API Key Auto-Discovery
How SpendLil automatically discovers and tracks your API keys without storing them.
SpendLil discovers your API keys automatically from your first request. There's no setup, no registration, no configuration. You start making requests and keys appear in your dashboard.
How It Works
Every time a request flows through SpendLil, the proxy computes a SHA-256 hash of your provider API key. This hash is used to identify the key without storing the key itself.
- Request arrives with your provider API key in the X-Provider-Key header
- SpendLil computes SHA-256(key) to produce a unique hash
- The hash is checked against your account's existing keys in DynamoDB
- If the hash is new — this is a key SpendLil hasn't seen before — a new record is created
- The record stores: hash, last 4 characters (hint), provider, first-seen timestamp
- Optionally, a NEW_KEY_DETECTED alert fires (if you've configured it)
What's Stored
| Field | Example | Purpose |
|---|---|---|
| Key hash (SHA-256) | a3f2c1d8... | Unique identifier for the key |
| Key hint | ...a1b2 | Last 4 characters — helps you identify which key it is |
| Provider | openai | Determined from the gateway subdomain |
| Label | production | Optional — you can label keys in the dashboard |
| First seen | 2026-04-11T10:00:00Z | When SpendLil first saw this key |
| Last seen | 2026-04-11T14:30:00Z | Most recent request with this key |
| Request count | 1,247 | Lifetime requests through SpendLil |
| Total spend | £42.30 | Lifetime estimated cost |
SpendLil never writes your full API key to any database, log, or file. The SHA-256 hash is a one-way function — the key cannot be recovered from the hash.
Why Auto-Discovery
Traditional API management tools require you to register keys, create agents, and configure each one before you can start tracking. This creates friction and means shadow AI — keys your team uses that aren't registered — goes untracked.
With auto-discovery, every key that flows through SpendLil is tracked from the first request. If someone on your team starts using a new API key, it appears in your dashboard immediately. No setup, no gaps, no shadow AI.
Dashboard View
The Keys page in your dashboard shows all discovered keys with their hint, provider, activity, and spend. You can optionally label them (e.g. 'production', 'dev', 'chatbot') for your own reference, but no configuration is required.
New Key Alerts
You can configure an alert rule to notify you whenever a new API key is detected. This is useful for monitoring who on your team is provisioning new keys and ensuring all AI usage is visible.