Free · Supports third-party API gateway · Itemized evidence

LLM API Gateway Check

Worried about performance degradation, inconsistent model declarations, or unexplained routing changes in APIs such as Claude, GPT, DeepSeek, etc.? Enter the public HTTPS address, temporary API Key and model ID, and conduct risk screening through signals such as protocols, metadata, tokens, dynamic questions, SSE and tool calls.

Supports public HTTPS OpenAI Compatible API gateway API Key is not stored in the database or cached Itemized evidence, no official identity verification

First explain the detection boundary:Reports measure API compatibility, model declaration consistency, and behavioral sampling results. It can help discover obvious protocol deficiencies, routing differences, or capability anomalies, but it cannot prove the identity of the underlying model with just a black box test, nor does it belong to any model manufacturer certification.

MODEL CHECKCreate a test
edge execution
detection mode
Key is not written to the URL, database, cache, or reports; the server does not log the request body.

The inspection report will be generated here

The report explains why each check passed, failed, or remained inconclusive instead of showing an unexplained percentage.

Look at the risk signals first

One chat cannot prove capability degradation or model impersonation behind an API gateway

Whether an answer looks like a certain model can only be considered a weak signal. Even more valuable is cross-checking model declarations, protocol fields, billing data, and capability probes in the same report.

Route declaration is inconsistent

Requested model ID and response model If it continues to be different, it may be due to alias mapping, gateway rewriting, or actual routing changes. You need to verify with the service provider.

Token and metadata exceptions

usage Long-term missing, inconsistent Token arithmetic, or a large number of missing key fields in the response object indicate insufficient billing transparency or protocol compatibility.

Deterioration of key capabilities

Continuous failures in fixed instructions, random dynamic questions, SSE or tool calls may reflect capability degradation, compatibility layer defects or route drift in different time periods.

Behavioral results drift significantly

Sudden changes in the structure and ability performance of the same parameters in different periods are worthy of saving the report for repeated comparisons; style and cutoff cannot be used as true or false conclusions alone.

Don’t misjudge:/models Returning 401, 403, 429 or not public does not mean that the model is falsified; a single failure may also come from differences in gateway configuration, rate limiting, or model parameters. Judgment should be based on multiple pieces of evidence, multiple rounds of testing and real business question sets.

View the complete topic of model quality inspection and interpretation path
Three steps to complete the test

Do standard testing first, then look at each piece of evidence

It is recommended to use a temporary limit Key and detect it once at low peaks and once at peak times. When comparing multiple API gateways, please keep the model, parameters, and business question sets consistent.

  1. 01

    Fill in the public HTTPS address

    Fill in the Base URL to the version path, for example https://api.example.com/v1, do not append a specific API path.

  2. 02

    Use temporary quota API Key

    Fill in the exact model ID in the console and select "Standard" mode; detection incurs a small upstream request and token fee.

  3. 03

    Save report and repeat comparison

    Prioritize viewing response models, tokens, dynamic questions, SSE and tool call evidence. Overall score reflects compatibility and does not equal model authentication.

Detection method

Ten signal cross-checking model routing and capability anomalies

Structured protocol signals participate in compatibility scoring; style and knowledge boundaries only record observation results to avoid packaging weak evidence into model certification.

Authentication and Model List

Check Bearer Certification Status,/models Returns whether the structure and the selected model are visible; when the model list is limited, it is marked separately and does not directly determine fraud.

Protocol Compliance

Check the HTTP status, response JSON, and key fields of Chat Completions without mixing behavioral results into protocol points.

Instruction Following

The model is required to return the server-side random string as it is, independently marked with additional explanations, punctuation or format modifications, and not mixed with the protocol structure.

Metadata Fingerprint

Collect idobjectcreatedmodel, request ID, and optional system fingerprint.

Token Usage Fields

Verify whether the input, output, and total tokens are complete, non-negative, and arithmetic consistent, and provide token/character relative fingerprints.

Output Style Fingerprint

Fixed prompt words collect structural signals such as characters, paragraphs, titles, lists, and code fences, and are only for repeated detection and comparison.

Knowledge Cutoff Boundary

Acquisition model's structured self-report of the knowledge deadline; this result is a weak signal and does not participate in the compatibility score alone.

R1 Dynamic Challenge

The server randomly generates multi-step calculation parameters and nonce, accurately checks answers and random values, and reduces the impact of fixed question adaptation.

SSE Streaming Output

Verify text/event-stream, incremental events, end tags, output splicing, and streaming usage are recognized.

Tool Calls

Forcibly call a fixed function with JSON Schema to verify whether the tool name, parameter structure and random nonce are returned unchanged.

Disclosure basis

Why multi-dimensional intersection is necessary instead of just asking the model "who are you"

Model identity is a black-box inference problem. Publicly available research shows that multiple active probes and repeated sampling are required to establish comparable fingerprints; shadow APIs may also deviate from official APIs in capabilities, security behavior, and identity testing.

This site is independently implemented and has no affiliation with the author of the paper or other testing platforms. Quotes are only used to illustrate the boundaries of the method and do not represent the complete set of questions or accuracy of the reproduction paper.
How to read reports

A high score means more complete compatibility, but does not mean official certification.

85–100

Good Compatibility

Most of the protocol and capability probes in this test have passed, and business scenario testing can continue.

65–84

Partial Compatibility

The underlying call may work, but there are differences in streaming, tooling, usage, or model routing and should be viewed for evidence of failure.

0–64

Needs Investigation

There are obvious abnormalities in the authentication, protocol or key capabilities. It is not recommended to put it into production based on just one ordinary chat success.

Detection tools remain open

First detect the existing API gateway and then decide whether to migrate

This tool can detect third-party public API gateways that comply with the scope of the agreement, and does not only serve AIFast. If you still need backup lines or unified access to domestic and foreign models, you can check AIFast's models and prices after completing the comparison.

When choosing a service provider, you should also independently evaluate price, stability, after-sales, privacy terms, and production environment performance.

Model checking FAQ

First understand what the report can and cannot prove before deciding whether to join production.

Can this tool prove that the underlying model must be an official model?

No. Black-box API detection can only check whether the protocol, metadata, and model behavior match the declaration. API gateway can rewrite fields such as model, and there are also errors in behavioral questions, so the report is not equivalent to model manufacturer certification.

How can you detect model capability degradation behind an API gateway?

First, use the same model ID to repeatedly perform standard detection, compare fixed instructions, dynamic questions, tool calls, SSE, Token fields and response model declarations, and then supplement your own real business question set. If key capabilities continue to fail, results drift significantly, or performance changes during peak periods, it indicates there is a risk of capability degradation or routing change, but the cause cannot be determined based on a single round of results alone.

What signals may indicate model impersonation or substitution?

Continuous inconsistencies between request model and response model fields, a large number of missing key protocol fields, unavailability of tool calls or streaming output originally declared to support, and long-term deviations of dynamic question performance from known baselines are all worthy of further investigation. A single anomaly may come from a gateway compatibility issue, which must be judged based on multiple pieces of evidence and multiple rounds of results.

Can Claude, GPT, and DeepSeek API detect it?

The performance of these models can be tested on the public HTTPS OpenAI Chat Completions compatible portal, provided that the API gateway uses the Bearer API Key and the model can be called by the model ID. This tool detects compatible endpoints and does not necessarily cover the manufacturer's native Anthropic Messages, Gemini generateContent or OpenAI Responses API.

Why can't you just ask the model "who are you?"

The model readme is easily affected by system prompts, gateway rewriting, training data and role settings, and can also be rewritten uniformly by the API gateway. A more reliable screening method is to cross-check protocol metadata, tokens, random dynamic questions, streaming output, tool calls and multiple rounds of behavioral changes.

Will the API Key be saved?

No. The API Key is only used to access the transit address you filled in during this detection request, and is not written to the database, cache, page address or detection report. It is recommended to create a temporary key and revoke it after detection.

Why can I only fill in the HTTPS address?

The detection request contains the API Key. Allowing only public HTTPS addresses reduces the risk of keys being transmitted in the clear, accessing local or intranet services, and misuse of open proxies.

What API gateway protocols does this tool support?

Supports public HTTPS API gateway using Bearer API Key, providing OpenAI Chat Completions compatible API. Anthropic Messages, Gemini generateContent, OpenAI Responses API, and private custom protocols cannot directly use this set of fixed probes.

What is the difference between rapid testing and standard testing?

The quick detection is about 3 requests, mainly checking authentication, protocol, metadata, billing token fields and R1 dynamic questions; the standard detection is about 7 requests, and the output style, knowledge cutoff, SSE streaming output and tool invocation are added, which may generate more token fees.

Why are the prompts detected too frequently?

In order to prevent API abuse, the detection service will perform basic frequency and concurrency control: the same client usually initiates up to 6 rounds of detection every 10 minutes, and can run up to 2 rounds at the same time. This limit is enforced by edge nodes on a best-effort basis and may be temporarily tightened when busy. Please try again later.

Can the output style and knowledge cutoff directly determine the authenticity of the model?

No. The knowledge deadlines of single style samples and model self-reports are easily affected by system prompts, gateway rewrites and randomness, so they are only marked as observation signals and are not included in the comprehensive compatibility of the API. Reliable model fingerprinting requires a fixed question set, multiple rounds of sampling, and a known baseline.

Does passing the test mean that the production environment must be stable?

Doesn't mean. A single detection only reflects the current point in time. Production launch also requires continuous testing of latency, concurrency, rate limiting, error rates, timeouts, retries, routing changes, and billing consistency.