Every request the Groq provider sends to the Groq API must be authenticated with an API key. The key is transmitted as an HTTPDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/phpaisdk/groq/llms.txt
Use this file to discover all available pages before exploring further.
Authorization: Bearer header on each request — there is nothing extra to sign or refresh. This page covers how to obtain a key, how to supply it to the SDK, and how to handle it safely in production.
Obtaining an API Key
API keys are issued through the Groq developer console at console.groq.com. Every key begins with the prefixgsk-, making them easy to spot in logs, .env files, and code reviews.
Sign in to the Groq console
Navigate to console.groq.com and sign in or create a free account.
Create a new API key
Open API Keys in the left sidebar and click Create API Key. Give the key a descriptive name (e.g.
my-app-production) so you can identify and rotate it later.Copy the key immediately
The full key value is shown only once. Copy it to your password manager or secrets store before closing the modal.
Supplying the Key to the SDK
The provider accepts the API key through two channels. Both are equivalent — choose whichever fits your deployment model.Groq::create() without an apiKey key, GroqOptions::fromArray() reads the GROQ_API_KEY environment variable automatically. If neither source provides a value, the provider throws an exception at construction time — before any HTTP request is made — so misconfiguration surfaces immediately.
How the Key Is Sent
Internally,GroqOptions::authHeaders() builds the request headers on every call:
GroqOptions::authHeaders() — from source
headers array are merged in after the Authorization header. Because PHP’s array_merge lets later keys overwrite earlier ones, avoid including an Authorization key in your headers array — it would silently replace the auth header set by the SDK.
Merging Custom Headers Alongside Auth
Use theheaders option when your infrastructure requires extra headers such as tracing IDs or organisation identifiers. They travel alongside the Authorization header on every request.
Custom headers example
Authorization: Bearer gsk-... and your custom headers.
Best Practices
Key hygiene recommendations:- Use environment variables — load credentials with a library like vlucas/phpdotenv in development and use native environment injection (Docker secrets, AWS SSM Parameter Store, Kubernetes secrets) in production.
- Prefer secrets managers in production — retrieve the key at runtime from a dedicated secrets store rather than baking it into container images or CI/CD environment files.
- Scope keys by environment — use separate keys for development, staging, and production so a breach in one environment does not affect others.
- Rotate keys regularly — treat API keys like passwords: rotate them on a schedule and immediately after any suspected exposure.
- Monitor usage — the Groq console shows per-key usage metrics. Unexpectedly high usage can indicate a leaked key.
Validating Your Setup
Once your key is in place, run the snippet below to confirm the provider authenticates successfully. A valid response — even a short one — confirms the key is accepted.Verify authentication
401 Unauthorized response and the SDK throws an exception with the API’s error message, making the problem straightforward to diagnose.