Skip to main content

Authentication

Every request to HPP Router must be authenticated. The gateway uses the API key to identify the consumer, enforce per-consumer rate limits, and check the prepaid quota before forwarding the request to a provider.

Getting an API key

API keys are issued through HPP Hub, the HPP developer portal. Treat the key like a password: keep it server-side and never commit it to source control.

Supported schemes

HPP Router accepts two authentication schemes. Use whichever fits your client.

curl https://router.hpp.io/llm/v1/models \
-H "apikey: $HPPROUTER_API_KEY"

2. Bearer token

curl https://router.hpp.io/llm/v1/models \
-H "Authorization: Bearer $HPPROUTER_API_KEY"

The Bearer scheme is what most OpenAI-compatible SDKs send by default, which is why the OpenAI SDK works as a drop-in: set the SDK's apiKey to your HPP Router key and it sends Authorization: Bearer ....

Which endpoints require auth

All consumer endpoints are authenticated:

EndpointPurpose
POST /llm/v1/chat/completionsChat completions
GET /llm/v1/modelsList models
POST /v1/images/generationsImage generation
GET /api/usageUsage summary
GET /api/quota-checkQuota check

Errors

A missing or invalid key returns 401. See Errors for the full list of status codes and the error envelope shape.

{ "error": "unauthorized", "message": "Invalid API key" }

Security tips

  • Store the key in an environment variable or secret manager, never in client-side code.
  • Rotate keys through HPP Hub if a key may have been exposed.
  • Prefer calling HPP Router from your backend so the key is never shipped to browsers or mobile apps.