TokenMix Research Lab · 2026-07-15

Verify Your Claude API Is Real: 7 Tests to Catch Fake Relays

Verify Your Claude API Is Real: 7 Tests to Catch Fake Relays

Last Updated: 2026-07-15 Author: TokenMix Research Lab Data verified: 2026-07-15 — Anthropic pricing + extended-thinking docs (signature, tokenizer); veridrop/llm-verify open-source detectors; two 2026 arXiv shadow-API studies; OpenRouter usage split

You can prove whether a relay actually serves Claude, and the strongest test is not "ask the model who it is" — it is the encrypted signature on extended-thinking blocks, which Anthropic's servers sign and the API rejects if forged. Combine that with a tokenizer-count check (Opus 4.7+ and Sonnet 5 emit ~30% more tokens than older models for the same text) and a cache-billing audit, and a downgraded or reverse-proxied endpoint fails within minutes. No single probe is complete: a relay can proxy real Claude for your test and a cheap model for everything else, so randomize and combine.

Model substitution is a real fraud pattern, not a rumor. Shadow-API research in 2026 documents resellers advertising "Claude" or "GPT" while silently serving cheaper models behind a system prompt (arXiv, Real Money, Fake Models). The economic pull is obvious: official-forwarded Claude access costs several times more than reverse-engineered access, so a dishonest relay pockets the spread. This guide keeps every claim tagged with a confirmed / likely / speculation tier and separates what Anthropic documents from what the detection community infers.

Table of Contents

Quick Verdict

Test Reliability What it catches Tier
Thinking signature Highest Non-Claude model; stripped reasoning Confirmed (mechanism)
Tokenizer fingerprint High Wrong model generation; older-model swap Confirmed (official note)
Cache billing math High Faked usage numbers; no real caching Confirmed (official rates)
Long-context needle High Truncated context window Likely
Protocol / message_id shape Medium Non-native backend; OpenAI relay masquerading Likely
Capability probes (PDF, tool_use) Medium Downgraded model missing features Likely
Identity / knowledge probes Low alone Crude system-prompt spoofing Speculation (weak alone)
Any single test in isolation Incomplete Beaten by probe-only proxying Confirmed limitation

The order matters. Start with the cryptographic and arithmetic tests — they do not depend on the model's cooperation. Treat self-reported identity as the weakest signal, because a system prompt can make any model claim to be Claude.

Why Relays Swap Models: The Price Gap

The incentive to cheat scales with the price gap, and for Claude that gap is large. Reselling markets separate "official-forwarded" channels from "reverse-engineered" channels, and Chinese relay guides price the two roughly 5–6x apart — official-forwarded access around ¥0.85–1.5 per dollar of quota versus ¥0.1–0.3 for reverse channels (Help AIO relay guide). A reseller who bills you at premium rates but serves a cheap model keeps the difference on every token.

Access type Rough cost basis Capability risk
Official API / cloud-forwarded ¥0.85–1.5 per $ quota Full — real model, real features
Reverse-engineered channel ¥0.1–0.3 per $ quota Stripped tools, thinking, PDFs; downgrade risk
Silent substitution (fraud) Seller cost near zero You pay premium, receive a cheaper model

Demand makes the target rich. Coding and technical work is now the largest usage category on OpenRouter at roughly 39% of tokens, ahead of roleplay at about 33%, and Chinese-origin models supply more than 45% of traffic (OpenRouter State of AI). A cheap, capable substitute is always available — which is exactly why verification matters when you route production coding traffic through a third party. If you run agentic coding, our note on verifying the live route before production covers the same silent-substitution risk from the gateway side.

Test 1: Thinking Signature (Strongest)

The strongest authenticity proof is cryptographic, not behavioral. When extended thinking is enabled, Claude returns each reasoning block with an encrypted signature field, and Anthropic documents it plainly: the field "is used to verify that thinking blocks were generated by Claude," it "is an opaque field and should not be interpreted or parsed," and it "exists solely for verification purposes" (Anthropic extended-thinking docs). If a thinking block is modified, the API returns a 400 invalid_request_error stating the blocks "cannot be modified."

Property Detail Tier
Field signature on each thinking content block Confirmed
Length ~500–2,000 characters; longer on Claude 4.x Confirmed
Forgeable by relay No — signed server-side, opaque Confirmed
Tamper response 400 error on modified blocks Confirmed
Cross-platform Compatible across Claude API, Bedrock, Vertex Confirmed

How to use it: send a request with extended thinking on, then check that you receive a well-formed signature of the expected length, and — the decisive step — echo the thinking block back in a follow-up turn. A real Claude endpoint accepts it; a relay serving a non-Claude model cannot produce a signature the API will validate, and a relay that strips reasoning cannot return one at all. Open-source detector veridrop weights this probe at about a quarter of its Claude authenticity score for this reason (veridrop). Treat a missing or malformed signature as a red flag — behavioral, not merely stylistic.

Test 2: Tokenizer Fingerprint

A model swap changes the token math, and Anthropic's own pricing note hands you the ruler. Claude Opus 4.7 and later Opus models, Claude Sonnet 5, Fable 5, and Mythos 5 "use a newer tokenizer" that "produces approximately 30% more tokens for the same text," while Claude Sonnet 4.6 and earlier models use the previous tokenizer (Anthropic pricing). That means the usage.input_tokens a genuine endpoint reports for a fixed prompt differs measurably between tokenizer generations.

Model class Tokenizer Relative token count (same text) Tier
Opus 4.7 / 4.8, Sonnet 5, Fable 5, Mythos 5 New ~1.30x baseline Confirmed
Sonnet 4.6, Opus 4.6 and earlier Previous ~1.00x baseline Confirmed
Non-Claude substitute Foreign tokenizer Arbitrary, usually off both Likely

How to use it: send a fixed, known block of text and read back usage.input_tokens. If a relay sells you "Opus 4.8" but the reported count matches the old tokenizer — or a wholly different tokenizer's math — the model underneath is not what you paid for. This test needs no model cooperation; it reads a billing field the relay has to expose. Pair it with the price you are charged: paying Opus rates for old-tokenizer counts is a direct contradiction.

Test 3: Cache Billing Math

Prompt-cache economics are fixed by Anthropic, so faked usage numbers stop adding up. The documented multipliers relative to base input price are: cache read (hit) at 0.1x, 5-minute cache write at 1.25x, and 1-hour cache write at 2x (Anthropic pricing). A genuine endpoint that supports caching will report cache_read_input_tokens and cache_creation_input_tokens that move consistently with these rules across repeated identical requests.

Cache operation Multiplier vs base input What a fake often gets wrong Tier
Cache read (hit) 0.1x Returns no cache fields, or static zeros Confirmed
5-minute cache write 1.25x Write/read ratio impossible under real rates Confirmed
1-hour cache write 2x Bill does not fall on repeat prompts Confirmed

How to use it: send the same large prompt twice within the cache window and inspect the usage object. A real Claude backend shows a cache write on the first call and a cheap cache read on the second; a relay faking the model frequently cannot reproduce the field structure or the arithmetic, and simply bills full input both times. For the per-model dollar figures behind this math, see our Claude Code pricing breakdown.

Test 4: Identity and Knowledge Probes

Behavioral probes are useful as corroboration but weak on their own, because a system prompt can coach any model to claim it is Claude. The forensic approach is consistency, not a single question: ask the model to identify itself several different ways and look for contradictions, then probe Anthropic-specific depth. Open-source detector llm-verify ships 32 forensic prompts built on exactly this principle — a real model answers consistently while a masquerading one contradicts itself (llm-verify).

Probe Real Claude pattern Fake pattern Tier
Repeated identity ask (10 phrasings) Stable, consistent Drifts or contradicts Likely
Constitutional AI depth Detailed, first-hand framing Shallow or generic Speculation
Refusal-style fingerprint Characteristic Anthropic phrasing Off-distribution Speculation

Use these to raise or lower confidence, never to conclude alone. A relay that pipes real Claude only for identity-shaped requests will pass every one of these while still cheating on your real traffic — which is why Test 1 through Test 3 carry the weight.

Test 5: Protocol and Message-ID Shape

Native Claude responses have a structural fingerprint that OpenAI-compatible relays often fail to reproduce. Genuine Anthropic Messages API responses carry specific field shapes, content-block types, streaming (SSE) event sequences, error-object formats, and message id prefixes. Detectors probe all of these; veridrop's Claude suite alone runs message-id prefix checks, protocol/SSE-sequence validation, and stream-vs-non-stream integrity comparison (veridrop).

Signal Native Claude Common relay tell Tier
Message id prefix Anthropic-native prefix Wrong or synthetic prefix Likely
SSE event order Documented sequence Reordered or missing events Likely
Error object shape Anthropic format OpenAI-style error leaking through Likely
Stream vs non-stream Consistent content Diverges between modes Likely

How to use it: run the same request streamed and non-streamed and compare. A relay that wraps an OpenAI backend to imitate Claude tends to leak the wrong error schema or an inconsistent event sequence under this pressure.

Test 6: Long-Context Needle Test

A relay can advertise a 1M-token window and quietly truncate it, so test the window you paid for. Anthropic ships the full 1M-token context at standard pricing on Opus 4.7/4.8, Sonnet 5, Sonnet 4.6, and the Fable/Mythos line (Anthropic pricing). A needle-in-a-haystack probe — plant a unique fact deep inside a long document and ask for it — verifies the context is genuinely processed rather than clipped.

Depth tier Prompt size What failure reveals Tier
Standard 32k → 100k → 200k Silent truncation at a low ceiling Likely
Extreme up to model max (e.g. 950k) 1M claim is marketing, not real Likely

How to use it: place the needle at varying depths, including near the far end of the advertised window. A downgraded backend or a truncating relay misses the deep needle while passing the shallow one.

Test 7: Capability and Latency Probes

Downgraded models betray themselves on features and timing. Real Claude endpoints handle base64 PDF extraction, structured tool_use with schema adherence, and multi-modal inputs; a cheaper substitute often cannot, or does so incorrectly. Latency adds a softer signal — a model much faster or slower than Claude's known profile for a given output length is worth flagging, though latency alone is noisy.

Probe Expected on real Claude Downgrade tell Tier
Base64 PDF extraction Accurate Fails or hallucinates Likely
tool_use schema adherence Valid structured call Malformed or ignored schema Likely
Vision / multimodal Handled Rejected or wrong Likely
Output latency profile Within Claude's band Far outside for token count Speculation

Use capability probes as pass/fail evidence and latency only as a tiebreaker.

Detection Tools Compared

You do not have to build probes by hand — several open tools automate the battery, and running one costs pennies against a monthly bill in the tens to low hundreds of dollars. The table below reflects each project's own documentation.

Tool Coverage Notable feature License Tier
veridrop Claude / OpenAI / Gemini, 27 checks Thinking-signature probe; 4-level verdict AGPL-3.0 Confirmed (repo)
llm-verify Model identity 32 forensic prompts, consistency scoring Open source Confirmed (repo)
cctest.ai Claude relays Hosted downgrade/authenticity check Hosted Likely
apiranking.com Claude / multi "Test with your own key" flow Hosted Likely

For a first pass, a self-hosted, auditable tool you can read end-to-end is the safest choice, because a hosted checker is itself a third party. Whatever you run, verify against your own key and your own traffic shape — not a vendor's demo.

What These Tests Do NOT Tell You

No probe battery is a guarantee, and honest verification means saying where it breaks:

Treat verification as continuous monitoring, not a one-off certificate.

The Cost of Being Fooled

The math explains why fraud persists and why a two-cent test pays for itself. Suppose you route 10M output tokens a month believing you buy Claude Opus 4.8 at its documented $25 per million output tokens — a $250 line item. A reseller silently serving a budget substitute might carry a true output cost closer to Sonnet-class $10–15 per million, or a low-cost Chinese model well under $1 per million, keeping most of your payment as margin while degrading your results. Even against honest Sonnet 4.6 at $15 per million, paying Opus rates for a Sonnet-grade model overpays by roughly $100 on that 10M-token month. These figures are capacity math from confirmed public rates, not a specific provider's bill.

Item Rate (per 1M output tokens) 10M-token month Tier
Paid for: Opus 4.8 $25 $250 Confirmed
Actually served: Sonnet 4.6 $15 $150 Confirmed
Actually served: budget substitute <$1 <$10 Likely
Detection run (full mode) ~$0.02 Likely

A verification pass costs a rounding error against that exposure. The rational policy is to test before you commit volume, and re-test on a cadence.

Final Recommendation

Verify with cryptography and arithmetic first, behavior second, and never trust a single pass. Lead with the thinking-signature check, the tokenizer-count check, and the cache-billing audit — three tests a fraudulent relay cannot talk its way past — then corroborate with identity, protocol, long-context, and capability probes. Randomize your prompts, blend them into real traffic, and re-run on a schedule, because a channel that passes today can be swapped tomorrow. The right vendor makes this easy: it exposes real usage fields, passes signature echo-back, and does not flinch at your probes. TokenMix routes Claude and other models through published, verifiable per-token rates for exactly this reason — an honest relay wants you to check.

FAQ

Can a relay fake the Claude thinking signature?

No. The signature on extended-thinking blocks is signed server-side by Anthropic, is opaque, and the API returns a 400 error if the block is modified. A relay not proxying real Claude cannot generate one the API will validate, which is why it is the strongest single test.

Is asking the model "are you Claude?" enough?

No. A system prompt can make any model claim to be Claude. Identity questions only help when asked many ways and cross-checked for contradictions, and even then they are corroboration — not proof. Weight the signature, tokenizer, and cache tests far higher.

How does a tokenizer check reveal a model swap?

Opus 4.7 and later, plus Sonnet 5, use a newer tokenizer that produces about 30% more tokens for the same text than Sonnet 4.6 and earlier. Send a fixed prompt and read usage.input_tokens; a count matching the wrong tokenizer generation contradicts the model you were sold.

What is silent model substitution?

It is when a reseller advertises a premium model like Claude but serves a cheaper model behind the scenes, often masked by a system prompt. 2026 shadow-API research documents the pattern, and the price gap between official and reverse channels is the incentive.

Do these tests work for GPT and Gemini too?

Partly. Identity, protocol, structured-output, long-context, and token-billing probes generalize across providers, and tools like veridrop cover OpenAI and Gemini formats. The cryptographic thinking-signature test is Claude-specific.

How often should I re-verify a relay?

On a schedule, not once. A relay can pass on the day you test and swap channels afterward. Blend randomized probes into normal traffic and re-run periodically, since a one-time certificate proves nothing about tomorrow.

Can a relay pass detection and still cheat?

Yes. A sophisticated relay can route test-shaped requests to real Claude while serving a cheap model to ordinary traffic. Randomization and mixing probes into real workloads reduce this, but no black-box test is a full guarantee.

Are cheap relays always fake?

No. A low price can reflect a legitimate margin, cloud credits, or reverse-engineered-but-real forwarding with stripped features. Low price is a reason to verify, not proof of fraud. Test the model identity, capabilities, and billing fields rather than judging by price alone.

About TokenMix

TokenMix.ai is an AI API relay that routes Claude, OpenAI, Gemini, DeepSeek, Qwen, and other large language models through a single OpenAI-compatible endpoint at https://api.tokenmix.ai/v1. Current model availability and per-token rates are listed on the pricing page and the model catalog. Integration uses the standard OpenAI SDK; details in the OpenAI compatibility reference.

Sources

Related Articles