Authentication
The `Authorization: Bearer` header, key-leak hygiene, and why keys never belong in the browser.
Every request to https://api.cleverouter.eu/v1/* carries an API key in
the Authorization: Bearer … header. The same scheme the OpenAI API
uses.
The header
Authorization: Bearer cr_live_XXXXXXXXXXXXimport { createCleverRouter } from '@cleverrouter/sdk';
const cr = createCleverRouter({
apiKey: process.env.CLEVERROUTER_API_KEY!,
});import OpenAI from 'openai';
const client = new OpenAI({
apiKey: process.env.CLEVERROUTER_API_KEY!,
baseURL: 'https://api.cleverouter.eu/v1',
});curl https://api.cleverouter.eu/v1/chat/completions \
-H "Authorization: Bearer $CLEVERROUTER_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "model": "mistral/mistral-small-3.2", "messages": [{"role":"user","content":"hi"}] }'Never use keys in the browser
cr_live_* keys are server-only
Anyone who reads a cr_live_* key from a JS bundle, a network tab
or a leaked .env.public file can spend your credit. Keys belong on
the server — Node.js, Bun, an Edge function, a serverless worker.
The two correct patterns for client-side AI features:
- Backend proxy. Run your own
/api/chatendpoint that holds the key and forwards the request to CleverRouter. The browser only ever sees your own origin. - Short-lived session tokens (recommended for
useChat()). Issue a per-user token from your backend that expires automatically. The@cleverrouter/sdk/reacthooks accept this token at runtime — see React hooks for the pattern.
Response headers worth reading
Every successful response carries observability metadata:
X-Request-Id: 0193adc8-9f6a-7a0d-…
X-CleverRouter-Provider: scaleway
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 47
X-RateLimit-Reset: 31
X-RateLimit-Enforced: trueX-Request-Id— include in bug reports so we can correlate logs.X-CleverRouter-Provider— which EU provider served this request.X-RateLimit-*— see Rate limits.X-RateLimit-Enforced: false— Redis was unreachable, we failed open. Time to back off voluntarily.
What happens on auth failure
| HTTP | error.code | SDK class | Meaning |
|---|---|---|---|
| 401 | unauthorized | CRAuthError | Missing, malformed, revoked or unknown key |
| 402 | budget_exceeded | CRBudgetExceededError | Per-key budget reached |
| 429 | rate_limit_exceeded | CRRateLimitError | Sliding-window limit hit |
The full taxonomy lives in Errors.
Closed-beta sign-up
Sign-up is currently invite-only. Existing org owners and admins can invite new members through Settings → Team in the dashboard. The invite carries an HMAC-signed token that bypasses the closed-beta gate for that one sign-up flow.
If you want an invite, email hello@clevermation.com with one sentence about what you're building.
Related
- Get your API key — create, rotate, revoke, budget.
- Rate limits — RPM, sliding window, headers.
- Workspaces — invites, org roles.