Authentication

ModelRelay uses secret API keys and customer bearer tokens to authenticate requests.

Secret Keys (mr_sk_*)

Secret keys are for backend/server use only. They have full access to your project.

# Example secret key
mr_sk_live_abc123...

Use for:

  • Server-side API calls
  • Creating customer tokens
  • Managing customers and tiers

Never expose in:

  • Client-side code
  • Mobile apps
  • Public repositories

Customer Bearer Tokens

Customer bearer tokens are short-lived tokens that let customers make requests within their tier limits.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Use for:

  • Customer requests from your frontend
  • Mobile app AI features

See the full Customer Tokens guide for minting and usage details.

Creating Customer Tokens

Use a secret key to mint tokens for your customers:

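// Runs on your server; `mr` is assumed to be an SDK client configured with a secret key (mr_sk_*).
const token = await mr.auth.customerToken({
  customerExternalId: "user_42", // your own identifier for the customer
});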

// Send token.token to your frontend

Project scope is derived from the secret key. Do not include projectId/project_id in the request body—requests that include it are rejected.

Security Best Practices

  1. Rotate keys regularly - Revoke old keys after rotation
  2. Use environment variables - Never hardcode keys
  3. Use customer tokens for clients - Keep secret keys server-side
  4. Monitor usage - Watch for unusual patterns in the dashboard
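
One way to enforce practices 2 and 3 before code ships, as an added example that is not ModelRelay's own code: a scanner that flags `mr_sk_` literals in source or built frontend files, plus a server-side loader that reads the key from the environment. The key character set in the regex, the `MODELRELAY_SECRET_KEY` variable name and the sample files are assumptions made for illustration.

```javascript
// Added example, not ModelRelay code. Assumption: a secret key is the
// "mr_sk_" prefix followed by letters, digits or underscores.
const SECRET_KEY_RE = /\bmr_sk_[A-Za-z0-9_]{6,}/g;

// Show only enough of a match to locate it; never echo the whole key.
function redact(key) {
  return key.slice(0, 10) + "***";
}

// Return one finding per secret-key literal found in `text`.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(SECRET_KEY_RE)) {
      findings.push({ file, line: i + 1, match: redact(m[0]) });
    }
  });
  return findings;
}

// Scan a { path: contents } map, e.g. staged files or a built frontend bundle.
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanText(file, text));
}

// Server-side loader: the key comes from the environment, and startup fails
// loudly if it is missing or is not a secret key.
// MODELRELAY_SECRET_KEY is a hypothetical variable name.
function loadSecretKey(env) {
  const key = env.MODELRELAY_SECRET_KEY;
  if (!key || !key.startsWith("mr_sk_")) {
    throw new Error("MODELRELAY_SECRET_KEY is unset or is not an mr_sk_ key");
  }
  return key;
}

// Constructed sample input (the key below is fake).
const SAMPLE_FILES = {
  "web/src/chat.js": 'const KEY = "mr_sk_live_EXAMPLEONLY0000";\nfetch("/api/chat");',
  "server/mint.js": "const key = process.env.MODELRELAY_SECRET_KEY;",
  "README.md": "Keys look like mr_sk_*; customers get bearer tokens.",
};

const findings = scanFiles(SAMPLE_FILES);
for (const f of findings) console.log(`${f.file}:${f.line} ${f.match}`);
```

Run as a pre-commit or CI step, a non-empty findings list should fail the build; any key that was ever committed should be rotated and revoked rather than just deleted from the file.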