Security classification (API keys)
API keys carry the same security classification model as the web chat. See Security classifications for the full product behavior.
Levels
| Level | Typical use |
|---|---|
| Public | Non-sensitive automation |
| Internal | Internal business data |
| Confidential | Confidential business data |
| Secret | Highest sensitivity |
Ordering is strict: Public < Internal < Confidential < Secret.
At key creation
When you create an API key in Settings → API Keys, you choose a classification. That choice is your responsibility — pick the lowest level that still protects the data you send.
Provider matching
Each enabled inference provider in Settings → Providers has its own classification. For a completion or model list:
- The backing provider must be at or above the API key’s classification.
- Models on weaker providers are hidden from
GET /v1/modelsand rejected onPOST /v1/chat/completionswith403/insufficient_security_classification.
API vs chat
- Web chat can raise a conversation’s required classification when you pick a stronger provider.
- API keys use a fixed classification set at creation; they do not auto-elevate.
Recommendations
- Create a dedicated API key for each integration or workload so you can revoke or rotate keys independently.
- Revoke unused keys promptly.
- For Secret-tier data, prefer BYOK providers you control and mark them Secret in provider settings.
Last updated on