Overview
Deli is OAuth for API keys. It lets users store their API keys securely and grant scoped access to third-party platforms — without ever exposing the raw key.
There are three actors in the Deli ecosystem:
Users
Store API keys, authorize platforms, revoke access, view usage.
Developers
Register apps, integrate OAuth, proxy API calls through Deli.
Agents
Authenticate via client credentials, scoped access, audit trail.
Quick Start for Developers
1. Register a developer account
Sign up at
portal.withdeli.com/auth/register2. Create an application
In the dashboard, create a new app to get your
client_idandclient_secret.3. Implement the OAuth flow
Redirect users to the authorization endpoint:
GET https://portal.withdeli.com/oauth/consent ?client_id=YOUR_CLIENT_ID &redirect_uri=https://yourapp.com/callback &response_type=code &scope=openai &code_challenge=CHALLENGE &code_challenge_method=S2564. Exchange code for token
POST https://api.withdeli.com/oauth/token Content-Type: application/json { "grant_type": "authorization_code", "code": "AUTH_CODE", "client_id": "YOUR_CLIENT_ID", "redirect_uri": "https://yourapp.com/callback", "code_verifier": "VERIFIER" }5. Proxy API calls
POST https://api.withdeli.com/proxy/openai/chat/completions Authorization: Bearer ACCESS_TOKEN { "model": "gpt-4o", "messages": [{ "role": "user", "content": "Hello" }] }
OAuth 2.0 Flow
Deli implements the Authorization Code flow with PKCE (Proof Key for Code Exchange), the industry standard for secure OAuth.
Authorization Endpoint
GET /oauth/authorize
Redirects to consent screen. Params: client_id, redirect_uri, response_type=code, scope, code_challenge, code_challenge_method, state
Token Endpoint
POST /oauth/token
Exchange authorization code for access + refresh tokens. Supports authorization_code, refresh_token, and client_credentials grant types.
Revocation Endpoint
POST /oauth/revoke
Revoke an access or refresh token.
API Proxy
Deli acts as a transparent proxy. Your API calls are forwarded to the upstream provider using the user's stored key. The response is passed back unmodified.
POST https://api.withdeli.com/proxy/{service}/*
Authorization: Bearer ACCESS_TOKENSupported Services
The path after the service name is forwarded as-is. For example, proxy/openai/chat/completions proxies to OpenAI's /v1/chat/completions.
User Key Management
Users store their API keys through the Deli portal or API. Keys are encrypted at rest and never exposed to third-party platforms.
# Store a key
POST /api/user/keys
{ "service": "openai", "apiKey": "sk-...", "label": "My GPT key" }
# List keys (keys are masked)
GET /api/user/keys
# Delete a key
DELETE /api/user/keys/:idAgent Authentication
AI agents authenticate using the client credentials flow. Developers create agents in their app settings and generate scoped tokens.
# Generate agent token
POST /api/agents/:id/tokens
Authorization: Bearer DEV_SESSION
# Use agent token for proxy calls
POST /proxy/openai/chat/completions
Authorization: Bearer AGENT_TOKENAPI Reference
Authentication
OAuth
Apps
Keys & Proxy
Agents
SDK
The official JavaScript/TypeScript SDK handles OAuth flows, token management, and proxied API calls.
npm install @deli/sdkimport { DeliClient } from '@deli/sdk';
const deli = new DeliClient({
clientId: 'YOUR_CLIENT_ID',
redirectUri: 'https://yourapp.com/callback',
});
// Start OAuth flow
const authUrl = deli.getAuthorizationUrl({ scope: 'openai' });
// Exchange code
const tokens = await deli.exchangeCode(code);
// Proxy a call
const response = await deli.proxy('openai', '/chat/completions', {
model: 'gpt-4o',
messages: [{ role: 'user', content: 'Hello' }],
});