
Authentication

The gateway uses two authentication methods depending on the endpoint:

API Key Authentication

Used for inference (/v1/chat/completions) and usage queries (/v1/usage).

Authorization: Bearer sk-<64 hex chars>

The middleware extracts the Bearer token, SHA-256 hashes it, and queries the api_keys table. If the key is valid and not revoked, the request proceeds with the wallet context attached.
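
A minimal Node.js sketch of the check described above, added here as an example and not the gateway's own code. The in-memory map standing in for the api_keys table, its field names, the sample keys and the `authenticateApiKey` name are assumptions.

```javascript
const { createHash } = require('node:crypto');

// Key format from the page: "sk-" followed by 64 hex characters.
const KEY_FORMAT = /^sk-[0-9a-fA-F]{64}$/;
const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample keys and wallets, for illustration only.
const ACTIVE_KEY = 'sk-' + 'a'.repeat(64);
const REVOKED_KEY = 'sk-' + 'b'.repeat(64);

// Stand-in for the api_keys table: only the hash is stored, never the key.
// Field names (wallet, revoked) are assumptions.
const apiKeys = new Map([
  [sha256Hex(ACTIVE_KEY), { wallet: '0x' + '11'.repeat(20), revoked: false }],
  [sha256Hex(REVOKED_KEY), { wallet: '0x' + '22'.repeat(20), revoked: true }],
]);

const deny = (reason) => ({ ok: false, status: 401, reason });

// Returns the wallet context on success. `reason` is for server-side logs;
// the client should get the same 401 for every failure.
function authenticateApiKey(authorizationHeader, table = apiKeys) {
  const m = typeof authorizationHeader === 'string'
    ? /^Bearer +(\S+)$/i.exec(authorizationHeader)
    : null;
  if (!m) return deny('bad_header');
  const token = m[1];
  // Reject malformed tokens before hashing or touching the table.
  if (!KEY_FORMAT.test(token)) return deny('malformed_key');
  const row = table.get(sha256Hex(token));
  if (!row) return deny('unknown_key');
  if (row.revoked) return deny('revoked');
  return { ok: true, wallet: row.wallet };
}
```

Because the table is keyed by the hash, a leaked copy of it does not reveal usable keys.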

Pipeline

SIWE Authentication

Used for API key management (/v1/auth/keys). Sign-In with Ethereum (SIWE) proves wallet ownership without sessions.

Building a SIWE Message

```ts
import { SiweMessage } from 'siwe'

// walletClient and walletAddress are assumed to come from the app's wallet connection.
const siweMsg = new SiweMessage({
  domain: window.location.host,
  address: walletAddress,         // checksummed EIP-55
  uri: window.location.origin,
  version: '1',
  chainId: 1,
  nonce: crypto.randomUUID().replace(/-/g, '').slice(0, 16),
  issuedAt: new Date().toISOString(),
  statement: 'Sign in to the AI Gateway',
})

// Sign the exact string produced by prepareMessage(), with the same address as above.
const message = siweMsg.prepareMessage()
const signature = await walletClient.signMessage({ account: walletAddress, message })
```

Verification Rules

  • SIWE signature must be valid
  • issuedAt must be within the last 5 minutes
  • Address is lowercased for storage

TIP

Generate a fresh issuedAt timestamp before each call. The server rejects SIWE messages older than 5 minutes.

x402 Payment Authentication

Used for top-up (/v1/topup). No wallet auth needed -- the payment signature itself proves the payer.

Released under the MIT License.