Authentication
fremai is OAuth-first with a static-key fallback. The right method depends on your client.
| Client | Auth method | What you handle |
|---|---|---|
| opencode | OAuth only (auth plugin) | Nothing — the plugin mints and refreshes a short-lived key |
| OpenAI SDK / LangChain / curl | Static sk-fremai-… key | You manage the key |
| CI / machine-to-machine | OAuth client-credentials, or a scoped static service key | A short-lived token, or a watched service key |
Static API keys — sk-fremai-…
The drop-in path for SDKs, tools, and CI. Keys keep the sk- prefix that OpenAI SDKs and validators expect, marked with fremai provenance.
Create / rotate / revoke keys in the console at app.fremai.eu.
Send the key as a bearer token:
Authorization: Bearer sk-fremai-…Hold multiple keys — e.g. separate prod, dev, and CI keys — each individually revocable with its own budget, rate limit, and model subset. See rate limits & budgets.
Keep keys server-side. Never embed a key in a browser or mobile client; proxy requests through your backend.
fremai login and OAuth (opencode)
opencode is OAuth-only — you never paste a key. fremai login (or the @fremai/opencode-auth plugin) runs the browser sign-in once, stores a refresh token in your OS keychain, and supplies a fresh, short-lived key at request time, refreshing automatically. See the opencode guide.
Under the hood, the OAuth flow mints an ephemeral sk-fremai-… key scoped to your user, so per-user metering and budgets still apply. The key stays inside the plugin.
Because most interactive traffic (opencode) never holds a long-lived key, static keys become an opt-in minority to monitor tightly — OAuth-by-default is also the strongest form of leaked-key mitigation.
Machine-to-machine
For browserless automation, use an OAuth client-credentials grant to obtain a short-lived token, or a scoped static service key for tools that only accept a bearer. Configure both in the console.
Good practice
- Rotate keys periodically and on any suspected exposure.
- Scope keys narrowly — a CI key needs fewer models and a smaller budget than an interactive key.
- Set budgets and alerts so a leaked or runaway key is bounded by spend, not just by revocation. See rate limits & budgets.