Skip to main content
Yelu authenticates OpenAI-compatible API requests with an API key in the HTTP Authorization header.

Bearer authentication

Include the key on every request:

Key lifecycle

1

Create separate keys

Use a distinct key for each application and environment. Separation makes rotation, attribution, limits, and incident response safer.
2

Store keys as secrets

Keep keys in a secret manager or protected environment variable. Restrict who and which workloads can read them.
3

Rotate regularly

Create a replacement, deploy it, verify traffic, then revoke the old key. Do not wait for a suspected leak.
4

Revoke on exposure

If a key appears in a repository, log, screenshot, or browser bundle, revoke it immediately. Removing the visible copy is not sufficient.

Server-side only

Never call Yelu directly from untrusted browser or mobile code with a long-lived API key. Put authentication and authorization in your own backend, then have that backend call Yelu.
For a browser-facing product, your server should:
  • authenticate the end user;
  • authorize the requested feature and model;
  • enforce per-user budgets and abuse controls;
  • keep the Yelu key server-side;
  • validate input and limit output size;
  • avoid logging prompts or generated content unless required and disclosed.

Authentication failures

Errors use an OpenAI-compatible error object. See Errors for parsing and retry guidance.

OpenAI SDK environment

You can use SDK-native environment variables or pass values explicitly. Explicit configuration is clearest when an application uses multiple AI gateways.
Last modified on July 13, 2026