Skip to main content
Pre-launch. fremai is not open for signups yet. These docs describe the launch API and are subject to change. fremai.eu →
Authentication

Authentication

fremai is OAuth-first with a static-key fallback. The right method depends on your client.

ClientAuth methodWhat you handle
opencodeOAuth only (auth plugin)Nothing — the plugin mints and refreshes a short-lived key
OpenAI SDK / LangChain / curlStatic sk-fremai-… keyYou manage the key
CI / machine-to-machineOAuth client-credentials, or a scoped static service keyA short-lived token, or a watched service key

Static API keys — sk-fremai-…

The drop-in path for SDKs, tools, and CI. Keys keep the sk- prefix that OpenAI SDKs and validators expect, marked with fremai provenance.

  • Create / rotate / revoke keys in the console at app.fremai.eu.

  • Send the key as a bearer token:

    Authorization: Bearer sk-fremai-…
  • Hold multiple keys — e.g. separate prod, dev, and CI keys — each individually revocable with its own budget, rate limit, and model subset. See rate limits & budgets.

  • Keep keys server-side. Never embed a key in a browser or mobile client; proxy requests through your backend.

fremai login and OAuth (opencode)

opencode is OAuth-only — you never paste a key. fremai login (or the @fremai/opencode-auth plugin) runs the browser sign-in once, stores a refresh token in your OS keychain, and supplies a fresh, short-lived key at request time, refreshing automatically. See the opencode guide.

Under the hood, the OAuth flow mints an ephemeral sk-fremai-… key scoped to your user, so per-user metering and budgets still apply. The key stays inside the plugin.

Because most interactive traffic (opencode) never holds a long-lived key, static keys become an opt-in minority to monitor tightly — OAuth-by-default is also the strongest form of leaked-key mitigation.

Machine-to-machine

For browserless automation, use an OAuth client-credentials grant to obtain a short-lived token, or a scoped static service key for tools that only accept a bearer. Configure both in the console.

Good practice

  • Rotate keys periodically and on any suspected exposure.
  • Scope keys narrowly — a CI key needs fewer models and a smaller budget than an interactive key.
  • Set budgets and alerts so a leaked or runaway key is bounded by spend, not just by revocation. See rate limits & budgets.