praisonai auth stores provider credentials locally so praisonai run works without exporting env vars every session. Two methods are supported: a long-lived API key, or a short-lived OAuth token signed in via your browser.
Quick Start
- Picker
- API Key
- OAuth (Browser)
- Headless / SSH
ModelCatalogue.list_providers(): openai, anthropic, google, ollama first, every other catalogue provider (Groq, OpenRouter, Mistral, DeepSeek, xAI, …) next, and custom last.Commands
auth login now accepts an optional provider. Run praisonai auth login with no argument to pick from a catalogue-driven list (any provider ModelCatalogue knows about — Groq, OpenRouter, Mistral, DeepSeek, xAI, …); curated providers appear first, custom last. Scripts that pass the provider positionally still work unchanged. A one-line “Get your key” hint prints before the masked prompt for well-known providers.Login flags
Which --method should I use?
--method auto on a registry provider without a --client-id prints an info line telling you how to switch to OAuth explicitly, then falls back to the API-key prompt.Provider Picker
Omit the provider argument andauth login opens a catalogue-driven picker so you never have to memorise a provider id.
ModelCatalogue.list_providers(): openai, anthropic, google, ollama first, every other catalogue provider appended, custom last. Picking custom prompts for a free-form provider id. The positional <provider> argument still works unchanged — keep passing it in scripts and CI.
OAuth Login (browser-based)
Two flows are negotiated automatically per provider:- Device code (RFC 8628) — prints a short code + URL, polls until you approve. Default on headless servers.
- Authorization code + PKCE (RFC 7636) — opens your default browser and listens on
127.0.0.1for the redirect. Default on desktops.
Built-in providers ship with endpoints but no
client_id (registration-specific). Supply your OAuth app’s id via --client-id; the CLI resolves the rest.Token storage & refresh
Self-hosted / custom OAuth providers
praisonai auth login ships built-in endpoints for github, google, gemini, and azure. For a provider outside the registry (e.g. a self-hosted gateway), supply the endpoints directly with CLI flags:
device flow when a --device-authorization-url is present, or falls back to authcode (PKCE) when you pass --authorization-url instead.
As an escape hatch, you can also register a provider config from Python before invoking the flow:
Headless / SSH
API Key Login
auth login (and setup) print a Get your key: link to the provider’s key-creation page before the hidden prompt for catalogue providers, so first-run users don’t have to guess where to find one:PROVIDER_KEY_URLS map (key_url_for_provider()). Providers without a mapped URL skip the hint silently.List & status
Logout
List & Status — new columns
Source shows where the live credential comes from: stored (from ~/.praisonai/credentials.json) or env (VARNAME) when an active environment variable is present. An env key that shadows a stored one is flagged env (VARNAME) [live, overrides stored].
Expires shows (n/a) for API keys, 59m, 1h 23m, <1m, or expired for OAuth tokens, and (no expiry) when the provider didn’t include one.
Stored vs environment credentials
auth list and auth status surface both stored credentials (from ~/.praisonai/credentials.json) and active environment-variable keys for catalogue-known providers. The Source column disambiguates them:
If both a stored and an env credential exist for one provider, the env value wins at run time (this is unchanged) — the
Source line appends [live, overrides stored] so it’s visible:
sk-1***efgh).
The
auth list and auth status table columns changed in this release — Method, Source, and Expires columns were added, and active env-var credentials are now surfaced. Scripts that parse the table output need to be updated. The --json output is additive only (new source / env_var keys added; no existing keys removed).Credential Fields (ProviderCredential)
Each stored provider credential contains the following fields:
auth list and auth status show Method and Expires columns reflecting these fields.
Storage & Security
Path change — auto-migrated. Prior releases stored credentials at
~/.praison/credentials.json. The canonical path is now ~/.praisonai/credentials.json; the legacy path is still read if the canonical file doesn’t exist yet, and any subsequent auth login or setup transparently migrates your old entries onto the canonical file. No re-login is required.Supported Providers
Unknown providers accept API keys with length ≥ 10. OAuth is opt-in per provider. Registry providers ship endpoints but no
client_id; pass yours with --client-id.
Optional dependency
The OAuth flow uses therequests library. It is lazy-imported, so users on the API-key path never see it. If a user runs --method oauth without it installed:
How Run Uses Credentials
praisonai run resolves credentials in this order:
- Environment variables (
OPENAI_API_KEY,ANTHROPIC_API_KEY, …) - Stored credentials — OAuth tokens refreshed transparently (~60 s before expiry) before injection
- LLM endpoint resolution via
resolve_llm_endpoint_with_credentials
praisonai run reports:
Related
Run
Preflight credential check before execution
Config
Default model via
[llm] in config.tomlSetup
First-run setup wizard

