Access Keys and Authentication for IDE Integration
When your IDE AI assistant connects to the Keeptrusts gateway, it needs to authenticate. This page explains the key types, how to configure them in your IDE, and best practices for secure credential storage.
Use this page when
- You are working through Access Keys and Authentication for IDE Integration as an implementation or operating workflow in Keeptrusts.
- You need the practical steps, expected outcomes, and related validation guidance in one place.
- If you need exact field-by-field reference instead of a workflow page, use the linked reference pages in Next steps.
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
Key Types
Keeptrusts uses two types of keys relevant to IDE integration:
Access Keys
Access keys authorize application and developer traffic through gateways. They are the recommended authentication method for IDE integrations.
- Created in the console under Settings → Access Keys
- Scoped to an organization
- Can be assigned to specific teams for attribution
- Provide full audit trail — every request is attributed to the key holder
- Revocable at any time from the console
Gateway Keys
Gateway keys authorize the gateway runtime itself to communicate with the Keeptrusts control-plane API. They are not used for IDE authentication.
- Authorize the gateway process to report events and fetch configuration
- Managed separately from access keys
- Not relevant to IDE setup
For IDE integration, you always use access keys, not gateway keys.
Creating an Access Key
- Log in to the Keeptrusts console
- Navigate to Settings → Access Keys
- Click Create Access Key
- Give the key a descriptive name (e.g., "Jane's VS Code", "Team Frontend Dev")
- Optionally assign the key to a team for cost attribution
- Copy the key value — it is shown only once
The key format looks like: kt_ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Using Access Keys in IDE Extensions
Pass the access key as the API key in your IDE extension's configuration. The gateway validates the key and attributes all traffic to the key holder.
In Extension Settings
{
"aiExtension.apiKey": "kt_ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"aiExtension.apiBaseUrl": "http://localhost:41002/v1"
}
As an Authorization Header
If the extension makes raw HTTP requests, the key is sent as a Bearer token:
Authorization: Bearer kt_ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Via Environment Variables
Some extensions read the OPENAI_API_KEY environment variable:
export OPENAI_API_KEY="kt_ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Using Provider API Keys Directly
If you are not using Keeptrusts access keys, you can pass your provider API key (e.g., OpenAI, Anthropic) directly. The gateway forwards it to the upstream provider:
{
"aiExtension.apiKey": "sk-your-openai-key",
"aiExtension.apiBaseUrl": "http://localhost:41002/v1"
}
In this mode:
- The gateway still applies all policies (redaction, blocking, etc.)
- Events are logged but attributed to the provider key, not a named user
- Cost attribution is limited — you cannot distinguish between developers sharing a key
Access keys are preferred for team environments because they provide per-developer attribution.
Secure Credential Storage
Never commit API keys to version control. Use these approaches to store keys securely:
Environment Variables
Store the key in your shell profile:
# ~/.zshrc or ~/.bashrc
export KEEPTRUSTS_ACCESS_KEY="kt_ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Reference it in extension settings if the extension supports variable interpolation.
.env Files (Git-Ignored)
Create a .env file in your project root:
KEEPTRUSTS_ACCESS_KEY=kt_ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Add .env to your .gitignore:
# .gitignore
.env
.env.local
OS Keychain
For maximum security, store the key in your OS keychain:
macOS Keychain:
security add-generic-password -a "keeptrusts" -s "access-key" -w "kt_ak_xxx..."
Retrieve it in your shell profile:
export KEEPTRUSTS_ACCESS_KEY=$(security find-generic-password -a "keeptrusts" -s "access-key" -w)
Linux (libsecret):
secret-tool store --label="Keeptrusts Access Key" service keeptrusts key access-key
VS Code Secrets
Some extensions integrate with VS Code's built-in secret storage. When prompted for an API key, VS Code stores it in the OS keychain automatically. This is the most secure option when available.
Key Rotation
Rotate access keys periodically or when a team member leaves:
- Create a new access key in the console
- Update all IDE configurations to use the new key
- Verify traffic flows with the new key (
kt events tail) - Revoke the old key in the console
The old key stops working immediately after revocation. Plan rotation during low-activity periods to avoid disrupting developers.
Team-Scoped Keys
Access keys can be assigned to teams for cost attribution and access control:
- Per-developer keys — each developer gets their own key for individual attribution
- Per-team keys — a shared key for the team, with cost attributed to the team
- Per-project keys — a key scoped to a specific project or repository
Recommended Setup
For most organizations:
- Create one access key per developer for individual attribution
- Name keys descriptively: "jane.doe@company.com - VS Code"
- Assign each key to the developer's team
- Track usage in the console dashboard
Audit Attribution from IDE Traffic
Every request through the gateway is logged with the access key's identity. In the console Events view, you see:
- Which developer made the request (key name and team)
- What model was used
- What policies were applied (redaction, blocking)
- Request and response timestamps
- Token count and estimated cost
Use kt events tail to watch attribution in real time:
kt events tail
Output includes the key identity:
[2024-01-15 10:30:12] INPUT openai chat/completions key:jane-vscode team:frontend PASS
Troubleshooting
401 Unauthorized
- Verify the key is active in the console (Settings → Access Keys)
- Check for extra whitespace or truncation when copying the key
- Ensure the key is for the correct organization
403 Forbidden
- The key may lack permissions for the requested model or provider
- Check team-level restrictions in the console
Key Not Attributed in Events
- Confirm the extension sends the key as
Authorization: Bearer <key> - Some extensions use non-standard header names — check extension documentation
- Verify the gateway is configured to validate access keys
Key Exposed in Logs or Settings
- Rotate the key immediately in the console
- Move the key to an environment variable or OS keychain
- Check
.gitignorecovers any files containing the key
For AI systems
- Canonical terms: Keeptrusts, Access Keys and Authentication for IDE Integration, ide-integration.
- Exact feature, config, command, or page names: Access Keys and Authentication for IDE Integration.
- Use the linked audience and reference pages in Next steps when you need deeper source material.
For engineers
- Use the commands, configuration examples, API payloads, or UI steps in this page as the working baseline for Access Keys and Authentication for IDE Integration.
- Validate the result with the expected outcomes, troubleshooting notes, or linked workflow pages in this page and Next steps.
For leaders
- This page matters when planning rollout, governance, support ownership, or operating decisions for Access Keys and Authentication for IDE Integration.
- Use the linked audience, architecture, and workflow pages in Next steps to connect this detail to broader implementation choices.
Next steps
- Setting Up the Gateway for IDE Use — get the gateway running
- IDE Integration Overview — see all supported IDEs and assistants
- VS Code: Continue Extension — the simplest integration path