Docs
How to use a Strake endpoint with your favorite AI tools.
Quick start
1. Sign in at app.strake.sh.
2. Click Connect new provider, pick your provider, and paste your real API key. We validate the key before saving.
3. Copy the endpoint URL and bearer token from the success screen. The token is shown only once.
4. Point your tool at the URL and use the bearer token in place of your real API key.
The rest of this page shows exactly how to do step 4 for the most common tools.
Strake CLI
The CLI’s whole job is to make sure you never paste a Strake URL or a bearer token into a tool’s config. You hand it a subdomain, it hands your tool a fresh, scoped, auto-rotated endpoint.
Install & log in
npm install -g @strakelabs/strake
# Mint a token at app.strake.sh/dashboard/settings → Access tokens, then:
strake login --token pat_...
Create an endpoint
strake connect openai
# Label (optional) [e.g. Cursor]: Cursor on laptop
# OpenAI API key: *************** (input hidden)
#
# Endpoint created.
# URL: https://abc123def456.strake.sh
# Token: 5656d21667545a... ← shown once, save it now
Works for openai, anthropic, gemini, xai, openrouter, or custom. Built-in providers are validated before the endpoint is created, so bad keys fail fast.
Use an endpoint: strake run
The killer command. Mints a short-lived bearer, spawns the target with Strake env vars already set.
# Launches Claude Code routed through Strake
strake run abc123def456 -- claude
# Same thing for Cursor, any OpenAI-SDK script, a VS Code session, whatever
strake run abc123def456 -- cursor
strake run abc123def456 -- python app.py
strake run abc123def456 -- npm run dev
Behind the scenes, strake run sets these env vars for the spawned process:
- OPENAI_BASE_URL → https://{subdomain}.strake.sh/v1
- OPENAI_API_KEY → the freshly minted bearer
- ANTHROPIC_BASE_URL → https://{subdomain}.strake.sh
- ANTHROPIC_AUTH_TOKEN → the same bearer
Any tool that reads those env names (Claude Code, Cursor, OpenAI and Anthropic SDKs, most SDK wrappers) talks to Strake without any extra config. Your real upstream key never leaves the vault.
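A preflight check for the variables listed above, as an added example (not part of the Strake CLI or its docs): it confirms both base URLs are https strake.sh subdomains with the documented path (/v1 for OpenAI, none for Anthropic) and that neither credential variable holds something shaped like a raw provider key. The function names and the sk-/xai-/AIza key-prefix heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the variables `strake run` is documented to set.
# Assumption: raw provider keys start with sk-, xai- or AIza; a Strake bearer does not.

# check_base_url NAME URL EXPECTED_PATH -> 0 if URL is https://<sub>.strake.sh<path>
check_base_url() {
  name=$1; url=$2; want=$3
  case $url in
    https://*) ;;
    *) echo "$name: missing or not https"; return 1 ;;
  esac
  rest=${url#https://}
  host=${rest%%/*}
  path=${rest#"$host"}
  path=${path%/}
  case $host in
    *[!a-z0-9.-]*|.strake.sh) echo "$name: malformed host"; return 1 ;;
    *.strake.sh) ;;
    *) echo "$name: host is not a strake.sh subdomain"; return 1 ;;
  esac
  [ "$path" = "$want" ] && return 0
  echo "$name: path '$path' but expected '$want'"; return 1
}

# check_bearer NAME VALUE -> 0 if VALUE is set and is not a raw upstream key.
# The value itself is never printed.
check_bearer() {
  case $2 in
    "") echo "$1: empty"; return 1 ;;
    sk-*|xai-*|AIza*) echo "$1: looks like a raw provider key"; return 1 ;;
  esac
  return 0
}

# strake_preflight -> 0 only if all four variables pass.
strake_preflight() {
  fails=0
  check_base_url OPENAI_BASE_URL "${OPENAI_BASE_URL-}" /v1 || fails=$((fails + 1))
  check_bearer OPENAI_API_KEY "${OPENAI_API_KEY-}" || fails=$((fails + 1))
  check_base_url ANTHROPIC_BASE_URL "${ANTHROPIC_BASE_URL-}" "" || fails=$((fails + 1))
  check_bearer ANTHROPIC_AUTH_TOKEN "${ANTHROPIC_AUTH_TOKEN-}" || fails=$((fails + 1))
  [ "$fails" -eq 0 ]
}

# Constructed sample values, run in a subshell so the caller's env is untouched.
(
  OPENAI_BASE_URL=https://abc123def456.strake.sh/v1
  ANTHROPIC_BASE_URL=https://abc123def456.strake.sh
  OPENAI_API_KEY=constructed-bearer-0001
  ANTHROPIC_AUTH_TOKEN=$OPENAI_API_KEY
  strake_preflight && echo "preflight ok"
)
```

Source the functions at the top of a wrapper script started by strake run and stop if strake_preflight returns non-zero, so a misconfigured process never sends a real key or talks to an unexpected host.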
Use an endpoint: strake env + your shell
When you want the vars in your current shell — for curl, quick scripts, or piping to something else:
eval "$(strake env abc123def456 --mint)"
curl "$OPENAI_BASE_URL/chat/completions" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"hi"}]}'
--mint issues a fresh token for the shell. Pass --token <plaintext> if you want to reuse an existing one.
Manage tokens
strake get abc123def456 # endpoint + every token
strake tokens add abc123def456 --label "CI"
strake tokens revoke abc123def456 ctok_...
Every endpoint can have any number of labeled tokens. Revoking one doesn’t touch the others. Losing one? Add a new one, revoke the old — the endpoint URL and your real upstream key stay exactly the same.
Full command list & source
Run strake help for the full reference, or read github.com/strakelabs/strake-cli for the source. Bug reports and feature requests: github.com/strakelabs/community.
curl
Sanity-check in one command. Replace {URL} and {TOKEN} with the values from the success screen.
OpenAI-shaped (OpenAI, xAI, OpenRouter)
curl {URL}/v1/chat/completions \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"hi"}]}'
Anthropic
curl {URL}/v1/messages \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Content-Type: application/json" \
  -H "anthropic-version: 2023-06-01" \
  -d '{"model":"claude-haiku-4-5-20251001","max_tokens":256,"messages":[{"role":"user","content":"hi"}]}'
Gemini
curl {URL}/v1beta/models/gemini-2.0-flash:generateContent \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"contents":[{"parts":[{"text":"hi"}]}]}'
OpenAI SDK
Python
from openai import OpenAI

client = OpenAI(
    base_url="{URL}/v1",
    api_key="{TOKEN}",
)
resp = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "hi"}],
)
print(resp.choices[0].message.content)
JavaScript / TypeScript
import OpenAI from "openai";

const client = new OpenAI({
  baseURL: "{URL}/v1",
  apiKey: "{TOKEN}",
});
const resp = await client.chat.completions.create({
  model: "gpt-4o-mini",
  messages: [{ role: "user", content: "hi" }],
});
console.log(resp.choices[0].message.content);
/v1-prefixed paths to your base URL, so pass {URL}/v1 (not {URL}) or you’ll hit the Strake root and get a 404 from the worker.
Anthropic SDK
Python
from anthropic import Anthropic

client = Anthropic(
    base_url="{URL}",
    api_key="{TOKEN}",
)
msg = client.messages.create(
    model="claude-haiku-4-5-20251001",
    max_tokens=256,
    messages=[{"role": "user", "content": "hi"}],
)
print(msg.content[0].text)
JavaScript / TypeScript
import Anthropic from "@anthropic-ai/sdk";

const client = new Anthropic({
  baseURL: "{URL}",
  apiKey: "{TOKEN}",
});
const msg = await client.messages.create({
  model: "claude-haiku-4-5-20251001",
  max_tokens: 256,
  messages: [{ role: "user", content: "hi" }],
});
console.log(msg.content[0].text);
x-api-key header internally. Strake ignores it and substitutes your real upstream key using the one stored in the vault, so whatever string you pass as api_key to the SDK is the Strake bearer token.
Cursor
Cursor › Settings › Models › Override OpenAI Base URL:
- Base URL: {URL}/v1
- API key: {TOKEN}
Then enable OpenAI-compatible models and Cursor will route everything through your Strake endpoint. Switch the dropdown between providers by creating a separate Strake endpoint per provider and swapping the Base URL.
Claude Code
Set the Anthropic base URL and auth token in your shell before launching Claude Code:
export ANTHROPIC_BASE_URL="{URL}"
export ANTHROPIC_AUTH_TOKEN="{TOKEN}"
claude
If you’d rather scope this per-project, drop the same two lines into a .envrc (direnv) at the project root.
OpenRouter, Gemini, Grok
Each of these is OpenAI-compatible at the request shape level. Point the OpenAI SDK at the Strake URL with /v1 appended (or /api/v1 for OpenRouter, /v1beta for Gemini) and use the Strake bearer token as the API key. The vault injects the real provider key at proxy time.
Rotating and revoking
- Rotate — generates a new bearer token, shows it once, invalidates the old one immediately. Use this when a token leaks or you just want a fresh one.
- Revoke — nulls the bearer token so the endpoint starts returning 401. Use this to quickly disable an endpoint without deleting the stored upstream key.
- Delete — soft-deletes the endpoint and its stored upstream credential. Permanent.
All three are on the endpoint detail page in the dashboard.
FAQ
What happens if I forget to copy the token?
Rotate it. The new token is shown once, and your old one stops working immediately.
Does Strake see my prompts?
No. Request and response bodies are never inspected or persisted — only routing metadata (subdomain, status, latency). See Security.
What’s the latency overhead?
Typically a few milliseconds. The proxy runs on Cloudflare’s edge near the caller and the cryptographic unwrap is done in memory on the hot path.
Can I restrict an endpoint to specific paths?
Yes. On the endpoint detail page, set an Allowed paths list (one path per line). A leaked Strake token can’t hit anything outside that list. Same with per-minute rate limits and monthly request caps.
Still stuck?
Email hello@strakelabs.com.