Authentication
Every request to HPP Router must be authenticated. The gateway uses the API key to identify the consumer, enforce per-consumer rate limits, and check the prepaid quota before forwarding the request to a provider.
Getting an API key
API keys are issued through HPP Hub, the HPP developer portal. Treat the key like a password: keep it server-side and never commit it to source control.
Supported schemes
HPP Router accepts two authentication schemes. Use whichever fits your client.
1. apikey header (recommended)
- cURL
curl https://router.hpp.io/llm/v1/models \
-H "apikey: $HPPROUTER_API_KEY"
2. Bearer token
- cURL
curl https://router.hpp.io/llm/v1/models \
-H "Authorization: Bearer $HPPROUTER_API_KEY"
The Bearer scheme is what most OpenAI-compatible SDKs send by default, which is why the OpenAI SDK works as a drop-in: set the SDK's apiKey to your HPP Router key and it sends Authorization: Bearer ....
Which endpoints require auth
All consumer endpoints are authenticated:
| Endpoint | Purpose |
|---|---|
| POST /llm/v1/chat/completions | Chat completions |
| GET /llm/v1/models | List models |
| POST /v1/images/generations | Image generation |
| GET /api/usage | Usage summary |
| GET /api/quota-check | Quota check |
Errors
A missing or invalid key returns 401. See Errors for the full list of status codes and the error envelope shape.
{ "error": "unauthorized", "message": "Invalid API key" }
Security tips
- Store the key in an environment variable or secret manager, never in client-side code.
- Rotate keys through HPP Hub if a key may have been exposed.
- Prefer calling HPP Router from your backend so the key is never shipped to browsers or mobile apps.
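The following backend-side sketch is an added example, not code from HPP Router or its SDKs. It reads the key from the environment, sends it with either scheme above, and turns the 401 envelope into an exception that never contains the key. The function names and the `AuthError` class are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://router.hpp.io"  # host taken from the page's cURL examples

class AuthError(Exception):
    """Hypothetical exception for a 401 from the gateway."""

def load_key(env=os.environ):
    # Fail before any request is built if the secret is missing.
    key = env.get("HPPROUTER_API_KEY", "").strip()
    if not key:
        raise RuntimeError("HPPROUTER_API_KEY is not set")
    return key

def build_request(path, key, scheme="apikey"):
    # The two schemes the page documents. urllib stores the header name as
    # "Apikey"; HTTP header names are case-insensitive.
    if scheme == "apikey":
        headers = {"apikey": key}
    elif scheme == "bearer":
        headers = {"Authorization": f"Bearer {key}"}
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return urllib.request.Request(BASE_URL + path, headers=headers, method="GET")

def interpret_response(status, body):
    # 401 carries {"error": ..., "message": ...}; surface both fields and
    # nothing from the request, so the key cannot leak into logs.
    if status == 401:
        try:
            envelope = json.loads(body)
        except ValueError:
            envelope = {}
        raise AuthError(f"{envelope.get('error', 'unauthorized')}: "
                        f"{envelope.get('message', '')}")
    if status >= 400:
        raise RuntimeError(f"HTTP {status}")
    return json.loads(body)

def list_models(key, scheme="apikey", timeout=10):
    req = build_request("/llm/v1/models", key, scheme)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read())

if __name__ == "__main__":
    print(list_models(load_key()))
```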