Skip to main content
praisonai auth stores provider credentials locally so praisonai run works without exporting env vars every session. Two methods are supported: a long-lived API key, or a short-lived OAuth token signed in via your browser.

Quick Start

The picker is built from ModelCatalogue.list_providers(): openai, anthropic, google, ollama first, every other catalogue provider (Groq, OpenRouter, Mistral, DeepSeek, xAI, …) next, and custom last.

Commands

auth login now accepts an optional provider. Run praisonai auth login with no argument to pick from a catalogue-driven list (any provider ModelCatalogue knows about — Groq, OpenRouter, Mistral, DeepSeek, xAI, …); curated providers appear first, custom last. Scripts that pass the provider positionally still work unchanged. A one-line “Get your key” hint prints before the masked prompt for well-known providers.

Login flags

Which --method should I use?

--method auto on a registry provider without a --client-id prints an info line telling you how to switch to OAuth explicitly, then falls back to the API-key prompt.

Provider Picker

Omit the provider argument and auth login opens a catalogue-driven picker so you never have to memorise a provider id.
The list comes from ModelCatalogue.list_providers(): openai, anthropic, google, ollama first, every other catalogue provider appended, custom last. Picking custom prompts for a free-form provider id. The positional <provider> argument still works unchanged — keep passing it in scripts and CI.

OAuth Login (browser-based)

Two flows are negotiated automatically per provider:
  • Device code (RFC 8628) — prints a short code + URL, polls until you approve. Default on headless servers.
  • Authorization code + PKCE (RFC 7636) — opens your default browser and listens on 127.0.0.1 for the redirect. Default on desktops.
Built-in providers ship with endpoints but no client_id (registration-specific). Supply your OAuth app’s id via --client-id; the CLI resolves the rest.
The OAuth callback handler and PKCE helpers are shared with the MCP OAuth integration.

Token storage & refresh

Self-hosted / custom OAuth providers

praisonai auth login ships built-in endpoints for github, google, gemini, and azure. For a provider outside the registry (e.g. a self-hosted gateway), supply the endpoints directly with CLI flags:
The CLI infers the device flow when a --device-authorization-url is present, or falls back to authcode (PKCE) when you pass --authorization-url instead. As an escape hatch, you can also register a provider config from Python before invoking the flow:

Headless / SSH

API Key Login

auth login (and setup) print a Get your key: link to the provider’s key-creation page before the hidden prompt for catalogue providers, so first-run users don’t have to guess where to find one:
The link comes from a static PROVIDER_KEY_URLS map (key_url_for_provider()). Providers without a mapped URL skip the hint silently.

List & status

Logout

List & Status — new columns

Source shows where the live credential comes from: stored (from ~/.praisonai/credentials.json) or env (VARNAME) when an active environment variable is present. An env key that shadows a stored one is flagged env (VARNAME) [live, overrides stored]. Expires shows (n/a) for API keys, 59m, 1h 23m, <1m, or expired for OAuth tokens, and (no expiry) when the provider didn’t include one.

Stored vs environment credentials

auth list and auth status surface both stored credentials (from ~/.praisonai/credentials.json) and active environment-variable keys for catalogue-known providers. The Source column disambiguates them: If both a stored and an env credential exist for one provider, the env value wins at run time (this is unchanged) — the Source line appends [live, overrides stored] so it’s visible:
Both stored and env secrets are redacted the same way (sk-1***efgh).
The auth list and auth status table columns changed in this release — Method, Source, and Expires columns were added, and active env-var credentials are now surfaced. Scripts that parse the table output need to be updated. The --json output is additive only (new source / env_var keys added; no existing keys removed).

Credential Fields (ProviderCredential)

Each stored provider credential contains the following fields: auth list and auth status show Method and Expires columns reflecting these fields.

Storage & Security

Path change — auto-migrated. Prior releases stored credentials at ~/.praison/credentials.json. The canonical path is now ~/.praisonai/credentials.json; the legacy path is still read if the canonical file doesn’t exist yet, and any subsequent auth login or setup transparently migrates your old entries onto the canonical file. No re-login is required.

Supported Providers

Unknown providers accept API keys with length ≥ 10. OAuth is opt-in per provider. Registry providers ship endpoints but no client_id; pass yours with --client-id.

Optional dependency

The OAuth flow uses the requests library. It is lazy-imported, so users on the API-key path never see it. If a user runs --method oauth without it installed:

How Run Uses Credentials

praisonai run resolves credentials in this order:
  1. Environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, …)
  2. Stored credentials — OAuth tokens refreshed transparently (~60 s before expiry) before injection
  3. LLM endpoint resolution via resolve_llm_endpoint_with_credentials
If an expired OAuth token cannot be refreshed (refresh token revoked, network error, etc.), praisonai run reports:
If nothing is found, non-interactive mode exits with:
See Run for the interactive wizard path.

Run

Preflight credential check before execution

Config

Default model via [llm] in config.toml

Setup

First-run setup wizard