Privacy
Last reviewed May 2026. We aim to keep this short. If you find an inaccuracy, file an issue.
What TrueLLMs is
A static-ish Next.js app that runs an audit pipeline locally in your browser against an OpenAI-compatible API of your choice. There is no user account, no server-side database, and no audit history kept on our servers.
API keys
You paste an API key into the configuration form. Where the key goes depends on which run mode is selected:
- Direct mode. The key is held in the React store in your browser tab. Requests to the upstream API are made directly from your browser using fetch. The key never reaches truellms.com or any other server we control.
- Proxy mode. The key is sent to a same-origin Next.js route handler (/api/proxy), which uses it as the upstream Authorization header. The handler does not log the key, does not persist it, and treats it only as a pass-through value for that single request. We do not store request bodies. The handler does not follow upstream redirects, and it refuses to forward to private / loopback / cloud-metadata addresses.
We strongly recommend a non-production, scoped key for audits. Keys can be rotated trivially in any provider's console.
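The two network restrictions stated above for the proxy handler (no redirect following, no forwarding to private, loopback or cloud-metadata addresses) can be expressed as the destination check below. This is an added example, not TrueLLMs code: `checkUpstream`, `UPSTREAM_FETCH_OPTIONS`, the block lists and the https-only rule are all assumptions made for illustration.

```javascript
// Added example, not TrueLLMs code. All names here are hypothetical.
const BLOCKED_V4 = [ // [network, prefix length]; 169.254/16 covers cloud metadata
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const BLOCKED_NAMES = ["localhost", "metadata.google.internal"];
// Pass to fetch(): a 3xx is handed back instead of followed, so a redirect
// cannot move the request to an internal address after the check below.
const UPSTREAM_FETCH_OPTIONS = { redirect: "manual" };
const v4ToInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);

function v4Blocked(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expand a URL-normalised IPv6 literal (brackets removed) to eight groups.
function v6Groups(ip) {
  const [head, tail] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = ip.includes("::") ? Array(8 - h.length - t.length).fill("0") : [];
  return [...h, ...fill, ...t].map((g) => parseInt(g, 16));
}

function v6Blocked(ip) {
  const g = v6Groups(ip);
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) // IPv4-mapped
    return v4Blocked([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join("."));
  return false;
}

// Literal-address and name check only. A public name can still resolve to a
// private address, so the resolved IP needs the same test at connect time.
function checkUpstream(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" }; // assumption
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (BLOCKED_NAMES.includes(host) || host.endsWith(".localhost"))
    return { ok: false, reason: "internal name" };
  const bad = host.startsWith("[") ? v6Blocked(host.slice(1, -1))
    : /^\d+(\.\d+){3}$/.test(host) && v4Blocked(host);
  return bad ? { ok: false, reason: "private address" } : { ok: true, reason: "" };
}
```

Because `new URL()` normalises integer and hexadecimal IPv4 spellings to dotted-quad form before the range test runs, alternate encodings of a loopback or metadata address are rejected by the same table.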
Prompts and responses
- Direct mode: prompts and responses never leave your browser.
- Proxy mode: prompts transit the same-origin Next.js handler; we do not log or persist them. Responses are streamed back to your browser unchanged.
- The audit results, including derived statistics, are kept in your browser tab. They are erased when you reload the tab.
- The Export Report button generates a Markdown file client-side and downloads it directly from your browser. The file is never uploaded anywhere. There is no "share via URL" feature any more — the previous LZ-compressed share-URL was retired because the URLs grew long enough to be truncated by chat tools, and embedding audit content inside a link encouraged accidental disclosure. Use the Markdown export when you want to share results.
Analytics and cookies
In production we load Vercel Web Analytics, which records anonymised aggregate page views. It does not see the contents of any audit. There are no advertising cookies and no third-party trackers. We do not set any authentication cookies (there are no accounts).
Logs
The Vercel platform records standard HTTP request metadata (timestamp, method, path, response status) for the routes /api/og and /api/proxy. Request bodies are not recorded. Logs are retained according to Vercel's default retention.
Children
TrueLLMs is not intended for users under 13. We do not knowingly collect personal data from anyone.
Contact
For privacy questions, please open an issue on the project repository.