A single Wafer Serverless account can carry many API keys. Use one key per environment (dev / staging / prod), one per CI runner, or one per teammate, then revoke individual keys without rotating the others.
All keys on an account share the same credit balance and quota window. Usage from every key counts against the same meter — there is no per-key spending limit.
Where to Manage Keys
Mint, list, name, and revoke keys from the dashboard at app.wafer.ai. The UI surfaces every key on your account with its label, prefix, creation date, and last-used time, and gives you a one-click revoke. The underlying control-plane endpoints live on api.wafer.ai and run behind your signed-in dashboard session — not behind a wfr_… inference key — so this is not a public REST API you call from CI today.
If you need to script key rotation, ask us at emilio@wafer.ai — we are tracking interest in machine-auth for the control plane.
Every key starts with wfr_ followed by a long opaque secret. Wafer Pass keys and Serverless keys share the prefix — the account tier is derived server-side from the key, not its first character. The dashboard always shows the first 12 characters plus … (the key_prefix); the full secret is shown exactly once, on the screen where you mint the key.
The full secret is irrecoverable once you leave the mint screen. Copy it
into your secret store immediately. If you lose it, revoke and mint a new
key.
Limits
The default cap is 25 active keys per account. Hitting the limit returns a clear error message in the dashboard; revoke an unused key and try again. If you need more, reach out at emilio@wafer.ai.
Revoking
Revoking a key takes effect immediately. Inference requests bearing the revoked secret start failing with invalid_api_key (see the Error Reference) on the next request.
Revocation does not refund credits, prorate the current quota window, or affect any other key on the account.
Migration from Single-Key Accounts
Accounts created before multi-key support had exactly one key. After the rollout:
- The original key was automatically migrated and shows up in the dashboard with the label
"Wafer Serverless". The secret itself didn’t change — anything in production that already had the old key still works.
- The legacy rotate flow is no longer supported once the account has more than one active key. The replacement is mint-new-then-revoke-old, which is safer anyway: the new key is verified live before the old one stops working.
Billing
Every key on the account bills against the same credit balance and the same quota window. Inference requests, file uploads, and metric API calls from any key all count toward the same totals shown on app.wafer.ai/usage.
If you need hard per-key spending caps (for cost-control on a noisy CI runner, for example), run separate accounts. Per-key budgets are not on the roadmap. 
