OAuth PKCE
Users can connect to OpenRouter in one click using Proof Key for Code Exchange (PKCE). Here's an example, and here's a step-by-step:
-
Send your user to
https://openrouter.ai/auth?callback_url=YOUR_SITE_URL
- You can optionally include a
code_challenge
(random password up to 256 digits) for extra security. - For maximum security, we recommend also setting
code_challenge_method
toS256
, and then settingcode_challenge
to the base64 encoding of the sha256 hash ofcode_verifier
, which you will submit in Step 2. More info in Auth0's docs.
- You can optionally include a
-
Once logged in, they'll be redirected back to your site with a
code
in the URL. Make an API call (can be frontend or backend) to exchange the code for a user-controlled API key. And that's it for PKCE!- Look for the
code
query parameter, e.g.?code=...
.
- Look for the
fetch('https://openrouter.ai/api/v1/auth/keys', { method: 'POST', body: JSON.stringify({ code: $CODE_FROM_QUERY_PARAM, code_verifier: $CODE_VERIFIER, // Only needed if you sent a code_challenge in Step 1 }), });
- A fresh API key will be in the result under "key". Store it securely and make OpenAI-style requests (supports streaming as well):
fetch("https://openrouter.ai/api/v1/chat/completions", {
method: "POST",
headers: {
"Authorization": `Bearer ${OPENROUTER_API_KEY}`,
"HTTP-Referer": `${YOUR_SITE_URL}`, // Optional, for including your app on openrouter.ai rankings.
"X-Title": `${YOUR_SITE_NAME}`, // Optional. Shows in rankings on openrouter.ai.
"Content-Type": "application/json"
},
body: JSON.stringify({
"model": "openai/gpt-4o",
"messages": [
{"role": "system", "content": "You are a helpful assistant."},
{"role": "user", "content": "Hello!"},
],
})
});
You can use JavaScript or any server-side framework, like Streamlit. The linked example shows multiple models and file Q&A.