> ## Documentation Index
> Fetch the complete documentation index at: https://docs.yelu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate Yelu AI API requests with Bearer tokens and manage keys securely across environments.

Yelu authenticates OpenAI-compatible API requests with an API key in the HTTP `Authorization` header.

## Bearer authentication

Include the key on every request:

```http theme={"theme":{"light":"github-light","dark":"github-dark"}}
Authorization: Bearer $YELU_API_KEY
```

<CodeGroup>
  ```bash Curl theme={"theme":{"light":"github-light","dark":"github-dark"}}
  curl https://api.yelu.ai/v1/models \
    -H "Authorization: Bearer $YELU_API_KEY"
  ```

  ```javascript JavaScript theme={"theme":{"light":"github-light","dark":"github-dark"}}
  const response = await fetch('https://api.yelu.ai/v1/models', {
    headers: { Authorization: `Bearer ${process.env.YELU_API_KEY}` },
  });

  if (!response.ok) throw new Error(`Authentication failed: ${response.status}`);
  console.log(await response.json());
  ```

  ```python Python theme={"theme":{"light":"github-light","dark":"github-dark"}}
  import os
  import requests

  response = requests.get(
      "https://api.yelu.ai/v1/models",
      headers={"Authorization": f"Bearer {os.environ['YELU_API_KEY']}"},
      timeout=30,
  )
  response.raise_for_status()
  print(response.json())
  ```
</CodeGroup>

## Key lifecycle

<Steps>
  <Step title="Create separate keys">
    Use a distinct key for each application and environment. Separation makes rotation, attribution, limits, and incident response safer.
  </Step>

  <Step title="Store keys as secrets">
    Keep keys in a secret manager or protected environment variable. Restrict who and which workloads can read them.
  </Step>

  <Step title="Rotate regularly">
    Create a replacement, deploy it, verify traffic, then revoke the old key. Do not wait for a suspected leak.
  </Step>

  <Step title="Revoke on exposure">
    If a key appears in a repository, log, screenshot, or browser bundle, revoke it immediately. Removing the visible copy is not sufficient.
  </Step>
</Steps>

## Server-side only

<Warning>
  Never call Yelu directly from untrusted browser or mobile code with a long-lived API key. Put authentication and authorization in your own backend, then have that backend call Yelu.
</Warning>

For a browser-facing product, your server should:

* authenticate the end user;
* authorize the requested feature and model;
* enforce per-user budgets and abuse controls;
* keep the Yelu key server-side;
* validate input and limit output size;
* avoid logging prompts or generated content unless required and disclosed.

## Authentication failures

| Status | Meaning                                                              | Action                                                          |
| ------ | -------------------------------------------------------------------- | --------------------------------------------------------------- |
| `401`  | The key is missing, malformed, unknown, expired, or disabled.        | Check the header and rotate the key if necessary.               |
| `403`  | The account, key, IP, group, or requested resource is not permitted. | Check key restrictions and model access in the dashboard.       |
| `429`  | The authenticated account or group has reached a request limit.      | Back off and retry according to [Rate limits](/en/rate-limits). |

Errors use an OpenAI-compatible `error` object. See [Errors](/en/errors) for parsing and retry guidance.

## OpenAI SDK environment

You can use SDK-native environment variables or pass values explicitly. Explicit configuration is clearest when an application uses multiple AI gateways.

<CodeGroup>
  ```bash Curl theme={"theme":{"light":"github-light","dark":"github-dark"}}
  export YELU_API_KEY="your_api_key"
  curl https://api.yelu.ai/v1/models -H "Authorization: Bearer $YELU_API_KEY"
  ```

  ```javascript JavaScript theme={"theme":{"light":"github-light","dark":"github-dark"}}
  import OpenAI from 'openai';

  const client = new OpenAI({
    apiKey: process.env.YELU_API_KEY,
    baseURL: 'https://api.yelu.ai/v1',
  });
  ```

  ```python Python theme={"theme":{"light":"github-light","dark":"github-dark"}}
  import os
  from openai import OpenAI

  client = OpenAI(
      api_key=os.environ["YELU_API_KEY"],
      base_url="https://api.yelu.ai/v1",
  )
  ```
</CodeGroup>
