Clevermation
Documentation
Get startedAuthentication

Authentication

The `Authorization: Bearer` header, key-leak hygiene, and why keys never belong in the browser.

Every request to https://api.cleverouter.eu/v1/* carries an API key in the Authorization: Bearer … header. The same scheme the OpenAI API uses.

The header

Authorization: Bearer cr_live_XXXXXXXXXXXX
import { createCleverRouter } from '@cleverrouter/sdk';

const cr = createCleverRouter({
  apiKey: process.env.CLEVERROUTER_API_KEY!,
});
import OpenAI from 'openai';

const client = new OpenAI({
  apiKey: process.env.CLEVERROUTER_API_KEY!,
  baseURL: 'https://api.cleverouter.eu/v1',
});
curl https://api.cleverouter.eu/v1/chat/completions \
  -H "Authorization: Bearer $CLEVERROUTER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "model": "mistral/mistral-small-3.2", "messages": [{"role":"user","content":"hi"}] }'

Never use keys in the browser

cr_live_* keys are server-only

Anyone who reads a cr_live_* key from a JS bundle, a network tab or a leaked .env.public file can spend your credit. Keys belong on the server — Node.js, Bun, an Edge function, a serverless worker.

The two correct patterns for client-side AI features:

  1. Backend proxy. Run your own /api/chat endpoint that holds the key and forwards the request to CleverRouter. The browser only ever sees your own origin.
  2. Short-lived session tokens (recommended for useChat()). Issue a per-user token from your backend that expires automatically. The @cleverrouter/sdk/react hooks accept this token at runtime — see React hooks for the pattern.

Response headers worth reading

Every successful response carries observability metadata:

X-Request-Id: 0193adc8-9f6a-7a0d-…
X-CleverRouter-Provider: scaleway
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 47
X-RateLimit-Reset: 31
X-RateLimit-Enforced: true
  • X-Request-Id — include in bug reports so we can correlate logs.
  • X-CleverRouter-Provider — which EU provider served this request.
  • X-RateLimit-* — see Rate limits.
  • X-RateLimit-Enforced: false — Redis was unreachable, we failed open. Time to back off voluntarily.

What happens on auth failure

HTTPerror.codeSDK classMeaning
401unauthorizedCRAuthErrorMissing, malformed, revoked or unknown key
402budget_exceededCRBudgetExceededErrorPer-key budget reached
429rate_limit_exceededCRRateLimitErrorSliding-window limit hit

The full taxonomy lives in Errors.

Closed-beta sign-up

Sign-up is currently invite-only. Existing org owners and admins can invite new members through Settings → Team in the dashboard. The invite carries an HMAC-signed token that bypasses the closed-beta gate for that one sign-up flow.

If you want an invite, email hello@clevermation.com with one sentence about what you're building.