AI Gateway
An OpenAI-compatible chat endpoint, a transparent Claude (Anthropic) proxy, the ccas analytics CLI, and AI Skills, a public agent-skill registry. One account, three credential types.
AI Gateway
The Hep.gg AI Gateway is two runtimes under one account.
The first is an LLM gateway at https://ai.hep.gg. It exposes an OpenAI-compatible /v1/chat/completions endpoint (point any OpenAI SDK at it) and a transparent passthrough proxy for the Anthropic Claude API so calls made by Claude Code can be metered and analyzed. The ccas CLI installs from the same host and wires Claude Code into the proxy.
The second is AI Skills at https://skills.hep.gg, a public registry of agent skills (SKILL.md files plus supporting files) served as plain markdown for coding agents to read and import. Skills are part of the same AI account.
Three credential types
This app uses three distinct credentials. Mixing them up is the most common source of 401s, so keep them straight.
master tokenAuthorization: Bearer hyd_.... Identifies your whole AI account. Used to mint API keys (/keys), register machines (/sync/machines), and call /me. Anyone holding it can manage your account, treat it like a password. Issued by the dashboard onboarder; rotate it from the dashboard.API keyAuthorization: Bearer sk-hyd-.... Authenticates the OpenAI-compatible /v1/* endpoints. Each key is bound to exactly one model at mint time. Minted with the master token via POST /keys and shown only once.proxy token/anthropic/pt_.../v1/messages. Identifies the machine that registered it. Issued by POST /sync/machines (which ccas init calls for you).A fourth, separate credential, the skills access key (48 hex chars), authorizes private AI Skills access and the skill import endpoint. It lives entirely on skills.hep.gg; see AI Skills.
Authentication summary
- OpenAI-compatible endpoints (
/v1/chat/completions,/v1/models):Authorization: Bearer sk-hyd-.... The key is SHA-256 hashed and matched against active keys; a disabled key or a nonsk-hyd-value returns401 {"error":"Invalid API key"}. - Account and management endpoints (
/me,/keys,/sync/*):Authorization: Bearer hyd_...(your master token). - Claude proxy (
/anthropic/...): thept_proxy token is the first path segment. You still send your own Anthropic credentials in the request, which are forwarded upstream unchanged. - AI Skills reads are public. Private access and skill import use a capability URL containing your skills access key.
There is no public endpoint to create a master token or a skills access key, those come from the dashboard. API keys and proxy tokens are minted with the master token. Never commit any of these to source control or print them in logs.
Quickstart
The smallest working call is an OpenAI-compatible chat completion. Mint an sk-hyd- key in the dashboard (or via POST /keys), then point any OpenAI client at https://ai.hep.gg/v1. The model slug is cf-gpt-oss-20b.
curl https://ai.hep.gg/v1/chat/completions \
-H "Authorization: Bearer $HYD_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model": "cf-gpt-oss-20b",
"messages": [{ "role": "user", "content": "Say hello in one word." }],
"max_tokens": 256
}'import OpenAI from "openai";
const client = new OpenAI({
baseURL: "https://ai.hep.gg/v1",
apiKey: process.env.HYD_API_KEY, // sk-hyd-...
});
const res = await client.chat.completions.create({
model: "cf-gpt-oss-20b",
messages: [{ role: "user", content: "Say hello in one word." }],
max_tokens: 256,
});
console.log(res.choices[0].message.content);What you can do
/v1. Use any OpenAI SDK.sk-hyd- API keys and machine proxy tokens.skills.hep.gg.Available models
The OpenAI-compatible endpoints currently serve a single model. List the minting catalog any time at GET https://ai.hep.gg/models (public, no auth).
cf-gpt-oss-20bprovider: "cloudflare". This is the slug you pass when minting an API key, and the only model that key will serve.