TokenMix Research Lab · 2026-07-15

Verify Your Claude API Is Real: 7 Tests to Catch Fake Relays
Last Updated: 2026-07-15 Author: TokenMix Research Lab Data verified: 2026-07-15 — Anthropic pricing + extended-thinking docs (signature, tokenizer); veridrop/llm-verify open-source detectors; two 2026 arXiv shadow-API studies; OpenRouter usage split
You can prove whether a relay actually serves Claude, and the strongest test is not "ask the model who it is" — it is the encrypted signature on extended-thinking blocks, which Anthropic's servers sign and the API rejects if forged. Combine that with a tokenizer-count check (Opus 4.7+ and Sonnet 5 emit ~30% more tokens than older models for the same text) and a cache-billing audit, and a downgraded or reverse-proxied endpoint fails within minutes. No single probe is complete: a relay can proxy real Claude for your test and a cheap model for everything else, so randomize and combine.
Model substitution is a real fraud pattern, not a rumor. Shadow-API research in 2026 documents resellers advertising "Claude" or "GPT" while silently serving cheaper models behind a system prompt (arXiv, Real Money, Fake Models). The economic pull is obvious: official-forwarded Claude access costs several times more than reverse-engineered access, so a dishonest relay pockets the spread. This guide keeps every claim tagged with a confirmed / likely / speculation tier and separates what Anthropic documents from what the detection community infers.
Table of Contents
- Quick Verdict
- Why Relays Swap Models: The Price Gap
- Test 1: Thinking Signature (Strongest)
- Test 2: Tokenizer Fingerprint
- Test 3: Cache Billing Math
- Test 4: Identity and Knowledge Probes
- Test 5: Protocol and Message-ID Shape
- Test 6: Long-Context Needle Test
- Test 7: Capability and Latency Probes
- Detection Tools Compared
- What These Tests Do NOT Tell You
- The Cost of Being Fooled
- Final Recommendation
- FAQ
Quick Verdict
| Test | Reliability | What it catches | Tier |
|---|---|---|---|
| Thinking signature | Highest | Non-Claude model; stripped reasoning | Confirmed (mechanism) |
| Tokenizer fingerprint | High | Wrong model generation; older-model swap | Confirmed (official note) |
| Cache billing math | High | Faked usage numbers; no real caching |
Confirmed (official rates) |
| Long-context needle | High | Truncated context window | Likely |
| Protocol / message_id shape | Medium | Non-native backend; OpenAI relay masquerading | Likely |
| Capability probes (PDF, tool_use) | Medium | Downgraded model missing features | Likely |
| Identity / knowledge probes | Low alone | Crude system-prompt spoofing | Speculation (weak alone) |
| Any single test in isolation | Incomplete | Beaten by probe-only proxying | Confirmed limitation |
The order matters. Start with the cryptographic and arithmetic tests — they do not depend on the model's cooperation. Treat self-reported identity as the weakest signal, because a system prompt can make any model claim to be Claude.
Why Relays Swap Models: The Price Gap
The incentive to cheat scales with the price gap, and for Claude that gap is large. Reselling markets separate "official-forwarded" channels from "reverse-engineered" channels, and Chinese relay guides price the two roughly 5–6x apart — official-forwarded access around ¥0.85–1.5 per dollar of quota versus ¥0.1–0.3 for reverse channels (Help AIO relay guide). A reseller who bills you at premium rates but serves a cheap model keeps the difference on every token.
| Access type | Rough cost basis | Capability risk |
|---|---|---|
| Official API / cloud-forwarded | ¥0.85–1.5 per $ quota | Full — real model, real features |
| Reverse-engineered channel | ¥0.1–0.3 per $ quota | Stripped tools, thinking, PDFs; downgrade risk |
| Silent substitution (fraud) | Seller cost near zero | You pay premium, receive a cheaper model |
Demand makes the target rich. Coding and technical work is now the largest usage category on OpenRouter at roughly 39% of tokens, ahead of roleplay at about 33%, and Chinese-origin models supply more than 45% of traffic (OpenRouter State of AI). A cheap, capable substitute is always available — which is exactly why verification matters when you route production coding traffic through a third party. If you run agentic coding, our note on verifying the live route before production covers the same silent-substitution risk from the gateway side.
Test 1: Thinking Signature (Strongest)
The strongest authenticity proof is cryptographic, not behavioral. When extended thinking is enabled, Claude returns each reasoning block with an encrypted signature field, and Anthropic documents it plainly: the field "is used to verify that thinking blocks were generated by Claude," it "is an opaque field and should not be interpreted or parsed," and it "exists solely for verification purposes" (Anthropic extended-thinking docs). If a thinking block is modified, the API returns a 400 invalid_request_error stating the blocks "cannot be modified."
| Property | Detail | Tier |
|---|---|---|
| Field | signature on each thinking content block |
Confirmed |
| Length | ~500–2,000 characters; longer on Claude 4.x | Confirmed |
| Forgeable by relay | No — signed server-side, opaque | Confirmed |
| Tamper response | 400 error on modified blocks |
Confirmed |
| Cross-platform | Compatible across Claude API, Bedrock, Vertex | Confirmed |
How to use it: send a request with extended thinking on, then check that you receive a well-formed signature of the expected length, and — the decisive step — echo the thinking block back in a follow-up turn. A real Claude endpoint accepts it; a relay serving a non-Claude model cannot produce a signature the API will validate, and a relay that strips reasoning cannot return one at all. Open-source detector veridrop weights this probe at about a quarter of its Claude authenticity score for this reason (veridrop). Treat a missing or malformed signature as a red flag — behavioral, not merely stylistic.
Test 2: Tokenizer Fingerprint
A model swap changes the token math, and Anthropic's own pricing note hands you the ruler. Claude Opus 4.7 and later Opus models, Claude Sonnet 5, Fable 5, and Mythos 5 "use a newer tokenizer" that "produces approximately 30% more tokens for the same text," while Claude Sonnet 4.6 and earlier models use the previous tokenizer (Anthropic pricing). That means the usage.input_tokens a genuine endpoint reports for a fixed prompt differs measurably between tokenizer generations.
| Model class | Tokenizer | Relative token count (same text) | Tier |
|---|---|---|---|
| Opus 4.7 / 4.8, Sonnet 5, Fable 5, Mythos 5 | New | ~1.30x baseline | Confirmed |
| Sonnet 4.6, Opus 4.6 and earlier | Previous | ~1.00x baseline | Confirmed |
| Non-Claude substitute | Foreign tokenizer | Arbitrary, usually off both | Likely |
How to use it: send a fixed, known block of text and read back usage.input_tokens. If a relay sells you "Opus 4.8" but the reported count matches the old tokenizer — or a wholly different tokenizer's math — the model underneath is not what you paid for. This test needs no model cooperation; it reads a billing field the relay has to expose. Pair it with the price you are charged: paying Opus rates for old-tokenizer counts is a direct contradiction.
Test 3: Cache Billing Math
Prompt-cache economics are fixed by Anthropic, so faked usage numbers stop adding up. The documented multipliers relative to base input price are: cache read (hit) at 0.1x, 5-minute cache write at 1.25x, and 1-hour cache write at 2x (Anthropic pricing). A genuine endpoint that supports caching will report cache_read_input_tokens and cache_creation_input_tokens that move consistently with these rules across repeated identical requests.
| Cache operation | Multiplier vs base input | What a fake often gets wrong | Tier |
|---|---|---|---|
| Cache read (hit) | 0.1x | Returns no cache fields, or static zeros | Confirmed |
| 5-minute cache write | 1.25x | Write/read ratio impossible under real rates | Confirmed |
| 1-hour cache write | 2x | Bill does not fall on repeat prompts | Confirmed |
How to use it: send the same large prompt twice within the cache window and inspect the usage object. A real Claude backend shows a cache write on the first call and a cheap cache read on the second; a relay faking the model frequently cannot reproduce the field structure or the arithmetic, and simply bills full input both times. For the per-model dollar figures behind this math, see our Claude Code pricing breakdown.
Test 4: Identity and Knowledge Probes
Behavioral probes are useful as corroboration but weak on their own, because a system prompt can coach any model to claim it is Claude. The forensic approach is consistency, not a single question: ask the model to identify itself several different ways and look for contradictions, then probe Anthropic-specific depth. Open-source detector llm-verify ships 32 forensic prompts built on exactly this principle — a real model answers consistently while a masquerading one contradicts itself (llm-verify).
| Probe | Real Claude pattern | Fake pattern | Tier |
|---|---|---|---|
| Repeated identity ask (10 phrasings) | Stable, consistent | Drifts or contradicts | Likely |
| Constitutional AI depth | Detailed, first-hand framing | Shallow or generic | Speculation |
| Refusal-style fingerprint | Characteristic Anthropic phrasing | Off-distribution | Speculation |
Use these to raise or lower confidence, never to conclude alone. A relay that pipes real Claude only for identity-shaped requests will pass every one of these while still cheating on your real traffic — which is why Test 1 through Test 3 carry the weight.
Test 5: Protocol and Message-ID Shape
Native Claude responses have a structural fingerprint that OpenAI-compatible relays often fail to reproduce. Genuine Anthropic Messages API responses carry specific field shapes, content-block types, streaming (SSE) event sequences, error-object formats, and message id prefixes. Detectors probe all of these; veridrop's Claude suite alone runs message-id prefix checks, protocol/SSE-sequence validation, and stream-vs-non-stream integrity comparison (veridrop).
| Signal | Native Claude | Common relay tell | Tier |
|---|---|---|---|
Message id prefix |
Anthropic-native prefix | Wrong or synthetic prefix | Likely |
| SSE event order | Documented sequence | Reordered or missing events | Likely |
| Error object shape | Anthropic format | OpenAI-style error leaking through | Likely |
| Stream vs non-stream | Consistent content | Diverges between modes | Likely |
How to use it: run the same request streamed and non-streamed and compare. A relay that wraps an OpenAI backend to imitate Claude tends to leak the wrong error schema or an inconsistent event sequence under this pressure.
Test 6: Long-Context Needle Test
A relay can advertise a 1M-token window and quietly truncate it, so test the window you paid for. Anthropic ships the full 1M-token context at standard pricing on Opus 4.7/4.8, Sonnet 5, Sonnet 4.6, and the Fable/Mythos line (Anthropic pricing). A needle-in-a-haystack probe — plant a unique fact deep inside a long document and ask for it — verifies the context is genuinely processed rather than clipped.
| Depth tier | Prompt size | What failure reveals | Tier |
|---|---|---|---|
| Standard | 32k → 100k → 200k | Silent truncation at a low ceiling | Likely |
| Extreme | up to model max (e.g. 950k) | 1M claim is marketing, not real | Likely |
How to use it: place the needle at varying depths, including near the far end of the advertised window. A downgraded backend or a truncating relay misses the deep needle while passing the shallow one.
Test 7: Capability and Latency Probes
Downgraded models betray themselves on features and timing. Real Claude endpoints handle base64 PDF extraction, structured tool_use with schema adherence, and multi-modal inputs; a cheaper substitute often cannot, or does so incorrectly. Latency adds a softer signal — a model much faster or slower than Claude's known profile for a given output length is worth flagging, though latency alone is noisy.
| Probe | Expected on real Claude | Downgrade tell | Tier |
|---|---|---|---|
| Base64 PDF extraction | Accurate | Fails or hallucinates | Likely |
tool_use schema adherence |
Valid structured call | Malformed or ignored schema | Likely |
| Vision / multimodal | Handled | Rejected or wrong | Likely |
| Output latency profile | Within Claude's band | Far outside for token count | Speculation |
Use capability probes as pass/fail evidence and latency only as a tiebreaker.
Detection Tools Compared
You do not have to build probes by hand — several open tools automate the battery, and running one costs pennies against a monthly bill in the tens to low hundreds of dollars. The table below reflects each project's own documentation.
| Tool | Coverage | Notable feature | License | Tier |
|---|---|---|---|---|
| veridrop | Claude / OpenAI / Gemini, 27 checks | Thinking-signature probe; 4-level verdict | AGPL-3.0 | Confirmed (repo) |
| llm-verify | Model identity | 32 forensic prompts, consistency scoring | Open source | Confirmed (repo) |
| cctest.ai | Claude relays | Hosted downgrade/authenticity check | Hosted | Likely |
| apiranking.com | Claude / multi | "Test with your own key" flow | Hosted | Likely |
For a first pass, a self-hosted, auditable tool you can read end-to-end is the safest choice, because a hosted checker is itself a third party. Whatever you run, verify against your own key and your own traffic shape — not a vendor's demo.
What These Tests Do NOT Tell You
No probe battery is a guarantee, and honest verification means saying where it breaks:
- Probe-only proxying defeats behavioral tests. A relay can detect test-shaped requests and forward them to real Claude while serving a cheap model to normal traffic. 2026 research demonstrates fingerprint-spoofing against inference services (arXiv, Fingerprint Spoofing Risks). Randomize prompts and blend probes into real workloads.
- A one-time pass is not a standing guarantee. Channels can be swapped after you test. Re-run on a schedule.
- Self-reported identity proves little. Treat Test 4 as corroboration only.
- A green result is authenticity, not quality or uptime. A real-Claude relay can still be slow, rate-limited, or unstable.
Treat verification as continuous monitoring, not a one-off certificate.
The Cost of Being Fooled
The math explains why fraud persists and why a two-cent test pays for itself. Suppose you route 10M output tokens a month believing you buy Claude Opus 4.8 at its documented $25 per million output tokens — a $250 line item. A reseller silently serving a budget substitute might carry a true output cost closer to Sonnet-class $10–15 per million, or a low-cost Chinese model well under $1 per million, keeping most of your payment as margin while degrading your results. Even against honest Sonnet 4.6 at $15 per million, paying Opus rates for a Sonnet-grade model overpays by roughly $100 on that 10M-token month. These figures are capacity math from confirmed public rates, not a specific provider's bill.
| Item | Rate (per 1M output tokens) | 10M-token month | Tier |
|---|---|---|---|
| Paid for: Opus 4.8 | $25 | $250 | Confirmed |
| Actually served: Sonnet 4.6 | $15 | $150 | Confirmed |
| Actually served: budget substitute | <$1 | <$10 | Likely |
| Detection run (full mode) | — | ~$0.02 | Likely |
A verification pass costs a rounding error against that exposure. The rational policy is to test before you commit volume, and re-test on a cadence.
Final Recommendation
Verify with cryptography and arithmetic first, behavior second, and never trust a single pass. Lead with the thinking-signature check, the tokenizer-count check, and the cache-billing audit — three tests a fraudulent relay cannot talk its way past — then corroborate with identity, protocol, long-context, and capability probes. Randomize your prompts, blend them into real traffic, and re-run on a schedule, because a channel that passes today can be swapped tomorrow. The right vendor makes this easy: it exposes real usage fields, passes signature echo-back, and does not flinch at your probes. TokenMix routes Claude and other models through published, verifiable per-token rates for exactly this reason — an honest relay wants you to check.
FAQ
Can a relay fake the Claude thinking signature?
No. The signature on extended-thinking blocks is signed server-side by Anthropic, is opaque, and the API returns a 400 error if the block is modified. A relay not proxying real Claude cannot generate one the API will validate, which is why it is the strongest single test.
Is asking the model "are you Claude?" enough?
No. A system prompt can make any model claim to be Claude. Identity questions only help when asked many ways and cross-checked for contradictions, and even then they are corroboration — not proof. Weight the signature, tokenizer, and cache tests far higher.
How does a tokenizer check reveal a model swap?
Opus 4.7 and later, plus Sonnet 5, use a newer tokenizer that produces about 30% more tokens for the same text than Sonnet 4.6 and earlier. Send a fixed prompt and read usage.input_tokens; a count matching the wrong tokenizer generation contradicts the model you were sold.
What is silent model substitution?
It is when a reseller advertises a premium model like Claude but serves a cheaper model behind the scenes, often masked by a system prompt. 2026 shadow-API research documents the pattern, and the price gap between official and reverse channels is the incentive.
Do these tests work for GPT and Gemini too?
Partly. Identity, protocol, structured-output, long-context, and token-billing probes generalize across providers, and tools like veridrop cover OpenAI and Gemini formats. The cryptographic thinking-signature test is Claude-specific.
How often should I re-verify a relay?
On a schedule, not once. A relay can pass on the day you test and swap channels afterward. Blend randomized probes into normal traffic and re-run periodically, since a one-time certificate proves nothing about tomorrow.
Can a relay pass detection and still cheat?
Yes. A sophisticated relay can route test-shaped requests to real Claude while serving a cheap model to ordinary traffic. Randomization and mixing probes into real workloads reduce this, but no black-box test is a full guarantee.
Are cheap relays always fake?
No. A low price can reflect a legitimate margin, cloud credits, or reverse-engineered-but-real forwarding with stripped features. Low price is a reason to verify, not proof of fraud. Test the model identity, capabilities, and billing fields rather than judging by price alone.
About TokenMix
TokenMix.ai is an AI API relay that routes Claude, OpenAI, Gemini, DeepSeek, Qwen, and other large language models through a single OpenAI-compatible endpoint at https://api.tokenmix.ai/v1. Current model availability and per-token rates are listed on the pricing page and the model catalog. Integration uses the standard OpenAI SDK; details in the OpenAI compatibility reference.
Sources
- Anthropic — Extended thinking - official source for the
signaturefield, its verification purpose, and the 400-on-modification behavior - Anthropic — Pricing - official source for the ~30% tokenizer note, cache multipliers (0.1x / 1.25x / 2x), and per-model rates
- AWS — Claude thinking encryption on Bedrock - confirms encrypted-reasoning and cross-platform signature compatibility
- veridrop (canarybyte) - open-source relay detector; source for the probe battery and thinking-signature weighting
- llm-verify (mintesnot-teshome) - open-source identity checker; source for the 32-forensic-prompt consistency method
- arXiv — Real Money, Fake Models: Deceptive Model Claims in Shadow APIs - documents the substitution fraud pattern
- arXiv — Fingerprint Spoofing Risks in LLM Inference Services - source for the probe-only proxying / detection-evasion limitation
- OpenRouter — State of AI - source for the coding 39% / roleplay 33% usage split and Chinese-model share
Related Articles
- Claude CLI Pricing 2026: Code Limits, /usage, API Cost Math
- TokenMix Adds GPT-5.6 API 2026: Sol, Terra, Luna Access
- Choosing GPT-5.6 Agent-Coding Models: Compare Effort, Not Just Model Names
- Grok 4.5 Review: $2/$6 API Pricing, 500K Context, Benchmarks
- 15 Best Free LLM APIs 2026: Tested Limits, No Credit Card