Short answer
LLMEasy is an API gateway. Its main role is to forward your request to the selected upstream model and record the billing, usage, and troubleshooting information needed to operate the service. When you use the API, follow data minimization. Do not put unnecessary personal data, secrets, payment information, or business-sensitive content in prompts, files, or tool output. Store API Keys in environment variables, secret managers, or CI secrets. Do not commit them to public repositories.Data security boundary
| Type | Description |
|---|---|
| API Key | Authenticates your requests and should be protected by you |
| Request content | Prompts, context, file snippets, or tool results sent to the model |
| Response content | Text, code, or structured output returned by the model |
| Usage information | Model, tokens, cost, status code, request time, and other billing or troubleshooting metadata |
| Upstream model | The model service or provider that processes the inference request |
Transport security
All API calls should use HTTPS. When you configure a Base URL, use thehttps:// address shown in the docs.
Do not send API Keys or request content over plaintext HTTP. If a client, proxy, or local tool asks you to disable TLS verification, confirm why before using that setup. Do not make it the default.
Logs and usage records
To support billing, balance deduction, error troubleshooting, and risk control, an API gateway usually needs to record request metadata such as:- Request time
- API Key or key group used
- Requested model
- Token usage
- Whether the request succeeded
- Error status
User-side recommendations
- Do not commit API Keys to code repositories.
- Do not expose a full API Key in screenshots, logs, or support tickets.
- Use separate API Keys for production and test environments.
- Check usage records in the dashboard regularly.
- Disable old keys when a member leaves, a project ends, or a leak is suspected.
- Avoid sending identity documents, bank cards, passwords, private keys, or other highly sensitive data in prompts.
- If you need to process sensitive business data, mask and minimize it before sending it to the model.
What to do if usage looks abnormal
If an API Key shows abnormal calls:- Disable or delete the suspicious API Key in the console.
- Check recent call records for model, time, and request source.
- Check code repositories, CI logs, local config, and third-party tool settings for key leaks.
- Create a new API Key and distribute it only to the required environments.
- If you cannot find the cause, contact support with the time range, model, and abnormal amount.

