Engineering note
One-Click OpenRouter: Connect 100+ AI Models with OAuth
Clarity now supports OAuth for OpenRouter — click Connect, approve, and you're done. No API key to copy, no tab-switching. PKCE-secured, encrypted at rest, and ready in five seconds.
Most finance apps that offer AI give you one model, one provider, and no way to change either. Clarity already supported Bring Your Own Key for Anthropic, OpenAI, and OpenRouter — but pasting API keys is friction. Today we're shipping one-click OAuth for OpenRouter: click Connect, approve on OpenRouter, and you're done. No key to copy, no tab-switching, no chance of a typo. Five seconds to connect. One hundred models to choose from.
What Changed
Previously, connecting OpenRouter to Clarity meant going to openrouter.ai, creating an API key, copying it, navigating to Settings, pasting it in, and hoping you didn't clip a character. It worked, but it was the kind of setup flow that made people say "I'll do it later" and never come back.
Now there's a single Connect button in Settings → AI & Models. Click it. You're redirected to OpenRouter, where you approve the connection. OpenRouter sends you back to Clarity with a secure token. Done. The whole thing takes about five seconds.
Why OAuth Over Paste-a-Key
The API key paste flow has a few problems that OAuth solves:
- No key exposure. With the paste flow, your API key appears in plain text on your screen, in your clipboard, and potentially in your browser's autofill. With OAuth, the key is generated server-to-server. It never appears in your browser. You can't accidentally paste it into the wrong field or leave it in your clipboard.
- No copy errors. API keys are long strings of random characters. Double-clicking to select sometimes misses a character. Triple-clicking grabs too much. OAuth eliminates this class of error entirely.
- Scoped permissions. When OpenRouter generates a key through OAuth, it can scope that key to only the permissions Clarity needs. A manually created key might have broader access than necessary.
- Easier revocation. Since the connection is tracked on both sides, you can disconnect from Clarity's settings or revoke from OpenRouter's dashboard. Either way, the connection is cleanly severed.
OAuth removes the riskiest moment in setup: handling raw API secrets in the browser.
How It Works Under the Hood
The integration uses OAuth with PKCE (Proof Key for Code Exchange) — the same pattern used by mobile banking apps and services like Sign in with Google. Here's the flow:
Step 1 · Connect
Clarity creates a cryptographic challenge using the PKCE standard. The verifier is stored in a secure, short-lived server-side cookie.
Step 2 · Redirect
You land on OpenRouter with the code challenge. OpenRouter shows requested scopes before approval.
Step 3 · PKCE exchange
Clarity exchanges the auth code server-side and must present the original verifier. Without that verifier, the code is useless to an attacker.
Step 4 · Encrypt + store
The returned key is encrypted with authenticated encryption before it hits the database and is never displayed in the browser or logs.
Why PKCE matters
If someone intercepts the one-time authorization code during redirect, they still cannot exchange it without the verifier that only exists on Clarity's server.
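The check in steps 1 to 3, as an added example (not Clarity's or OpenRouter's code): the S256 challenge derivation from RFC 7636 and a minimal in-memory model of the authorization server's exchange step. `AuthServer`, its method names and the returned key string are hypothetical, and invalidating the code on a failed attempt is a design choice of this sketch.

```javascript
const crypto = require('node:crypto');

// RFC 7636: the verifier is 43-128 unreserved characters; 32 random bytes encode to 43.
function makeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// S256: challenge = BASE64URL(SHA-256(ASCII(verifier))), without padding.
function challengeFor(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Hypothetical in-memory stand-in for the authorization server (not OpenRouter's code).
class AuthServer {
  constructor() { this.pending = new Map(); }

  // Approval: bind a one-time code to the challenge that arrived with the redirect.
  approve(codeChallenge) {
    const code = crypto.randomBytes(16).toString('hex');
    this.pending.set(code, codeChallenge);
    return code;
  }

  // Exchange: the code is consumed on the first attempt, whether or not it succeeds.
  exchange(code, verifier) {
    const expected = this.pending.get(code);
    this.pending.delete(code);
    if (expected === undefined || typeof verifier !== 'string') return null;
    const got = Buffer.from(challengeFor(verifier));
    const want = Buffer.from(expected);
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
    return { key: 'sk-constructed-' + crypto.randomBytes(8).toString('hex') };
  }
}

// Four exchange attempts against the model server; returns what each one yields.
function demo() {
  const server = new AuthServer();
  const verifier = makeVerifier(); // never leaves the client application's server
  const challenge = challengeFor(verifier);
  const interceptedNoVerifier = server.exchange(server.approve(challenge), undefined);
  const interceptedGuess = server.exchange(server.approve(challenge), makeVerifier());
  const code = server.approve(challenge);
  const legitimate = server.exchange(code, verifier);
  const replayed = server.exchange(code, verifier);
  return { interceptedNoVerifier, interceptedGuess, legitimate, replayed };
}
```

Only the `legitimate` attempt returns a key; the two intercepted-code attempts and the replay of an already used code all return `null`.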
What You Unlock
Connecting OpenRouter gives you access to every model they support through Clarity's AI chat. The list below is illustrative, not exhaustive: OpenRouter's catalog changes frequently, so check their live model list for the latest availability. As of February 2026, the highlights include:
- Claude Sonnet — the same model family Clarity uses by default, but billed to your OpenRouter account instead
- Gemini 2.5 Pro — Google's latest, strong at data analysis and often cheaper than Claude or GPT
- DeepSeek R1 — open-source reasoning model that rivals GPT-4 at a fraction of the cost
- GPT-4o and GPT-4o Mini — OpenAI's models, accessible without a separate OpenAI key
When you connect your own key, you also bypass Clarity's daily message limits on the built-in model. Since you're paying the provider directly, there's no reason for us to cap usage.
The Disconnect Flow
Disconnecting is as deliberate as connecting. In Settings, the Connect button becomes a Disconnect button with a confirmation dialog. When you confirm:
- Your encrypted API key is deleted from Clarity's database
- Chat falls back to the default Claude Sonnet model with daily limits
- Your conversations are preserved — only the model routing changes
You can reconnect anytime. The OAuth flow takes five seconds, and you're back to 100+ models.
Security Details
We treat API keys as secrets equivalent to passwords. Here's how the OpenRouter key is handled at each step:
Security chain
Browser (no key) → HTTPS server exchange → authenticated encryption → database storage.
The secret never appears in the UI, clipboard, or URL.
In transit
Key moves from OpenRouter to Clarity over HTTPS and never passes through the browser.
At rest
Encrypted at rest with authenticated encryption; tampering is detected automatically.
In use
Decrypted in server memory only for outbound OpenRouter requests, then discarded.
PKCE verifier
Secure, short-lived, callback-scoped cookie — deleted on use.
Database writes
Atomic upsert prevents duplicate keys when Connect is clicked repeatedly and cleanly replaces existing credentials.
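What "tampering is detected automatically" means for the stored key, as an added example (not Clarity's code). The page names no cipher; AES-256-GCM, the record layout, the user-ID binding and the function names are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a deployment would load this from its KMS or secret store.
const MASTER_KEY = crypto.randomBytes(32);
const GCM = { authTagLength: 16 };

// Encrypt one provider key with AES-256-GCM (assumed cipher). The user ID is bound as
// associated data, so a record copied into another user's row fails to authenticate.
function sealKey(apiKey, userId, key = MASTER_KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, GCM);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  // Stored record layout: iv (12 bytes) || tag (16 bytes) || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a stored record, or return null when authentication fails.
function openKey(record, userId, key = MASTER_KEY) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < 28) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12), GCM);
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    // final() throws if the tag does not match the ciphertext, AAD and key.
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString('utf8');
  } catch {
    return null;
  }
}

// Flip one bit of the ciphertext, as a modified database row would look.
function flipLastBit(record) {
  const raw = Buffer.from(record, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}
```

A record altered by a single bit, read under a different user ID, or opened with a different key decrypts to `null` rather than to a corrupted key string.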
Why OpenRouter
Clarity already supports direct API keys for Anthropic and OpenAI. OpenRouter is different because it's a model aggregator — one account, one billing dashboard, and access to models from every major provider. For users who want to experiment with different models for financial queries, OpenRouter is the path of least resistance.
It's also the provider most likely to have the newest models first. When a new open-source model drops, OpenRouter typically adds it within days. With a direct Anthropic or OpenAI key, you're locked to that provider's models. With OpenRouter, you get everything.
What Didn't Change
A few things worth spelling out, because they haven't changed:
- Direct API keys still work. If you prefer to paste an Anthropic or OpenAI key manually, that flow is unchanged. OAuth is an OpenRouter-specific addition.
- The default model is still free. Claude Sonnet is included in your Clarity subscription. OpenRouter is for users who want more models, more control, or unlimited messages.
- Privacy model is unchanged. Your financial data is sent to whichever AI provider you select, processed to generate a response, and not used for training. BYOK gives you a direct relationship with the provider under your own API agreement.
- Conversations are still saved. Switching models or reconnecting doesn't affect your chat history.
Getting Started
- Go to Settings → AI & Models
- Click Connect next to OpenRouter
- Approve the connection on OpenRouter (create an account if you don't have one)
- You're redirected back to Clarity — OpenRouter shows as Connected
- Open the chat, pick any model from the dropdown, and start asking questions
Five seconds to connect. One hundred models to choose from. Your data, your model, your key.