The Truefoundry gateway lets you configure access control to models for developers, teams, or applications. This is configured at the provider account level in our UI.
There are two permission levels when granting access to provider accounts:
  1. Provider Account Manager
    • Can modify provider account settings
    • Can add or remove models
    • Can manage access permissions for others
  2. Provider Account User
    • Can use all models within the provider account
    • Cannot change provider account settings
    • Cannot modify access permissions
When you assign these permissions to teams or individual users, everyone in that team (or the specific user) will receive the corresponding level of access.

Access the Models using Truefoundry API Keys

To access the models added to the Truefoundry gateway, you don't need the keys of the original provider account, such as an OpenAI key or Gemini keys. Instead, you can access them by providing Truefoundry-generated keys as follows:
from openai import OpenAI

client = OpenAI(
  api_key="<Enter Your Truefoundry API Key here>", 
  base_url="https://<truefoundry-gateway-url>/api/llm/api/inference/openai"
)

stream = client.chat.completions.create(
    messages=[
        {"role": "system", "content": "You are an AI bot."},
        {"role": "user", "content": "Enter your prompt here"},
    ],
    model="tfy-ai-bedrock/us-anthropic-claude-sonnet-4-20250514-v1-0",
    stream=True,
    extra_headers={
        "X-TFY-METADATA": '{"tfy_log_request":"true"}'
    }
)
for chunk in stream:
    if (
        chunk.choices
        and len(chunk.choices) > 0
        and chunk.choices[0].delta.content is not None
    ):
        print(chunk.choices[0].delta.content, end="")

You can generate two types of keys in Truefoundry:
  1. Personal Access Tokens (PATs): A PAT is tied to a user and has access to everything that the user has access to. PATs are well suited to individual developers for testing, and they help us keep track of usage per developer.
  2. Virtual Access Tokens (VATs): Virtual accounts are not tied to a user. Instead, they are virtual, and we can define the entities to which a virtual account has access. We can then generate a key for the virtual account and use it in our application. This also helps us keep track of usage per application.
Virtual accounts are a good choice for applications. We don't want to use PATs for applications, since a PAT is tied to a user and becomes invalid if the user leaves the company. It's recommended to create separate virtual accounts for different applications or services. Virtual accounts can only be created and revoked by an admin in the platform.
You can check the guide below on how to create Virtual Access Tokens:

Rotation of Access Tokens

Personal Access Tokens can be revoked by the user and a new one can be generated and used instead.
When a user is deactivated, all their PATs are revoked automatically.
By default, PATs never expire. However, you can set an expiry date for the token. Organization admins can also define the maximum validity period for PATs.
For Virtual Access Tokens, you can also define a validity period for the token. To rotate the token, you will need to create a new virtual account with the same set of permissions as the previous one, get the key for it, add it to your application, and then delete the old virtual account.
To clone a virtual account easily, you can copy its YAML, replace the name, and apply it using the tfy apply command.
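An application-side sketch of the rotation steps above, added here as an example and not Truefoundry's own code: the key is read from a file rather than hard-coded, so the new virtual account's key can be put in place before the old account is deleted. The names RotatingKey, AuthRejected and call_with_rotation are hypothetical, and it is an assumption that the gateway rejects a deleted account's key with an authentication error that your send() function maps to AuthRejected.

```python
import tempfile
from pathlib import Path


class AuthRejected(Exception):
    """Raised by the caller-supplied send() when the gateway rejects the key."""


class RotatingKey:
    """Reads the gateway key from a file (e.g. a mounted secret), cached in memory."""
    def __init__(self, path):
        self.path = Path(path)
        self._key = None

    def current(self, refresh=False):
        if refresh or self._key is None:
            self._key = self.path.read_text().strip()
        if not self._key:
            raise RuntimeError(f"empty key file: {self.path}")
        return self._key


def call_with_rotation(keys, send):
    """Call send(key); on an auth rejection re-read the key file and retry once."""
    old = keys.current()
    try:
        return send(old)
    except AuthRejected:
        new = keys.current(refresh=True)
        if new == old:
            raise  # no new key was deployed, so the rejection is genuine
        return send(new)


def demo():
    # Constructed scenario: the virtual account behind "old-vat-key" was deleted.
    valid = {"new-vat-key"}

    def send(key):
        # In a real app this would build OpenAI(api_key=key, base_url=...) and
        # translate the client's authentication error into AuthRejected (assumption).
        if key not in valid:
            raise AuthRejected(key)
        return f"ok:{key}"

    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "tfy_api_key"
        path.write_text("old-vat-key\n")
        keys = RotatingKey(path)
        keys.current()                    # app started and cached the old key
        path.write_text("new-vat-key\n")  # operator deploys the new account's key
        return call_with_rotation(keys, send)
```

Calling demo() walks through one rotation: the cached old key is rejected, the file is re-read, and the request succeeds with the new key.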