Authentication
The Kilo AI Gateway supports multiple authentication methods depending on your use case.
API key authentication
The primary authentication method is a Bearer token passed in the Authorization header:
Authorization: Bearer <your_api_key>
API keys are JWT tokens tied to your Kilo account. See how to get your API key for step-by-step instructions.
Using your API key
import { createOpenAI } from "@ai-sdk/openai"

const kilo = createOpenAI({
  baseURL: "https://api.kilo.ai/api/gateway",
  apiKey: process.env.KILO_API_KEY,
})
Organization tokens
When making requests on behalf of an organization, include the organization ID in the request header:
X-KiloCode-OrganizationId: your_org_id
Organization tokens are scoped with a 15-minute expiry and enforce the organization's policies, including model allow lists, provider restrictions, and per-user spending limits.
Anonymous access
The gateway allows unauthenticated access for free models only. Anonymous requests are identified by IP address and are subject to rate limiting (200 requests per hour per IP).
Free models include models tagged with :free in their model ID, such as minimax/minimax-m2.1:free and z-ai/glm-5:free.
Bring Your Own Key (BYOK)
BYOK lets you use your own provider API keys with the Kilo AI Gateway. When a BYOK key is configured, requests are sent to the provider using your key. You are billed directly by the provider -- Kilo does not add any markup.
Supported BYOK providers
| Provider | BYOK Key ID |
|---|---|
| Anthropic | anthropic |
| AWS Bedrock | bedrock |
| Google AI Studio | google |
| Inception | inception |
| OpenAI | openai |
| MiniMax | minimax |
| Mistral | mistral |
| xAI | xai |
| Z.AI | zai |
| BytePlus Coding Plan | byteplus-coding |
| Codestral (FIM) | codestral |
| Kimi Code | kimi-coding |
| Neuralwatt | neuralwatt |
| Z.AI Coding Plan | zai-coding |
How BYOK works
- Add your provider API key in the Kilo dashboard or through your Kilo Code extension settings
- Keys are encrypted at rest using AES-256 encryption
- When you make a request for a model from that provider, the gateway automatically uses your key
- Usage is tracked but not billed to your Kilo balance (cost is set to $0)
- If your BYOK key fails, the request will not automatically fall back to Kilo's keys
BYOK keys can be configured at the personal level or at the organization level. Organization-level keys apply to all members of the organization and require owner or billing manager access to manage.
Request headers
The gateway accepts the following headers:
| Header | Required | Description |
|---|---|---|
| Authorization | Yes (unless free model) | Bearer <api_key> |
| Content-Type | Yes | application/json |
| X-KiloCode-OrganizationId | No | Organization context for org-scoped requests |
| X-KiloCode-TaskId | No | Task identifier for prompt cache keying |
| X-KiloCode-Version | No | Client version string |
| x-kilocode-mode | No | Mode hint for kilo-auto model routing |
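The header rules in the table above can be enforced on the client before a request leaves the process. The following is an added example, not code from the Kilo documentation or SDK: the function names and sample values are hypothetical, and it assumes the `:free` tag is a suffix of the model ID, as in the examples on this page.

```javascript
// Added example: header names and the "unless free model" rule come from the
// table above; function names and sample values are hypothetical.

// Assumption: the ":free" tag is a suffix of the model ID.
function isFreeModel(modelId) {
  return typeof modelId === "string" && modelId.endsWith(":free");
}

// Reject empty values and values containing CR, LF or NUL, so that a
// mis-pasted key or org ID cannot inject additional header lines.
function safeHeaderValue(name, value) {
  if (typeof value !== "string" || value.length === 0 || /[\r\n\0]/.test(value)) {
    throw new Error(`invalid value for header ${name}`);
  }
  return value;
}

function buildGatewayHeaders({ model, apiKey, organizationId }) {
  const headers = { "Content-Type": "application/json" };
  if (apiKey) {
    headers["Authorization"] = `Bearer ${safeHeaderValue("Authorization", apiKey)}`;
  } else if (!isFreeModel(model)) {
    // Fail closed locally instead of sending an unauthenticated
    // request for a model that requires a key.
    throw new Error(`model ${model} requires an API key`);
  }
  if (organizationId !== undefined) {
    headers["X-KiloCode-OrganizationId"] =
      safeHeaderValue("X-KiloCode-OrganizationId", organizationId);
  }
  return headers;
}

// Copy of the headers that is safe to write to logs: the bearer token is masked.
function redactForLog(headers) {
  const copy = { ...headers };
  if (copy.Authorization) copy.Authorization = "Bearer [REDACTED]";
  return copy;
}
```

Pass the result of `buildGatewayHeaders` to your HTTP client and log only the output of `redactForLog`, so the API key never reaches log files or error reports.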