Skip to main content

Security notes

Your FHRouter token key can spend from your account balance. Treat it like a payment credential.

Key handling

  • Do not commit token keys to Git.
  • Do not put token keys in browser frontend code.
  • Do not share token keys in screenshots.
  • Use separate keys for separate tools.
  • Delete old keys you no longer use.
  • Rotate a key if it appears in logs, chat messages, or public issue trackers.

Local environment files

Many AI clients read .env files. If a client uses the wrong key or endpoint, check the current directory and parent directories for old environment variables.

Common variable names include:

OPENAI_API_KEY
OPENAI_BASE_URL
ANTHROPIC_API_KEY
ANTHROPIC_AUTH_TOKEN
ANTHROPIC_BASE_URL
GEMINI_API_KEY
GOOGLE_API_KEY
GOOGLE_GEMINI_BASE_URL

If a client behaves as if it is using another service, search for these variables in your shell profile, project .env files, and client settings.

Public bug reports

When reporting a problem, remove:

  • API keys
  • account emails
  • payment ids
  • full request bodies if they contain private data
  • private repository names or file paths

Include:

  • client name and version
  • base URL used
  • model id
  • HTTP status code
  • short error message
  • approximate time of the request

Do not paste a full request log if it includes source code, private files, or account information. A short error message and timestamp are usually enough to investigate.

Copyright (c) 2026 FHRouter
Copyright © 2026 FHRouter