OpenShellAI agents typically need credentials to access external services: an API key for the AI model provider, a token for GitHub or GitLab, and so on. OpenShell manages these credentials as first-class entities called providers.
Create and manage providers that supply credentials to sandboxes.
Providers v2 is available for profile-backed provider policy, provider-owned network rules, and gateway-managed credential refresh. This page remains the credential-focused provider command reference. For the new workflow, see Providers v2.
Provider profiles include metadata for known endpoints and binaries. View the available profiles before creating a provider:
Providers can be created from local environment variables or with explicit credential values.
The fastest way to create a provider is to let the CLI discover credentials from your shell environment:
This reads ANTHROPIC_API_KEY or CLAUDE_API_KEY from your current environment
and stores them in the provider.
Supply a credential value directly:
Pass a key name without a value to read the value from the environment variable of that name:
This looks up the current value of $API_KEY in your shell and stores it.
Provider profile metadata is available for known provider types. Provider profile network policy is gateway opt-in:
Without providers_v2_enabled=true, provider behavior remains credential-only.
List, inspect, update, and delete providers from the active gateway.
List all providers:
Inspect a provider:
Update a provider’s credentials:
Set or clear a credential expiry timestamp:
Use 0 as the timestamp to clear expiry for a credential key.
Provider refresh stores non-injectable refresh material separately from the provider’s current credential values. The gateway can mint OAuth2 client credentials tokens and Google service account JWT tokens, then write the current access token back to the provider record for sandbox injection.
Configure refresh metadata for one injectable credential key:
Check refresh status:
Delete refresh metadata for a credential:
Force a gateway-managed refresh for one credential:
External refresh systems should continue to push new current credentials through
openshell provider update. The --credential-expires-at option works for
static credentials, externally refreshed credentials, and gateway-managed
refresh strategies.
Delete a provider:
Pass one or more --provider flags when creating a sandbox:
Each --provider flag attaches one provider. The sandbox receives all
credentials from every attached provider at runtime. Profile-managed providers
also contribute provider-generated network policy entries when
providers_v2_enabled is enabled at the gateway. When the setting is disabled,
providers keep the previous behavior and only provide credentials.
Providers cannot be added to a running sandbox. If you need to attach an additional provider, delete the sandbox and recreate it with all required providers specified.
When the trailing command in openshell sandbox create is a recognized tool name (claude, codex, or opencode), the CLI auto-creates the required
provider from your local credentials if one does not already exist. You do not
need to create the provider separately:
This detects claude as a known tool, finds your ANTHROPIC_API_KEY, creates
a provider, attaches it to the sandbox, and launches Claude Code.
The agent process inside the sandbox never sees real credential values. At startup, the proxy replaces each credential with an opaque placeholder token in the agent’s environment. When the agent sends an HTTP request containing a placeholder, the proxy resolves it to the real credential before forwarding upstream.
This resolution requires the proxy to see plaintext HTTP. Endpoints must use protocol: rest in the policy (which auto-terminates TLS) or explicit tls: terminate. Endpoints without TLS termination pass traffic through as an opaque stream, and credential placeholders are forwarded unresolved.
The proxy resolves credential placeholders in the following parts of an HTTP request:
The proxy does not modify request bodies, cookies, or response content.
If the proxy detects a credential placeholder in a request but cannot resolve it, it rejects the request with HTTP 500 instead of forwarding the raw placeholder to the upstream server. This prevents accidental credential leakage in server logs or error responses.
Create a provider with the Telegram bot token:
The agent reads TELEGRAM_BOT_TOKEN from its environment and builds a request like POST /bot<placeholder>/sendMessage. The proxy resolves the placeholder in the URL path and forwards POST /bot123456:ABC-DEF/sendMessage to the upstream.
The agent sends GET /youtube/v3/search?part=snippet&key=<placeholder>. The proxy resolves the placeholder in the query parameter value and percent-encodes the result before forwarding.
The following provider types are supported.
Use the generic type for any service not listed above. You define the
environment variable names and values yourself with --credential.
The following providers have been tested with inference.local. Any provider that exposes an OpenAI-compatible API works with the openai type. Set --config OPENAI_BASE_URL to the provider’s base URL and --credential OPENAI_API_KEY to your API key.
Refer to your provider’s documentation for the correct base URL, available models, and API key setup. To configure inference routing, refer to Inference Routing.
Explore related topics:
