Authorization header.
Bearer authentication
Include the key on every request:Key lifecycle
1
Create separate keys
Use a distinct key for each application and environment. Separation makes rotation, attribution, limits, and incident response safer.
2
Store keys as secrets
Keep keys in a secret manager or protected environment variable. Restrict who and which workloads can read them.
3
Rotate regularly
Create a replacement, deploy it, verify traffic, then revoke the old key. Do not wait for a suspected leak.
4
Revoke on exposure
If a key appears in a repository, log, screenshot, or browser bundle, revoke it immediately. Removing the visible copy is not sufficient.
Server-side only
For a browser-facing product, your server should:- authenticate the end user;
- authorize the requested feature and model;
- enforce per-user budgets and abuse controls;
- keep the Yelu key server-side;
- validate input and limit output size;
- avoid logging prompts or generated content unless required and disclosed.
Authentication failures
Errors use an OpenAI-compatible
error object. See Errors for parsing and retry guidance.