Security and data handling
This page summarizes API-key handling, workspace isolation, and usage data.
API authentication and isolation
- Inference requests use a
dg_…bearer API key over HTTPS. The inference API does not use browser cookies for authorization. - Keys belong to a workspace. Usage, prepaid credit, and request history are attributed to that workspace; organization membership controls which workspaces a Console user can reach.
- API keys are encrypted at rest and access is restricted to the services that validate or display them.
- Key changes can take up to one minute to take effect. A rotated or revoked key may continue to work during that period.
See Authentication for operational key guidance.
Inference and usage records
Celeris processes request bodies to generate responses. Usage records include token counts, request outcomes, consumed credit, model, and region. These records are retained for 90 days.
Successful responses are billed from their reported token counts. Requests that continue processing after the client disconnects may still be charged. See Pricing and Making requests.
Browser use
The inference API permits cross-origin bearer requests for browser-based applications. CORS does not make an embedded key private: anyone who can load a public application's JavaScript can recover a bundled key. For public web applications, keep the Celeris key on your server and proxy the request through your own authenticated backend.