AI Gateway API key and curl inference
NeuroFace chat, Lightspeed, and scaffolded apps reach LLMs through the AI Gateway (Kuadrant, legacy) on the hub — not the external MaaS endpoint directly. Obtain a Kuadrant API key and test inference with curl. For the recommended Native MaaS path, see Module 09.
AI Gateway configuration
# charts/all/developer-hub/files/software-templates/ai-computer-vision.yaml (excerpt)
maasEndpoint:
default: https://ai-gateway.apps.__HUB_CLUSTER_DOMAIN__/v1
Platform services (Lightspeed, NeuroFace scaffold) use an auto-generated platform API key from Vault (ai-gateway-platform-keys). Workshop users request their own key through Developer Hub.
Obtain your API key
-
Open
https://developer-hub.apps.cluster.example.com/ -
Log in with
guest (register first)/Welcome123! -
Catalog → System workshop-kuadrant-apis → API MaaS LLM (ai-gateway)
-
Kuadrant tab → Request API key → copy the key
|
Do not share your API key. Treat it like a password — anyone with the key can consume your rate-limit quota on the shared gateway. |
The gateway hostname is https://ai-gateway.apps.cluster.example.com/v1/chat/completions.
|
Test chat completion with curl
export API_KEY="<your-kuadrant-api-key>"
curl -sk -H "Authorization: APIKEY ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"model":"llama-scout-17b","messages":[{"role":"user","content":"Explain PPE detection in one sentence"}]}' \
"https://ai-gateway.apps.cluster.example.com/v1/chat/completions" | head -c 500
echo
{
"id": "chatcmpl-xxx",
"object": "chat.completion",
"choices": [{
"message": {
"role": "assistant",
"content": "PPE detection uses computer vision..."
}
}]
}
List available models
curl -sk -H "Authorization: APIKEY ${API_KEY}" \
"https://ai-gateway.apps.cluster.example.com/v1/models" | python3 -m json.tool 2>/dev/null | head -20
Alternative: OIDC instead of an API key
The ai-maas HTTPRoute accepts either credential — pick whichever is convenient. This is dual auth on a single route (hostname ai-gateway.apps.cluster.example.com):
Token requests use https://sso.apps.cluster.example.com/realms/maas as the OIDC issuer URL in policies. Use https://keycloak.apps.cluster.example.com/ for admin consoles — see Module 01 — Terminology.
|
hub-login guest (register first)
export CLIENT_ID="client-maas-guest (register first)"
export CLIENT_SECRET=$(oc get secret keycloak-client-maas-guest (register first) -n keycloak-system \
-o jsonpath='{.data.clientSecret}' 2>/dev/null | base64 -d)
TOKEN=$(curl -sk -X POST "https://sso.apps.cluster.example.com/realms/maas/protocol/openid-connect/token" \
-d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" \
| python3 -c "import sys,json; print(json.load(sys.stdin).get('access_token',''))")
curl -sk -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" \
-d '{"model":"llama-scout-17b","messages":[{"role":"user","content":"Hello"}]}' \
"https://ai-gateway.apps.cluster.example.com/v1/chat/completions" | head -c 300
echo
In Developer Hub’s Swagger UI (Catalog → MaaS OpenAPI → Definition tab), the Authorize dialog offers both ApiKeyAuth and OAuth2ClientCredentials — either one works on the same endpoint. API-key calls land on the free/gold rate-limit tier; OIDC calls land on a separate oidc tier.
Contrast: direct MaaS (optional)
The hub OpenShift AI dashboard may still show the upstream MaaS endpoint for reference:
https://maas-rhdp.apps.maas.redhatworkshops.io/v1
Workshop apps in this pattern are wired to AI Gateway so Kuadrant can enforce APIKEY auth and rate limits. Do not embed upstream MaaS keys in scaffolded repos.
Test NeuroFace gateway
curl -sk -o /dev/null -w "NeuroFace gateway: HTTP %{http_code}\n" \
"https://neuroface.apps.cluster.example.com/user/guest (register first)/"
NeuroFace gateway: HTTP 200
What you learned
-
All MaaS traffic from workshop apps flows through AI Gateway on the hub
-
User API keys are issued via Developer Hub Kuadrant integration
-
Platform keys (
ai-gateway-platform-keys) are auto-generated in Vault at install time -
The
ai-maasroute accepts an API key or a realm-maasOIDC token on the same endpoint (dual auth)
Next
Continue with Module 09 — Native Models as a Service in OpenShift AI.