Going to production
Use this checklist before sending production traffic. Each section links to detailed guidance elsewhere in the documentation.
Keys and secrets
- One key per app and environment (
prod-backend,staging,cli-tools), and private keys over workspace-shared ones when usage should remain attributable to a person. There are no per-key rate limits. - Load keys from a secret manager or environment variable. Never store
them in source control. Add the
dg_prefix to secret-scanning rules. - Document a rotation procedure. Key changes can take up to one minute to take effect. Rotate shared credentials when access changes and immediately after suspected exposure.
- Do not include a key in public client-side code. Browser calls are supported, but public JavaScript cannot keep a credential secret. Proxy requests through your backend.
Retries and timeouts
- Retry
429,502, and503with exponential backoff and jitter, honoringRetry-Afteras the floor — code in Rate limits. - Never retry
400,401,404, or413unchanged — they fail identically every time. See Errors. - Treat
402as terminal and alert on it. An exhausted balance stops every key in the workspace; a retry loop cannot fix it. - Set client timeouts based on your workload and latency objective. Treat a timeout as transient and retry with backoff.
- Retry any
5xxby status, not by body. Some5xxresponses do not include a JSON body, so do not requireerror.codebefore retrying.
Concurrency and throughput
- Use a shared client-side concurrency limit across workers. See Rate limits.
- Remember limits are workspace-scoped. All keys share one rate ceiling and one credit balance. Set separate concurrency budgets for batch and user-facing traffic.
- Reuse connections. Use connection pooling and keep-alive. OpenAI SDK clients enable these by default. See Measuring latency.
Observability
- Send
X-Client-Trace-Idon every request. Celeris echoes it in API responses so you can correlate failures with application logs and support cases. See the API reference. - Log or sample the
Server-Timingheader. Compare server duration with wall-clock latency to separate server-side changes from client and network overhead. See Measuring latency. - Track your client-side
429rate. Throttled requests do not appear on the usage dashboard.
Billing readiness
- Monitor spend. The usage page shows completed request counts and token volumes over 24 hours, 7 days, or 30 days. Project spend from those volumes with the pricing rates.
- Maintain sufficient credit. When the balance is exhausted, all keys in
the workspace return
402. Alert on this response. - Set
max_tokenson every request. This bounds completion latency and cost. See Prompt engineering.
Deployment geometry
- Deploy callers close to the serving region. Celeris is available in
us-east-1. Typical short requests complete in roughly 50–150 ms within the region; network distance adds to end-to-end latency. - Measure with
Server-Timing. Compare server duration with wall-clock latency to estimate client and network overhead. See Measuring latency.
The checklist
- Separate API keys per app and environment, loaded from a secret store
- Rotation procedure written down; keys rotate on departures/exposure
- No keys in public client-side code
- Backoff with jitter on
429/502/503, honoringRetry-After -
400/401/404/413fail fast — no blind retries -
402alerts a human; nothing retry-loops on it - Client timeouts set and timeout retries bounded
- Shared concurrency cap sized under your workspace's ceiling
-
X-Client-Trace-Idsent on every request and logged - Client-side
429rate tracked -
max_tokensset (low) on every call;temperature: 0on structured calls - Callers deployed near the serving region; keep-alive connections
- Credit balance monitored; top-up owner named