Access Controls

Granular controls for every API key

Restrict models, enforce geo-routing, cap spend, set rate limits, hardwire to specific suppliers and maintain a full audit trail — all per API key over the Management API or console.

Example: create a scoped key via API

POST /v1/manage/keys
{
  "name": "prod-eu-finance",
  "allowed_models": [
    "gpt-4o",
    "claude-sonnet-4-5"
  ],
  "allowed_regions": ["EU"],
  "budget_limit": 500.00,
  "budget_period": "monthly",
  "rate_limit_rpm": 200
}

Returns a scoped key valid only for those models and regions

Every control you need, per key

Enforce the principle of least privilege at the API credential level.

Per-key model restrictions

Limit each API key to an explicit allowlist of models. A key issued for a GPT-4o workload cannot call Claude or Gemini — enforced server-side regardless of what the client requests.

Geo & supplier restrictions

Lock a key to one or more regions (EU, US, APAC) or to named supplier endpoints. Requests that would route outside the allowed geography are rejected with a clear error.

Budget caps

Set a hard spending limit per key on a daily, monthly, or cumulative basis. Admins can set per-user budgets and let regular users self-optimise.

Rate limits

Configure requests-per-minute and tokens-per-minute limits independently per key. Prevent a single runaway process from consuming all your organisation's capacity.

Audit logging

Every API call is logged with timestamp, model, token counts, cost, supplier, region, and the key that was used. Exportable via API for SIEM integration or compliance review.

Role-based access

Separate key management from key usage. Admins create and revoke keys; developers receive scoped credentials. Neither role can exceed its own key's restrictions.

Set up access controls in four steps

Fully programmable through the Management API — or use the console for a guided setup.

01

Create an organisation

Sign up, then invite other users or issue them API keys under your TaaS organisation.

02

Define key policies

Use POST /v1/manage/keys to issue scoped keys. Specify allowed models, regions, budget limits, and rate limits for each workload or team.

03

Distribute to teams

Hand each team or application only the key scoped to their needs. No team can access models, regions, or budgets outside their policy — even if they try.

04

Monitor & iterate

Pull audit logs and usage metrics via API. Adjust budget caps or rate limits in real time without reissuing keys. Revoke instantly when no longer needed.

Management API

Programmatic key lifecycle

Create, update, rotate, and revoke keys without touching the console. Integrate key provisioning directly into your onboarding pipelines, CI/CD, or IaC.

# Create a scoped key
curl -X POST https://taas.cloudsigma.com/v1/manage/keys \
  -H "Authorization: Bearer $ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "team-analytics-eu",
    "allowed_models": ["gpt-4o", "text-embedding-3-large"],
    "allowed_regions": ["EU"],
    "budget_limit": 250.00,
    "budget_period": "monthly",
    "rate_limit_rpm": 60
  }'

# Revoke a key
curl -X DELETE https://taas.cloudsigma.com/v1/manage/keys/key_abc123 \
  -H "Authorization: Bearer $ADMIN_KEY"

Audit Logs

Export logs for compliance

Retrieve structured audit logs per key, per model, or across your whole organisation. Each record includes cost, token counts, supplier, region, and latency.

# Fetch audit logs for the last 24h
curl "https://taas.cloudsigma.com/v1/manage/logs\
?key_id=key_abc123&since=2024-01-15T00:00:00Z" \
  -H "Authorization: Bearer $ADMIN_KEY"

# Example log entry
{
  "timestamp": "2024-01-15T14:32:01Z",
  "key_id":    "key_abc123",
  "model":     "gpt-4o",
  "supplier":  "openai-eu",
  "region":    "EU",
  "input_tokens":  512,
  "output_tokens": 128,
  "cost_usd":      0.0042,
  "latency_ms":    843
}
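
An added example, not part of the original page or of TaaS's own tooling: a Python check that replays exported audit records against the policy a key was created with, so a SIEM job can confirm independently that the model, region, budget and rate restrictions held. It assumes records have the shape of the log entry above, that budget_limit is in the same currency as cost_usd, that the monthly budget follows UTC calendar months and that the rate limit is counted per clock minute; the sample records and the supplier name "openai-us" are constructed.

```python
from collections import Counter, defaultdict

# Policy for the key under review; field names are those of the POST body above.
POLICY = {"allowed_models": ["gpt-4o", "text-embedding-3-large"],
          "allowed_regions": ["EU"], "budget_limit": 250.00,
          "budget_period": "monthly", "rate_limit_rpm": 60}

def sample_records():
    """Constructed audit records in the page's log-entry shape (not real data)."""
    def rec(ts, model="gpt-4o", supplier="openai-eu", region="EU"):
        return {"timestamp": ts, "key_id": "key_abc123", "model": model,
                "supplier": supplier, "region": region, "input_tokens": 512,
                "output_tokens": 128, "cost_usd": 0.0042, "latency_ms": 843}
    records = [rec("2024-01-15T14:32:01Z"),
               rec("2024-01-15T14:33:10Z", model="claude-sonnet-4-5"),
               # "openai-us" is a made-up supplier name for this sample.
               rec("2024-01-15T14:34:20Z", supplier="openai-us", region="US")]
    # 61 requests inside one clock minute, one more than rate_limit_rpm allows.
    records += [rec(f"2024-01-15T14:40:{i % 60:02d}Z") for i in range(61)]
    return records

def check_records(records, policy):
    """Return sorted (kind, detail) findings for records that fall outside policy."""
    findings = []
    spend = defaultdict(float)   # "YYYY-MM" -> summed cost_usd (assumed budget window)
    per_minute = Counter()       # "YYYY-MM-DDTHH:MM" -> requests (assumed rate window)
    for r in records:
        ts = r["timestamp"]
        if r["model"] not in policy["allowed_models"]:
            findings.append(("model", f"{ts} {r['model']}"))
        if r["region"] not in policy["allowed_regions"]:
            findings.append(("region", f"{ts} {r['region']} via {r['supplier']}"))
        spend[ts[:7]] += r["cost_usd"]
        per_minute[ts[:16]] += 1
    findings += [("budget", f"{m} {total:.2f}") for m, total in spend.items()
                 if total > policy["budget_limit"]]
    findings += [("rate", f"{minute} {n}") for minute, n in per_minute.items()
                 if n > policy["rate_limit_rpm"]]
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in check_records(sample_records(), POLICY):
        print(f"{kind:7} {detail}")
```

Any finding on real exports means either the policy was changed after the records were written or enforcement did not behave as configured; both are worth an alert.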

Governance built in

Control every key, every team, every region

TaaS access controls work out of the box — no additional security tooling required. Start with a single admin key and issue scoped credentials in minutes.