⚠️ Research Preview — Deli is in active development and has not undergone a third-party security audit. Do not store production API keys with spending authority. Use test keys or keys with low rate limits while we harden the platform.
Documentation

Overview

Deli is OAuth for API keys. It lets users store their API keys securely and grant scoped access to third-party platforms — without ever exposing the raw key.

There are three actors in the Deli ecosystem:

Users

Store API keys, authorize platforms, revoke access, view usage.

Developers

Register apps, integrate OAuth, proxy API calls through Deli.

Agents

Authenticate via client credentials, scoped access, audit trail.

Quick Start for Developers

  1. 1. Register a developer account

    Sign up at withdeli.com/auth/register

  2. 2. Create an application

    In the dashboard, create a new app to get your client_id and client_secret.

  3. 3. Implement the OAuth flow

    Redirect users to the authorization endpoint:

    GET https://api.withdeli.com/oauth/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=openai
  &code_challenge=CHALLENGE
  &code_challenge_method=S256

  4. 4. Exchange code for token

    POST https://api.withdeli.com/oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "redirect_uri": "https://yourapp.com/callback",
  "code_verifier": "VERIFIER"
}

  5. 5. Proxy API calls

    POST https://api.withdeli.com/proxy/openai/chat/completions
Authorization: Bearer ACCESS_TOKEN

{
  "model": "gpt-4o",
  "messages": [{ "role": "user", "content": "Hello" }]
}

OAuth 2.0 Flow

Deli implements the Authorization Code flow with PKCE (Proof Key for Code Exchange), the industry standard for secure OAuth.

Authorization Endpoint

GET /oauth/authorize

Redirects to consent screen. Params: client_id, redirect_uri, response_type=code, scope, code_challenge, code_challenge_method, state

Token Endpoint

POST /oauth/token

Exchange authorization code for access + refresh tokens. Supports authorization_code and refresh_token grant types.

Revocation Endpoint

POST /oauth/revoke

Revoke an access or refresh token.

API Proxy

Deli acts as a transparent proxy. Your API calls are forwarded to the upstream provider using the user's stored key. The response is passed back unmodified.

POST https://api.withdeli.com/proxy/{service}/*
Authorization: Bearer ACCESS_TOKEN

Supported Services

openai
anthropic
stripe
github

The path after the service name is forwarded as-is. For example, proxy/openai/chat/completions proxies to OpenAI's /v1/chat/completions.

User Key Management

Users store their API keys through the Deli portal or API. Keys are encrypted at rest and never exposed to third-party platforms.

# Store a key
POST /api/user/keys
{ "service": "openai", "apiKey": "sk-...", "label": "My GPT key" }

# List keys (keys are masked)
GET /api/user/keys

# Delete a key
DELETE /api/user/keys/:id

Agent Authentication

AI agents authenticate using the client credentials flow. Developers create agents in their app settings and generate scoped tokens.

# Generate agent token (client credentials)
POST /api/agents/token
{ "client_id": "deli_agent_...", "client_secret": "deli_secret_..." }

# Use agent token for proxy calls
POST /api/proxy/openai/chat/completions
Authorization: Bearer AGENT_TOKEN

API Reference

Authentication

POST/api/dev/register
Register developer accountPublic
POST/api/dev/login
Developer loginPublic
GET/api/dev/me
Get current developerSession
POST/api/dev/logout
LogoutSession
POST/api/user/register
Register user accountPublic
POST/api/user/login
User loginPublic
GET/api/user/me
Get current userSession

OAuth

GET/oauth/authorize
Start authorization flowPublic
POST/oauth/token
Exchange code for tokensPublic
POST/oauth/revoke
Revoke a tokenBearer

Apps

GET/api/apps
List developer appsSession
POST/api/apps
Create new appSession
GET/api/apps/:id
Get app detailsSession
PUT/api/apps/:id
Update appSession
DELETE/api/apps/:id
Delete appSession

Keys & Proxy

GET/api/user/keys
List stored keysSession
POST/api/user/keys
Store a new keySession
DELETE/api/user/keys/:id
Delete a keySession
POST/proxy/{service}/*
Proxy API callBearer

Agents

POST/api/agents
Create agentSession
GET/api/agents
List your agentsSession
POST/api/agents/token
Issue token (client_id + client_secret)Client Creds
POST/api/agents/:id/tokens
Issue token (by UUID)Client Creds
DELETE/api/agents/:id/tokens
Revoke all tokensSession
PUT/api/agents/:id/scopes
Update scopesSession
POST/api/agents/:id/rotate-secret
Rotate secretSession
GET/api/agents/:id/audit
View audit logSession
DELETE/api/agents/:id
Deactivate agentSession

Identity Mappings

POST/api/identities
Add credential mappingSession
GET/api/identities
List mappingsSession
DELETE/api/identities/:id
Remove mappingSession

SDK

The official JavaScript/TypeScript SDK handles OAuth flows, token management, and proxied API calls.

npm install @deli/sdk
import { DeliClient } from '@deli/sdk';

const deli = new DeliClient({
  clientId: 'YOUR_CLIENT_ID',
  redirectUri: 'https://yourapp.com/callback',
});

// Start OAuth flow
const authUrl = deli.getAuthorizationUrl({ scope: 'openai' });

// Exchange code
const tokens = await deli.exchangeCode(code);

// Proxy a call
const response = await deli.proxy('openai', '/chat/completions', {
  model: 'gpt-4o',
  messages: [{ role: 'user', content: 'Hello' }],
});

Data Governance

Deli supports configurable data retention modes per user. Control what metadata is stored when requests pass through the proxy.

Standard Mode (default)

Full operational metadata logged: request paths, methods, status codes, response times, usage records. Request and response bodies are never stored.

Zero Retention Mode

Only billing-minimum metadata retained: userId, timestamp, tokenCount, provider, cost. All audit logs, request paths, endpoint details, and response metadata are stripped.

API

# Set governance mode
PUT /api/v1/governance/configure
{ "mode": "zero-retention" }

# Check current mode
GET /api/v1/governance/status/me

# Verify what data is retained
GET /api/v1/governance/verify/me

SDK

// Configure zero retention
await deli.governance.configure('zero-retention');

// Check current status
const status = await deli.governance.status();

CLI

deli governance set --mode zero-retention
deli governance status