Optima works out of the box without any API keys — all AI model requests are processed through the platform's managed API. However, if you want to use your own provider accounts, the API Keys settings page lets you add, manage, and remove your own keys for direct LLM provider access.
Gateway-First Architecture
Instead of requiring you to set up and manage individual API keys for every AI provider, AEO Optima uses a gateway-first architecture that simplifies key management.
The core idea: you can connect a single OpenRouter gateway key that provides access to all supported AI models through one integration. This eliminates the need to create accounts and manage keys across multiple providers.
Of course, if you prefer direct access to a specific provider, you can also add native provider keys alongside or instead of a gateway key.
3-Tier Routing
When AEO Optima sends a request to an AI model, it determines which API key to use based on a 3-tier priority system:
| Priority | Tier | Description |
|---|---|---|
| 1st | Direct BYOK | If you have added a native API key for the specific provider (e.g., an OpenAI key for GPT-4o), that key is used. |
| 2nd | Gateway BYOK | If no direct key exists but you have an OpenRouter gateway key configured, the request is routed through OpenRouter. |
| 3rd | Platform Managed | If no BYOK keys are configured for the provider, the platform's managed API handles the request. |
This system gives you maximum flexibility. You can mix and match — use your own OpenAI key for direct access, route Anthropic and Google requests through an OpenRouter gateway key, and let the platform handle Perplexity.
Provider Categories
Gateway Providers
| Provider | Coverage |
|---|---|
| OpenRouter | A single API key provides access to models from OpenAI, Anthropic, Google, Perplexity, and many others. One key covers all. |
A gateway key is the simplest way to bring your own access to all models at once.
Direct BYOK Providers
| Provider | Access |
|---|---|
| OpenAI | Native API access to GPT-4o, GPT-4o Mini, GPT-4 Turbo |
| Anthropic | Native API access to Claude Sonnet, Claude Opus, Claude Haiku |
| Google | Native API access to Gemini Flash, Gemini Pro |
| Perplexity | Native API access to Sonar Large, Sonar Small |
Direct keys connect to the provider's own API without any intermediary. Use these when you have existing agreements with a provider or need guaranteed direct access.
Adding an API Key
- Navigate to Settings in the sidebar
- Open the API Keys section
- Click Add API Key
- Select the provider from the dropdown (OpenAI, Anthropic, Google, Perplexity, or OpenRouter)
- Paste your API key into the key field
- Give the key a descriptive name (e.g., "Production OpenAI Key" or "Team Gateway")
- Click Save
Your key is encrypted before being stored. For security, only the first and last 4 characters of the key are displayed after saving. The full key is never shown again.
Organization-Wide vs. Project-Specific Keys
API keys can be scoped at two levels:
| Scope | Behavior |
|---|---|
| Organization-wide | The key is used by all projects in the organization that do not have their own project-specific key for the same provider. |
| Project-specific | The key is used only for the specified project. It overrides any organization-wide key for the same provider. |
This allows you to set a default key for your organization and override it for specific projects that need different access.
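The 3-tier routing and the scope override described above, combined in one resolver as an added example (not AEO Optima's own code). The names `StoredKey`, `resolve`, `describe` and `mask` and the lowercase provider identifiers are hypothetical, and it assumes the tier is decided first with the project-specific key preferred inside each tier, an ordering the page does not spell out.

```python
from dataclasses import dataclass
from typing import Optional

GATEWAY = "openrouter"  # assumed identifier for the gateway provider


@dataclass(frozen=True)
class StoredKey:
    provider: str                  # e.g. "openai", "anthropic", "openrouter"
    secret: str                    # constructed sample value, never a real key
    project: Optional[str] = None  # None means organization-wide


def mask(secret: str) -> str:
    """Keep only the first and last 4 characters for display."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 8 else "*" * len(secret)


def _pick(keys, provider, project):
    """A project-specific key beats the organization-wide key for a provider."""
    scoped = [k for k in keys if k.provider == provider and k.project == project]
    org = [k for k in keys if k.provider == provider and k.project is None]
    return (scoped or org or [None])[0]


def resolve(keys, provider, project):
    """Return (tier, key) for a request to `provider` made from `project`."""
    direct = _pick(keys, provider, project)
    if direct:
        return "direct_byok", direct          # 1st: native provider key
    gateway = _pick(keys, GATEWAY, project)
    if gateway:
        return "gateway_byok", gateway        # 2nd: OpenRouter gateway key
    return "platform_managed", None           # 3rd: platform's managed API


def describe(keys, provider, project):
    """Audit line for a routing decision; carries the masked key only."""
    tier, key = resolve(keys, provider, project)
    return f"{provider}@{project}: {tier} {mask(key.secret) if key else '-'}"


# Constructed sample configuration (all secrets are fake).
KEYS = [
    StoredKey("openai", "sk-org-EXAMPLE-0001"),
    StoredKey("openai", "sk-proj-EXAMPLE-0002", project="blog"),
    StoredKey("openrouter", "or-org-EXAMPLE-0003"),
]
```

Dropping the `openrouter` entry from `KEYS` makes an `anthropic` request resolve to `platform_managed`, which is the fall-through that removing a key produces.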
Removing a Key
To remove an API key, navigate to Settings > API Keys, find the key you want to remove, and click the delete action. Removing a key causes that provider to fall through to the next tier in the routing system (gateway, then managed API).
No snapshots or historical data are affected when a key is removed. Only future requests are impacted.
Security
Warning: Keep your API keys confidential. Only organization owners and admins can view, add, or remove API keys. Members and viewers do not have access to the API Keys settings.
- Keys are encrypted at rest and are never stored in plaintext
- Only the first and last 4 characters are displayed in the interface
- Keys are never included in logs, exports, or API responses
- Removing a key immediately revokes its use for future requests