API keys
Authenticate safely with server-side keys.
ModelSpend API keys identify the tenant, project and permissions used for routed AI requests. Treat them like production infrastructure secrets.
Recommended usage
Server-side only
Use keys from backend services, serverless functions, jobs, CLIs or private internal tools.
Environment variables
Store keys in environment variables or a secrets manager, not in source code or client bundles.
Rotate regularly
Create replacement keys before revoking old keys so production traffic can move safely.
Environment example
MODELSPEND_API_KEY=YOUR_MODELSPEND_API_KEY
OPENAI_BASE_URL=https://api.modelspend.best/proxy/v1
OPENAI_BASE_URL=https://api.modelspend.best/proxy/v1
Do not expose keys in browser code
Browser-based AI features should call your own backend first. Your backend can then call ModelSpend using a private API key and return only the safe result to the browser.
Operational checklist
Separate environments
Use different keys for development, staging and production.
Name keys clearly
Use names that identify the service, owner and environment.
Revoke unused keys
Remove old keys after migration, staff changes or service retirement.