Authentication
ModelRelay uses API keys to authenticate requests. There are three types of keys, each designed for different use cases.
Key Types
Secret Keys (mr_sk_*)
Secret keys are for backend/server use only. They have full access to your project.
# Example secret key
mr_sk_live_abc123...
Use for:
- Server-side API calls
- Creating customer tokens
- Managing customers and tiers
Never expose in:
- Client-side code
- Mobile apps
- Public repositories
Publishable Keys (mr_pk_*)
Publishable keys are safe for client-side use. They have limited permissions.
# Example publishable key
mr_pk_live_xyz789...
Use for:
- Checkout session initialization
- Public subscription status checks
Cannot:
- Make AI model requests
- Access customer data
- Create tokens
Customer Bearer Tokens
Short-lived tokens for end-users to make requests within their tier limits.
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Use for:
- End-user requests from your frontend
- Mobile app AI features
Creating Customer Tokens
Use a secret key to mint tokens for your customers:
// Run this on your server: minting tokens requires a secret key
const token = await mr.auth.createToken({
  customerId: 'cust_123',
  expiresIn: '1h',
});
// Send token.accessToken to your frontend
Security Best Practices
- Rotate keys regularly - Revoke old keys after rotation
- Use environment variables - Never hardcode keys
- Scope permissions - Use the least privileged key type
- Monitor usage - Watch for unusual patterns in the dashboard
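The "Never expose in" list and the "Never hardcode keys" practice can be enforced with a check that runs before code is committed or shipped. The following is an added example, not ModelRelay code; the key-body character set, the client path prefixes, the `MODELRELAY_SECRET_KEY` variable name and the sample keys are all assumptions constructed for illustration.

```javascript
// Added example, not ModelRelay code. Assumption: the key body after the
// mr_sk_ / mr_pk_ prefix consists of letters, digits and underscores.
const KEY_PATTERN = /\bmr_(sk|pk)_[A-Za-z0-9_]+/g;

// Hypothetical path prefixes for code that ships to end users.
const CLIENT_PATHS = ['public/', 'src/client/', 'mobile/'];

// Keep only the type prefix so a report never re-leaks the key itself.
function redact(key) {
  return key.slice(0, 6) + '*'.repeat(key.length - 6);
}

// Scan one file's text. Publishable keys are allowed anywhere; a literal
// secret key is always a finding, and a critical one in client-side paths.
function scanFile(path, text) {
  const isClient = CLIENT_PATHS.some((prefix) => path.startsWith(prefix));
  const findings = [];
  text.split('\n').forEach((line, index) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      if (match[1] !== 'sk') continue;
      findings.push({
        path,
        line: index + 1,
        severity: isClient ? 'critical' : 'high',
        key: redact(match[0]),
      });
    }
  });
  return findings;
}

// Scan a { path: contents } map and return all findings in file order.
function scanTree(files) {
  return Object.entries(files).flatMap(([path, text]) => scanFile(path, text));
}

// Constructed sample tree; key values and the env var name are made up.
const SAMPLE_FILES = {
  'src/client/checkout.js': "const mr = init('mr_pk_live_EXAMPLE0000');\n",
  'src/client/chat.js': "// TODO remove\nconst key = 'mr_sk_live_EXAMPLE1111';\n",
  'src/server/tokens.js': "const key = process.env.MODELRELAY_SECRET_KEY;\n",
  'src/server/admin.js': "const key = 'mr_sk_live_EXAMPLE2222';\n",
};

const report = scanTree(SAMPLE_FILES);
console.log(report);
```

A non-empty result should fail the commit or build, and any key it finds should be treated as exposed and rotated.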