Authentication
Every request through the AI SpendOps proxy requires two sets of credentials:
X-ASO-API-Key— Your AI SpendOps API key (for the proxy)- Provider credentials — Your AI provider's API key (forwarded to the upstream)
X-ASO-API-Key
Your AI SpendOps API key, provided by your administrator. Keys use the format:
aso_k_{id}.{secret}
Pass it as a request header:
-H "X-ASO-API-Key: aso_k_01ARZ3NDEK.dGhpcyBpcyBhIHRlc3Qga2V5..."
Error responses
| Scenario | HTTP Status | Error |
|---|---|---|
| Header missing | 401 | Missing X-ASO-API-Key |
| Invalid or unrecognised key | 403 | Invalid X-ASO-API-Key |
| Key exists but deactivated | 403 | API key is inactive |
Provider credentials
Pass your provider's API key exactly as you would when calling them directly:
| Provider | Header | Example |
|---|---|---|
| OpenAI, OpenRouter, Google, xAI | Authorization | Bearer sk-... |
| Anthropic | x-api-key | sk-ant-... |
| Groq, DeepInfra, Mistral, etc. | Authorization | Bearer ... |
The proxy forwards these headers to the upstream provider unchanged. AI SpendOps never stores or logs your provider credentials.
Security
- API keys are validated using HMAC-SHA-256 hashes stored in Cloudflare KV
- Provider credentials are forwarded directly — never stored
- All traffic is encrypted via HTTPS
X-ASO-*headers are stripped before forwarding to the provider