Responses Proxy keys
Responses Proxy data-plane requests require an org-scoped proxy key. Send the key as the Authorization bearer on POST /v1/responses.
Admin auth and data-plane auth are separate:
- Admin and registry routes use Morph org auth or a Morph service delegation token.
- Data-plane routes use proxy keys minted for the owning Morph organization.
Create a key in the console
Open the Responses page in the Morph Cloud console and switch to Proxy Keys. In the current console, this tab is shown to org admins.
- Enter a key name such as ci-pipeline.
- Click Create key.
- Copy the full secret immediately.
The full key is shown only once. Later lists show only metadata such as name, prefix, created time, last used time, and enabled/revoked state.
Create a key with the admin API
Direct admin calls require Morph bearer auth for the target organization. The backend allows the roles configured by PROXY_ADMIN_ALLOWED_ROLES, which defaults to org:admin,org:member.
export RESPONSES_PROXY_BASE_URL="https://agent-responses-proxy.svc.cloud.morph.so"
export ADMIN_HEADER="Authorization: Bearer ${SEELE_ORG_ADMIN_MORPH_API_KEY}"
Mint a key:
curl -sS -X POST "$RESPONSES_PROXY_BASE_URL/admin/keys" \
  -H "$ADMIN_HEADER" \
  -H "content-type: application/json" \
  -d '{"name":"ci-pipeline"}'
The response includes the secret once:
{
  "key": {
    "id": "key_...",
    "name": "ci-pipeline",
    "prefix": "rpx_...",
    "enabled": true
  },
  "secret": "rpx_..."
}
Store the secret value in your client environment.
Use a key
export RESPONSES_PROXY_API_KEY="rpx_..."
curl -sS "$RESPONSES_PROXY_BASE_URL/v1/responses" \
  -H "Authorization: Bearer $RESPONSES_PROXY_API_KEY" \
  -H "content-type: application/json" \
  -d '{
    "model": "openai/gpt-mini",
    "input": "Reply with exactly: key ok"
  }'
The key binds the request to its owning org. Routing is scoped to that org's providers and aliases.
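The two steps above (keep the one-time secret, then send it as the bearer) can be handled on the client as in this added Python example, which is not Morph's own code. The function names, the file location and the sample response values are assumptions made for illustration, and the permission check assumes a POSIX filesystem.

```python
import json
import os
import stat
import tempfile

# Constructed sample shaped like the mint response above; not a real key.
SAMPLE_MINT_RESPONSE = json.dumps({
    "key": {"id": "key_EXAMPLE", "name": "ci-pipeline",
            "prefix": "rpx_EXAMPLE", "enabled": True},
    "secret": "rpx_EXAMPLE_constructed_secret",
})


def store_minted_secret(response_body, path):
    """Write the one-time secret to path (mode 0600); return loggable metadata."""
    doc = json.loads(response_body)
    secret = doc.get("secret")
    if not isinstance(secret, str) or not secret:
        raise ValueError("no secret in response; it is returned only at creation")
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps it owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    # Only the "key" object is returned, so the secret never reaches a log line.
    return dict(doc.get("key", {}))


def bearer_header(path):
    """Build the data-plane Authorization header from the stored secret."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other (mode {mode:o})")
    with open(path) as fh:
        return {"Authorization": "Bearer " + fh.read().strip()}


def demo():
    """Run both helpers on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "responses_proxy_key")
        meta = store_minted_secret(SAMPLE_MINT_RESPONSE, path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return meta, mode, bearer_header(path)


if __name__ == "__main__":
    meta, mode, _ = demo()
    print("stored key", meta["id"], "with file mode", oct(mode))
```

Because the secret cannot be fetched again, a failed write means revoking that key id and minting a new one.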
List and revoke keys
curl -sS -H "$ADMIN_HEADER" "$RESPONSES_PROXY_BASE_URL/admin/keys"
curl -sS -X DELETE \
  -H "$ADMIN_HEADER" \
  "$RESPONSES_PROXY_BASE_URL/admin/keys/<key-id>"
Revoked keys stop authenticating data-plane requests. Key secrets are stored hashed and are never returned after creation.