Skip to main content

Documentation Index

Fetch the complete documentation index at: https://doc.hitopen.com/llms.txt

Use this file to discover all available pages before exploring further.

An API token is the credential your application presents when calling Newapi. Every token starts with sk- and is passed in the Authorization: Bearer header, exactly like an OpenAI API key. Newapi validates the token, checks its quota and permissions, and then forwards the request to the appropriate channel. Tokens let you control who can access Newapi and how much they can spend — without sharing your upstream provider credentials.

Creating a token

1

Open Token Management

Log in to the Newapi console and click Token Management in the sidebar.
2

Click New Token

Click the New Token button to open the token creation form.
3

Name the token

Give your token a descriptive name so you can identify it later (e.g., production-backend, dev-alice).
4

Set a quota (optional)

Enter a Quota (credit limit) to cap how much this token can spend. Once the quota is exhausted, the token stops working until an administrator tops it up. Leave blank for unlimited quota.
5

Set an expiry date (optional)

Choose an Expiry date if you want the token to automatically stop working after a certain date. Useful for temporary access or contractor projects.
6

Restrict to specific models (optional)

Enter an Allowed Models list to limit the token to a subset of available models. If left empty, the token can access all models your account has permission to use.
7

Copy your key

After clicking Submit, copy the generated sk- key immediately. Newapi does not display the full key again after you close this dialog. Store it securely (for example, in an environment variable or secret manager).
You cannot retrieve a token’s key after creation. If you lose it, delete the token and create a new one.

Token scoping

Scoping lets you limit what a token can do. Two scoping mechanisms are available: Model restrictions — Specify which models the token is allowed to call. Any request for a model not on the list is rejected with a 403 error. This is useful when you want to prevent a token from accessing expensive models. Quota limits — Set a maximum credit amount. Newapi tracks spending per token and blocks further requests when the quota is reached. This protects against runaway costs from bugs or misuse. You can combine both: a token restricted to gpt-4o-mini with a quota of 100 credits gives you precise control over both model access and spend.

Viewing token usage

To see how much a token has consumed:
  1. Go to Token Management in the console.
  2. Each token row shows its current Used Quota and Remaining Quota.
  3. Click a token to open its detail view, where you can see recent activity.
For detailed per-request logs, see Usage Logs.

Revoking or deleting a token

To immediately stop a token from working:
  • Disable the token by toggling its status to disabled in the Token Management list. The token can be re-enabled later.
  • Delete the token to permanently remove it. Deleted tokens cannot be recovered.
Both actions take effect immediately — in-flight requests authenticated with that token complete normally, but new requests are rejected.

Best practices

Create one token per application or service, not one shared token for everything. This lets you revoke or rotate a single application’s access without affecting others.
  • Set quotas on shared or external tokens. If you give a token to a third party or embed it in a client application, always set a quota to limit potential overspend.
  • Use expiry dates for temporary access. For contractors, experiments, or demo environments, set an expiry so you don’t have to remember to revoke manually.
  • Rotate tokens regularly. Treat tokens like passwords — rotate them periodically and immediately if you suspect a leak.
  • Store tokens as environment variables. Never hardcode a token in source code or commit it to a repository.

Next steps