Authentication
Onlist authenticates every request with a single bearer token. There is no bespoke
SDK and no signing scheme to learn: point your existing OpenAI, Anthropic, or Gemini
client at https://onlist.io and supply your token.
Bearer token
Issue a token in the Onlist buyer dashboard, then send it on every request in the
standard Authorization header:
Authorization: Bearer YOUR_ONLIST_TOKEN
The token is a plain bearer credential tied to your wallet. It carries your account's routing preferences (allow/deny lists) and per-token rate and quota limits. Keep it secret and server-side; rotate it from the dashboard if it leaks.
curl https://onlist.io/v1/chat/completions \
-H "Authorization: Bearer YOUR_ONLIST_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"model": "openai/gpt-4o",
"messages": [{ "role": "user", "content": "Hello!" }]
}'
A missing or invalid token returns 401. See Errors for the full envelope.
No sk-or- prefix
If you are migrating from OpenRouter, drop the prefix. Onlist tokens are plain bearer
strings, not sk-or-... keys.
Unlike OpenRouter, an Onlist token has no sk-or- prefix. A leading sk- is
tolerated and silently stripped, so a value copied from OpenAI-style tooling still
works — but the canonical form is the bare token from your dashboard.
Header variants
Different SDKs send the credential under different header names. Onlist normalizes all of them to the same token, so you do not need to special-case the header your client library uses:
| Header | Sent by | Notes |
|---|---|---|
Authorization: Bearer <token> | OpenAI SDK, curl, most HTTP clients | Canonical form. |
x-api-key: <token> | Anthropic SDKs (/v1/messages) | Normalized to the same token. |
x-goog-api-key: <token> | Gemini SDKs (/v1beta paths) | Normalized to the same token. |
All three resolve to one token and one account. The examples below set authentication the way each official SDK expects.
# OpenAI-compatible surface
curl https://onlist.io/v1/chat/completions \
-H "Authorization: Bearer YOUR_ONLIST_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "model": "openai/gpt-4o", "messages": [{ "role": "user", "content": "Hi" }] }'
# Anthropic-native: x-api-key
curl https://onlist.io/v1/messages \
-H "x-api-key: YOUR_ONLIST_TOKEN" \
-H "anthropic-version: 2023-06-01" \
-H "Content-Type: application/json" \
-d '{ "model": "anthropic/claude-sonnet-4-20250514", "max_tokens": 256, "messages": [{ "role": "user", "content": "Hi" }] }'
# Gemini-native: x-goog-api-key
curl "https://onlist.io/v1beta/models/gemini-2.5-pro:generateContent" \
-H "x-goog-api-key: YOUR_ONLIST_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "contents": [{ "parts": [{ "text": "Hi" }] }] }'Attribution headers
OpenRouter clients commonly send HTTP-Referer and X-Title to attribute traffic to
an app. Onlist reads the same headers (including the X-OpenRouter-Title and
X-OpenRouter-Categories variants), so a setup copied from OpenRouter works unchanged.
These headers place your app on the public Apps & Agents rankings, ranked by token usage. They do not affect routing, model selection, or billing.
Attribution is used only for the public rankings. Before each request is forwarded upstream, Onlist swaps these headers for its own identity, so the providers serving your traffic cannot see which app sent it. The headers are optional: send them to appear on the rankings, or omit them to stay anonymous.
Next steps
- Quickstart — Get a token, set your base URL, and make a first request in curl, Python, and Node.
- Errors — The error envelope and what a 401 means when a token is missing, invalid, or stale.