Identity & Security
Virtual AI Key
A governed stand-in for a raw provider API key: a key you issue per team, person, project, or agent that carries its own budget, its own limits, and full attribution — while the real provider key stays hidden. The concept mirrors the virtual credit card, where each card has its own limit and owner. (In Tokenality these are issued as tk_live_… keys.)
Example
Instead of five teams sharing one raw provider key, each gets a distinct Virtual AI Key with a $500 monthly cap. When one team's key leaks or overspends, you freeze that one key — the other four keep working, and you know exactly whose dollar it was.
This is a Tokenality concept. See how it works in the product overview or the live playground.
Related terms
Binding key
A second factor attached to a virtual key so the key string alone isn't enough to spend. A token that leaks without its binding key is a dead key — exfiltrating the string buys an attacker nothing.
Budget cap (hard cap)
A spending limit enforced before a call is sent, not an alert fired after. When the cap is reached, the next call is refused — no spend occurs. A hard cap is a circuit breaker; an alert is a smoke detector that may or may not wake anyone.
BYOK (Bring Your Own Key)
An arrangement where you keep your own provider account and credentials, and the governing layer uses your keys on your behalf rather than reselling access. Your provider relationship, spend, and data path stay yours.
Spend control plane
The layer that governs AI spend across an organization: it issues virtual keys, enforces budgets before calls, attributes every dollar, and produces the audit record. "Observability" tells you what you spent; a control plane decides whether you spend it — the enforcement happens before the call, not after. (This is Tokenality's category.)