Authentication

TigerGateway uses two kinds of credentials — and your app only ever touches one.

Gateway API keys

Your application authenticates with a single gateway key in the format tg_live_…. Pass it as a Bearer token:

http
Authorization: Bearer tg_live_xxxxxxxxxxxxxxxx

Keys are stored only as a SHA-256 hash — the raw value is shown once at creation. Revoke a key any time from the dashboard.

Provider keys (BYOK)

You connect your own provider keys (OpenAI, Anthropic, etc.) in the dashboard. They are encrypted with AES-256-GCM before being written to the database and are decrypted only server-side, inside the gateway request path — they are never exposed to the client or returned by any API.
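The two storage rules described above (gateway keys kept only as a SHA-256 hash, provider keys sealed with AES-256-GCM), as an added example that is not TigerGateway's own code. The function names, the in-memory Map standing in for the database, the key-encryption key `kek` and the use of the user id as associated data are all assumptions.

```javascript
// Added example, not TigerGateway code. All names here are hypothetical.
// `store` is a Map standing in for the database table of gateway keys.
const crypto = require("node:crypto");

const sha256Hex = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Issue a gateway key: the raw value is returned once, only its hash is stored.
function issueGatewayKey(store) {
  const raw = "tg_live_" + crypto.randomBytes(24).toString("base64url");
  store.set(sha256Hex(raw), { revoked: false });
  return raw;
}

// Resolve an Authorization header to a live key record, or null.
function authenticate(store, header) {
  const m = /^Bearer (tg_live_[A-Za-z0-9_-]+)$/.exec(header || "");
  if (!m) return null;
  const rec = store.get(sha256Hex(m[1])); // lookup by hash, never by raw key
  return rec && !rec.revoked ? rec : null;
}

// Seal a provider key with AES-256-GCM: fresh 96-bit nonce per record.
// Assumption: the user id is bound as associated data, so a ciphertext
// copied into another user's row fails authentication on decrypt.
function sealProviderKey(kek, userId, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", kek, iv);
  c.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}

// Open a sealed record (layout: 12-byte nonce | 16-byte tag | ciphertext).
// Throws if the ciphertext, tag or user id does not match.
function openProviderKey(kek, userId, sealed) {
  const buf = Buffer.from(sealed, "base64");
  const d = crypto.createDecipheriv("aes-256-gcm", kek, buf.subarray(0, 12));
  d.setAAD(Buffer.from(userId, "utf8"));
  d.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([d.update(buf.subarray(28)), d.final()]).toString("utf8");
}
```

Because only the hash is stored, a lost gateway key cannot be recovered and has to be revoked and reissued; the provider key, by contrast, must be reversible, which is why it is encrypted rather than hashed.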

Security model

  • Row Level Security isolates every user's keys, requests and logs.
  • Provider credentials are encrypted at rest; gateway keys are hashed.
  • Per-key rate limiting protects against abuse.
  • Every sensitive action is written to an audit log.