API Keys
API keys are authentication tokens that let you access LLM provider APIs. AI Supreme Council uses a BYOK (Bring Your Own Key) model -- you get keys directly from each provider and store them in your browser. Keys never pass through any intermediary server.
Where to Get API Keys
Each provider has its own developer console where you can create API keys:
| Provider | Console URL | Key Format | Free Tier |
|---|---|---|---|
| Anthropic | console.anthropic.com/settings/keys | sk-ant-api03-... | No (prepaid credits required) |
| OpenAI | platform.openai.com/api-keys | sk-proj-... or sk-... | No (prepaid credits required) |
| xAI | console.x.ai | xai-... | $25 free monthly credit |
| Google Gemini | aistudio.google.com/apikey | Alphanumeric string | Yes (generous free tier, no credit card) |
| OpenRouter | openrouter.ai/keys | sk-or-v1-... | Yes (20+ free models, no credit card) |
| DeepSeek | platform.deepseek.com/api_keys | sk-... | No (prepaid credits required) |
| Groq | console.groq.com/keys | gsk_... | Yes (free tier with rate limits) |
| Mistral | console.mistral.ai/api-keys | Alphanumeric string | No |
| Ollama | N/A (local) | Not needed | Yes (runs locally, no key required) |
Google Gemini and OpenRouter both offer free tiers with no credit card required. Gemini gives you access to Gemini 2.5 Flash and Pro. OpenRouter gives you access to 20+ free models including DeepSeek R1, Llama 3.3, Qwen 3, and more. These are the fastest way to start chatting.
How Keys Are Stored
API keys are stored in your browser's localStorage under provider-specific keys:
| localStorage Key | Provider |
|---|---|
| ais-apikey-anthropic | Anthropic (Claude) |
| ais-apikey-openai | OpenAI (GPT) |
| ais-apikey-xai | xAI (Grok) |
| ais-apikey-gemini | Google Gemini |
| ais-apikey-openrouter | OpenRouter |
| ais-apikey-deepseek | DeepSeek |
| ais-apikey-groq | Groq |
| ais-apikey-mistral | Mistral |
Keys are plain strings in localStorage. They are read synchronously at boot so the app can immediately determine which providers are available.
Setting API Keys
Via the Settings Dialog
- Open Settings (gear icon in the sidebar)
- Go to the API Keys section
- The keys panel shows all providers from the model registry, organized by provider
- Enter your key in the field for the relevant provider
- Keys are saved immediately on input
Via the Config Panel
- Open the config panel (right sidebar)
- The API Key field at the bottom shows the key for the currently selected provider
- Enter or update the key directly
- The key is saved when you change it
Via Browser Console
```javascript
// Set a key
localStorage.setItem('ais-apikey-anthropic', 'sk-ant-api03-your-key-here');
// Read a key
localStorage.getItem('ais-apikey-openai');
// Remove a key
localStorage.removeItem('ais-apikey-xai');
```
Security Model
- Keys never appear in URLs -- bot sharing encodes only configuration, never keys
- Keys are never exported -- the Export All Data feature explicitly excludes all API keys
- Keys never leave your browser -- except when sent directly to the provider's own API endpoint
- Keys are not sent to aiscouncil.com -- the app makes zero requests to its own server with your keys
- Keys are never logged -- not in console, not in analytics, not in error reports
When you send a message, the API call goes directly from your browser to the provider:
```
Your Browser --(HTTPS + API key)--> api.anthropic.com
Your Browser --(HTTPS + API key)--> api.openai.com
Your Browser --(HTTPS + API key)--> api.x.ai
Your Browser --(HTTPS + API key)--> generativelanguage.googleapis.com
```
No proxy, no middleware, no intermediary. The key travels over HTTPS directly to the provider and nowhere else.
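One way to enforce the "never logged" property, shown as an added example rather than the app's own code: scrub key-shaped substrings from any text before it reaches the console or an error report. The prefixes come from the key-format table above; `redactSecrets`, `makeSafeLogger`, the 16-character length floor and the sample strings are assumptions.

```javascript
// Added example: redact API-key-shaped substrings before text is logged.
// Longer prefixes are listed first so the most specific one is kept in the output.
// The 16-character floor is an assumption that avoids masking short ordinary tokens.
const KEY_PATTERN =
  /\b(sk-ant-api03-|sk-proj-|sk-or-v1-|sk-|xai-|gsk_)[A-Za-z0-9_-]{16,}/g;

// Gemini keys have no prefix and travel as a ?key= query parameter, so a URL
// quoted in an error message can carry the key. Match on the parameter name.
const QUERY_KEY_PATTERN = /([?&]key=)[^&#\s"']+/gi;

function redactSecrets(text) {
  return String(text)
    .replace(QUERY_KEY_PATTERN, '$1[REDACTED]')
    .replace(KEY_PATTERN, (match, prefix) => `${prefix}[REDACTED]`);
}

// Wrap any sink (console.error, an error reporter) so that strings, Error
// objects and plain objects are all scrubbed before they are written.
function makeSafeLogger(sink) {
  return (...args) => {
    const parts = args.map((arg) => {
      if (arg instanceof Error) return `${arg.name}: ${arg.message}`;
      return typeof arg === 'string' ? arg : JSON.stringify(arg);
    });
    sink(redactSecrets(parts.join(' ')));
  };
}

// Constructed sample input (not real keys or real error text).
const SAMPLE_ERROR =
  '401 from https://generativelanguage.googleapis.com/example' +
  '?key=CONSTRUCTEDgeminiKEY12345&alt=sse';
const SAMPLE_HEADER = 'Authorization: Bearer sk-proj-CONSTRUCTED0000000000';
```
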
Global vs Per-Bot API Keys
AI Supreme Council supports two levels of API keys:
Global Keys (per provider)
Set in Settings > API Keys. These are the default keys used by all bots for a given provider. Stored in localStorage as ais-apikey-{provider}.
Per-Bot Keys
Set in the config panel under Per-Bot API Key. This overrides the global key for a specific bot only. Use cases:
- Different API keys for different projects (separate billing)
- Testing a new key without affecting other bots
- Using a key with different rate limits or permissions
Per-bot keys are stored in the bot's config object (the k field) in IndexedDB. They are not included when sharing a bot URL -- the recipient uses their own keys.
Priority: Per-bot key > Global provider key
If a bot has a per-bot key set, it uses that. Otherwise, it falls back to the global key for that provider.
Key Validation
The app does not perform explicit key validation on save. Instead, if a key is invalid, you will see an error when you first try to send a message. Common errors:
| Error | Cause |
|---|---|
| 401 Unauthorized | Invalid API key or key has been revoked |
| 403 Forbidden | Key does not have permission for the requested model |
| 429 Too Many Requests | Rate limit exceeded (try again later) |
| 402 Payment Required | Insufficient credits or expired billing |
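Because nothing is checked on save, a key pasted into the wrong provider field only surfaces as a 401 on the first message. The following added example (not part of the app) is a local format check built from the prefixes in the key-format table; `checkKeyFormat` and the provider identifiers are assumptions taken from the localStorage key names, and it never contacts a provider.

```javascript
// Added example: pre-save format check using the prefixes from the key-format table.
// Longest prefixes first, because "sk-" is also the start of the more specific ones.
const KEY_PREFIXES = [
  ['sk-ant-api03-', ['anthropic']],
  ['sk-or-v1-', ['openrouter']],
  ['sk-proj-', ['openai']],
  ['gsk_', ['groq']],
  ['xai-', ['xai']],
  ['sk-', ['openai', 'deepseek']], // legacy OpenAI and DeepSeek share this prefix
];
// Providers whose keys the table describes only as "alphanumeric string".
const NO_PREFIX = ['gemini', 'mistral'];

function checkKeyFormat(provider, rawKey) {
  if (provider === 'ollama') return { ok: true, problems: [] }; // local, no key needed
  const key = String(rawKey).trim();
  const problems = [];
  // Clipboard tools can add whitespace that turns a valid key into a 401.
  if (key !== rawKey) problems.push('leading or trailing whitespace');
  if (key === '') problems.push('empty key');
  else if (/\s/.test(key)) problems.push('whitespace inside key');

  const hit = KEY_PREFIXES.find(([prefix]) => key.startsWith(prefix));
  const owners = hit ? hit[1] : [];
  if (key !== '' && hit && !owners.includes(provider)) {
    // Key carries another provider's prefix: wrong field or wrong dropdown.
    problems.push(`prefix matches ${owners.join(' or ')}, not ${provider}`);
  } else if (key !== '' && !hit && !NO_PREFIX.includes(provider)) {
    problems.push(`no known ${provider} prefix`);
  }
  return { ok: problems.length === 0, problems };
}
```

A passing check says only that the key has the right shape; a revoked or unfunded key still fails with the errors in the table above.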
Rotating Keys
To rotate (change) a key:
- Generate a new key in the provider's console
- Update the key in Settings > API Keys
- The old key is immediately replaced -- there is no transition period
The new key takes effect on the next API call. No restart or reload needed.
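The priority rule (per-bot key > global key) matters during rotation. The added example below, which is not the app's own code, resolves each bot's effective key and lists the bots that would still send a revoked key, assuming that updating Settings rewrites only the global localStorage entry. The bot fields `id` and `provider`, the storage stub and the sample keys are assumptions; `k` is the per-bot field named on this page.

```javascript
// Added example. `bots` stands in for records read from IndexedDB and `storage`
// for window.localStorage, so the audit can run without a browser.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    getItem: (name) => (map.has(name) ? map.get(name) : null),
    setItem: (name, value) => { map.set(name, String(value)); },
  };
}

// Priority from the page: per-bot key > global provider key.
function resolveKey(bot, storage) {
  if (bot.k) return { source: 'per-bot', key: bot.k };
  const globalKey = storage.getItem(`ais-apikey-${bot.provider}`);
  if (globalKey) return { source: 'global', key: globalKey };
  if (bot.provider === 'ollama') return { source: 'placeholder', key: 'ollama' };
  return { source: 'missing', key: null };
}

// List the bots that would still send `oldKey`, and through which level.
function botsStillUsing(oldKey, bots, storage) {
  return bots
    .map((bot) => ({ id: bot.id, ...resolveKey(bot, storage) }))
    .filter((entry) => entry.key === oldKey)
    .map(({ id, source }) => ({ id, source }));
}

// Constructed sample data (not real keys).
const OLD_KEY = 'sk-proj-CONSTRUCTED-OLD';
const NEW_KEY = 'sk-proj-CONSTRUCTED-NEW';
const sampleBots = [
  { id: 'research', provider: 'openai' },
  { id: 'billing-test', provider: 'openai', k: OLD_KEY },
  { id: 'local', provider: 'ollama' },
];

function rotationDemo() {
  const storage = makeStorage({ 'ais-apikey-openai': OLD_KEY });
  const before = botsStillUsing(OLD_KEY, sampleBots, storage);
  storage.setItem('ais-apikey-openai', NEW_KEY); // rotate the global key only
  const after = botsStillUsing(OLD_KEY, sampleBots, storage);
  return { before, after };
}
```

In the sample, `billing-test` remains in the `after` list because its per-bot key still overrides the rotated global key.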
Provider-Specific Notes
Anthropic
- Keys start with sk-ant-api03- (third-generation format)
- Requires prepaid credits before any API usage
- Supports the anthropic-dangerous-direct-browser-access header for browser-direct calls
- Rate limits depend on your usage tier (1-4)
OpenAI
- Project keys start with sk-proj-; legacy keys start with sk-
- Requires prepaid credits or an active billing plan
- Some models (GPT-4, o1) require higher usage tiers
xAI (Grok)
- Keys start with xai-
- New accounts receive $25/month in free credits
- Supports vision and function calling
Google Gemini
- Keys are alphanumeric strings from Google AI Studio
- The API key is passed as a ?key= query parameter (not a Bearer header) to avoid CORS preflight requests
- Free tier includes Gemini 2.5 Flash (10 RPM), Gemini 2.5 Pro (5 RPM), and Gemini 2.5 Flash-Lite (30 RPM)
- No credit card required for free tier
OpenRouter
- Keys start with sk-or-v1-
- Provides access to 300+ models from many providers
- Free models are available immediately (no credit card)
- Paid models bill through OpenRouter's own billing system
DeepSeek
- Keys start with sk-
- Pricing is significantly lower than other providers
- Supports reasoning (DeepSeek R1) and coding (DeepSeek Coder)
Groq
- Keys start with gsk_
- Specializes in fast inference
- Free tier available with rate limits
- Supports Llama, Mixtral, and Gemma models
Ollama
- No API key needed -- Ollama runs locally on your machine
- The app uses the placeholder value 'ollama' internally
- Requires Ollama to be installed and running (ollama serve)
- Set OLLAMA_ORIGINS=* for browser CORS access
- Models are detected automatically via GET /api/tags
Troubleshooting
"No API key" error
- Check that you have entered a key for the correct provider in Settings
- Verify the provider dropdown in the config panel matches the key you set
- Try pasting the key again -- some password managers may alter the clipboard
"401 Unauthorized" or "Invalid API key"
- Regenerate the key in the provider's console
- Make sure the key has not been revoked or expired
- For Anthropic, ensure you have added credits to your account
- For OpenAI, ensure your billing plan is active
"429 Too Many Requests"
- You have hit the provider's rate limit
- Wait a minute and try again
- Consider upgrading your usage tier with the provider
- For free-tier models, rate limits are lower (e.g., Gemini free: 10 RPM)
"402 Payment Required"
- Your prepaid credits have run out
- Add more credits in the provider's billing dashboard
- Switch to a free-tier model (Gemini, OpenRouter free models)
Keys disappear after clearing browser data
- localStorage is cleared when you clear browser data, site data, or cookies
- Export your keys before clearing (manually copy them, since they are excluded from data export)
- Consider using a password manager to store your API keys
Never share your API keys with anyone. Never paste them into public chat messages, forums, or code repositories. If a key is compromised, revoke it immediately in the provider's console and generate a new one.