One-Click OpenRouter: Connect 100+ AI Models with OAuth
Clarity now supports OAuth for OpenRouter — click Connect, approve, and you're done. No API key to copy, no tab-switching. PKCE-secured, AES-256-GCM encrypted, and ready in five seconds.
Most finance apps that offer AI give you one model, one provider, and no way to change either. Clarity already supported Bring Your Own Key for Anthropic, OpenAI, and OpenRouter — but pasting API keys is friction. Today we're shipping one-click OAuth for OpenRouter: click Connect, approve on OpenRouter, and you're done. No key to copy, no tab-switching, no chance of a typo. Five seconds to connect. One hundred models to choose from.
OAuth flow preview
Step 1 · Click Connect in Clarity
Step 2 · Approve on OpenRouter
Step 3 · PKCE code exchange
Server checks challenge + verifier before issuing key access.
Step 4 · trust checkpoint · Encrypted key stored
AES-256-GCM at rest, never rendered in the UI.
What Changed
Previously, connecting OpenRouter to Clarity meant going to openrouter.ai, creating an API key, copying it, navigating to Settings, pasting it in, and hoping you didn't clip a character. It worked, but it was the kind of setup flow that made people say "I'll do it later" and never come back.
Now there's a single Connect button in Settings → AI & Models. Click it. You're redirected to OpenRouter, where you approve the connection. OpenRouter sends you back to Clarity with a secure token. Done. The whole thing takes about five seconds.
Why OAuth Over Paste-a-Key
The API key paste flow has a few problems that OAuth solves:
No key exposure. With the paste flow, your API key appears in plain text on your screen, in your clipboard, and potentially in your browser's autofill. With OAuth, the key is generated server-to-server. It never appears in your browser. You can't accidentally paste it into the wrong field or leave it in your clipboard.
No copy errors. API keys are long strings of random characters. Double-clicking to select sometimes misses a character. Triple-clicking grabs too much. OAuth eliminates this class of error entirely.
Scoped permissions. When OpenRouter generates a key through OAuth, it can scope that key to only the permissions Clarity needs. A manually created key might have broader access than necessary.
Easier revocation. Since the connection is tracked on both sides, you can disconnect from Clarity's settings or revoke from OpenRouter's dashboard. Either way, the connection is cleanly severed.
OAuth removes the riskiest moment in setup: handling raw API secrets in the browser.
How It Works Under the Hood
The integration uses OAuth with PKCE (Proof Key for Code Exchange) — the same pattern used by mobile banking apps and services like Sign in with Google. Here's the flow:
Step 1 · Connect
Clarity creates a random verifier and a SHA-256 challenge derived from it. The verifier is written to an httpOnly cookie with a 5-minute expiry.
Step 2 · Redirect
You land on OpenRouter with the code challenge. OpenRouter shows requested scopes before approval.
Step 3 · PKCE exchange
Clarity exchanges the auth code server-side and must present the original verifier. Without that verifier, the code is useless to an attacker.
Step 4 · Encrypt + store
The returned key is encrypted with AES-256-GCM before it hits the database and is never displayed in the browser or logs.
Why PKCE matters
If someone intercepts the one-time authorization code during redirect, they still cannot exchange it without the verifier that only exists in an httpOnly cookie and Clarity's server memory.
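The PKCE check from steps 1 and 3, modelled end to end in Node.js. This is an added example, not Clarity's or OpenRouter's code: `createPkcePair`, `AuthServer` and the placeholder key are hypothetical, and the challenge method is assumed to be S256 as defined in RFC 7636.

```javascript
// Added illustration, not Clarity's or OpenRouter's code; all names are hypothetical.
const crypto = require('node:crypto');

// S256 transform from RFC 7636: base64url(SHA-256(verifier)), no padding.
function s256(verifier) {
  return crypto.createHash('sha256').update(verifier).digest('base64url');
}

// Client side (step 1): random verifier plus the challenge sent in the redirect.
function createPkcePair() {
  const verifier = crypto.randomBytes(32).toString('base64url'); // 43 characters
  return { verifier, challenge: s256(verifier) };
}

// Authorization-server side: remembers the challenge bound to each issued code.
class AuthServer {
  constructor() { this.pending = new Map(); }

  issueCode(challenge) {
    const code = crypto.randomBytes(16).toString('hex');
    this.pending.set(code, challenge);
    return code;
  }

  // Step 3: a code is redeemable once, and only with the matching verifier.
  exchange(code, verifier) {
    const challenge = this.pending.get(code);
    this.pending.delete(code); // single use, even when the attempt fails
    if (!challenge || typeof verifier !== 'string') return null;
    const expected = Buffer.from(challenge);
    const actual = Buffer.from(s256(verifier));
    if (expected.length !== actual.length ||
        !crypto.timingSafeEqual(expected, actual)) return null;
    return { key: 'sk-constructed-placeholder' }; // constructed value
  }
}
```

An intercepted code fails at `exchange` because the interceptor only ever saw the challenge, and SHA-256 cannot be run backwards to recover the verifier.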
What You Unlock
Connecting OpenRouter gives you access to every model they support through Clarity's AI chat. As of February 2026, the highlights include:
The list below is illustrative, not exhaustive. OpenRouter's catalog changes frequently, so check their live model list for the latest availability.
Claude Sonnet 4 — the same model Clarity uses by default, but billed to your OpenRouter account instead
Gemini 2.5 Pro — Google's latest, strong at data analysis and often cheaper than Claude or GPT
DeepSeek R1 — open-source reasoning model that rivals GPT-4 at a fraction of the cost
GPT-4o and GPT-4o Mini — OpenAI's models, accessible without a separate OpenAI key
When you connect your own key, you also bypass Clarity's daily message limits on the built-in model. Since you're paying the provider directly, there's no reason for us to cap usage.
The Disconnect Flow
Disconnecting is as deliberate as connecting. In Settings, the Connect button becomes a Disconnect button with a confirmation dialog. When you confirm:
Your encrypted API key is deleted from Clarity's database
Chat falls back to the default Claude Sonnet model with daily limits
Your conversations are preserved — only the model routing changes
You can reconnect anytime. The OAuth flow takes five seconds, and you're back to 100+ models.
Security Details
We treat API keys as secrets equivalent to passwords. Here's how the OpenRouter key is handled at each step:
Security chain
Browser (no key) → HTTPS server exchange → AES-256-GCM encryption → database storage.
The secret never appears in the UI, clipboard, or URL.
In transit
Key moves from OpenRouter to Clarity over HTTPS and never passes through the browser.
At rest
AES-256-GCM with a unique 12-byte IV per key; auth tag detects tampering.
In use
Decrypted in server memory only for outbound OpenRouter requests, then discarded.
Atomic upsert prevents duplicate keys when Connect is clicked repeatedly and cleanly replaces existing credentials.
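An added Node.js example of the at-rest handling described above, not Clarity's implementation: a fresh 12-byte IV for every encryption and an authentication tag that makes tampering fail closed. The record layout, the function names, and the use of the user ID as additional authenticated data are assumptions that the page does not describe.

```javascript
// Added illustration, not Clarity's code; record layout and names are hypothetical.
const crypto = require('node:crypto');

// Encrypt one API key under a 32-byte master key with a fresh 12-byte IV.
function sealKey(masterKey, apiKey, userId) {
  const iv = crypto.randomBytes(12); // never reuse an IV with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(Buffer.from(userId)); // assumption: bind the record to its owner
  const ciphertext = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt; returns null if the ciphertext, IV, tag or owner was altered.
function openKey(masterKey, record, userId) {
  try {
    // Pinning authTagLength rejects truncated tags instead of accepting them.
    const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, record.iv,
      { authTagLength: 16 });
    decipher.setAAD(Buffer.from(userId));
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()])
      .toString('utf8');
  } catch {
    return null; // authentication failed: treat the record as corrupt
  }
}
```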
Why OpenRouter
Clarity already supports direct API keys for Anthropic and OpenAI. OpenRouter is different because it's a model aggregator — one account, one billing dashboard, and access to models from every major provider. For users who want to experiment with different models for financial queries, OpenRouter is the path of least resistance.
It's also the provider most likely to have the newest models first. When a new open-source model drops, OpenRouter typically adds it within days. With a direct Anthropic or OpenAI key, you're locked to that provider's models. With OpenRouter, you get everything.
What Didn't Change
A few things worth clarifying that haven't changed:
Direct API keys still work. If you prefer to paste an Anthropic or OpenAI key manually, that flow is unchanged. OAuth is an OpenRouter-specific addition.
The default model is still free. Claude Sonnet 4.5 is included in your Clarity subscription. OpenRouter is for users who want more models, more control, or unlimited messages.
Privacy model is unchanged. Your financial data is sent to whichever AI provider you select, processed to generate a response, and not used for training. BYOK gives you a direct relationship with the provider under your own API agreement.
Conversations are still saved. Switching models or reconnecting doesn't affect your chat history.
Getting Started
1. Go to Settings → AI & Models
2. Click Connect next to OpenRouter
3. Approve the connection on OpenRouter (create an account if you don't have one)
4. You're redirected back to Clarity — OpenRouter shows as Connected
5. Open the chat, pick any model from the dropdown, and start asking questions
Five seconds to connect. One hundred models to choose from. Your data, your model, your key.