Platform

Provider API keys

Store provider credentials encrypted at rest. Keys are never returned in full after save — only a short hint is shown in the UI.

Requirements

Set API_KEY_ENCRYPTION_SECRET (16+ characters) in your environment. Without it, saving secrets returns an error.

API

List

GET /api/providers
Cookie: (session)

Create

POST /api/providers
Content-Type: application/json

{
  "providerId": "openai",
  "displayName": "Production",
  "secret": "sk-..."
}

Update

PATCH /api/providers/{id}
Content-Type: application/json

{
  "displayName": "Staging",
  "secret": "sk-new..."
}

Delete

DELETE /api/providers/{id}

For production, prefer billing-scoped or read-only keys where providers offer them, instead of full inference keys, when you only need cost reporting.