Providers
Elyra supports subscription-based providers via OAuth and API key providers via environment variables or auth file. For each provider, elyra knows all available models. The list is updated with every elyra release.
Table of Contents
Subscriptions
Use /login in interactive mode, then select a provider:
- ChatGPT Plus/Pro (Codex)
- Claude Pro/Max
- GitHub Copilot
Use /logout to clear credentials. Tokens are stored in ~/.elyra/agent/auth.json and auto-refresh when expired.
OpenAI Codex
- Requires ChatGPT Plus or Pro subscription
- Officially endorsed by OpenAI: Codex for OSS
Claude Pro/Max
Anthropic subscription auth is active for Claude Pro/Max accounts. Third-party harness usage draws from extra usage and is billed per token, not against Claude plan limits.
GitHub Copilot
- Press Enter for github.com, or enter your GitHub Enterprise Server domain
- If you get "model not supported", enable it in VS Code: Copilot Chat → model selector → select model → "Enable"
API Keys
Environment Variables or Auth File
Use /login in interactive mode and select a provider to store an API key in auth.json, or set credentials via environment variable:
export ANTHROPIC_API_KEY=sk-ant-...
elyra
| Provider | Environment Variable | auth.json key |
|---|---|---|
| Anthropic | ANTHROPIC_API_KEY |
anthropic |
| Azure OpenAI Responses | AZURE_OPENAI_API_KEY |
azure-openai-responses |
| OpenAI | OPENAI_API_KEY |
openai |
| DeepSeek | DEEPSEEK_API_KEY |
deepseek |
| Google Gemini | GEMINI_API_KEY |
google |
| Mistral | MISTRAL_API_KEY |
mistral |
| Groq | GROQ_API_KEY |
groq |
| Cerebras | CEREBRAS_API_KEY |
cerebras |
| Cloudflare AI Gateway | CLOUDFLARE_API_KEY (+ CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_GATEWAY_ID) |
cloudflare-ai-gateway |
| Cloudflare Workers AI | CLOUDFLARE_API_KEY (+ CLOUDFLARE_ACCOUNT_ID) |
cloudflare-workers-ai |
| xAI | XAI_API_KEY |
xai |
| OpenRouter | OPENROUTER_API_KEY |
openrouter |
| Vercel AI Gateway | AI_GATEWAY_API_KEY |
vercel-ai-gateway |
| ZAI | ZAI_API_KEY |
zai |
| OpenCode Zen | OPENCODE_API_KEY |
opencode |
| OpenCode Go | OPENCODE_API_KEY |
opencode-go |
| Hugging Face | HF_TOKEN |
huggingface |
| Fireworks | FIREWORKS_API_KEY |
fireworks |
| Together AI | TOGETHER_API_KEY |
together |
| Kimi For Coding | KIMI_API_KEY |
kimi-coding |
| MiniMax | MINIMAX_API_KEY |
minimax |
| MiniMax (China) | MINIMAX_CN_API_KEY |
minimax-cn |
| Xiaomi MiMo | XIAOMI_API_KEY |
xiaomi |
| Xiaomi MiMo Token Plan (China) | XIAOMI_TOKEN_PLAN_CN_API_KEY |
xiaomi-token-plan-cn |
| Xiaomi MiMo Token Plan (Amsterdam) | XIAOMI_TOKEN_PLAN_AMS_API_KEY |
xiaomi-token-plan-ams |
| Xiaomi MiMo Token Plan (Singapore) | XIAOMI_TOKEN_PLAN_SGP_API_KEY |
xiaomi-token-plan-sgp |
Reference for environment variables and auth.json keys: const envMap in packages/ai/src/env-api-keys.ts.
Auth File
Store credentials in ~/.elyra/agent/auth.json:
{
"anthropic": { "type": "api_key", "key": "sk-ant-..." },
"openai": { "type": "api_key", "key": "sk-..." },
"deepseek": { "type": "api_key", "key": "sk-..." },
"google": { "type": "api_key", "key": "..." },
"opencode": { "type": "api_key", "key": "..." },
"opencode-go": { "type": "api_key", "key": "..." },
"together": { "type": "api_key", "key": "..." },
"xiaomi": { "type": "api_key", "key": "..." },
"xiaomi-token-plan-cn": { "type": "api_key", "key": "..." },
"xiaomi-token-plan-ams": { "type": "api_key", "key": "..." },
"xiaomi-token-plan-sgp": { "type": "api_key", "key": "..." }
}
The file is created with 0600 permissions (user read/write only). Auth file credentials take priority over environment variables.
Key Resolution
The key field supports three formats:
- Shell command:
"!command"executes and uses stdout (cached for process lifetime){ "type": "api_key", "key": "!security find-generic-password -ws 'anthropic'" } { "type": "api_key", "key": "!op read 'op://vault/item/credential'" } - Environment variable: Uses the value of the named variable
{ "type": "api_key", "key": "MY_ANTHROPIC_KEY" } - Literal value: Used directly
{ "type": "api_key", "key": "sk-ant-..." }
OAuth credentials are also stored here after /login and managed automatically.
Cloud Providers
Azure OpenAI
export AZURE_OPENAI_API_KEY=...
export AZURE_OPENAI_BASE_URL=https://your-resource.openai.azure.com
# also supported: https://your-resource.cognitiveservices.azure.com
# root endpoints are auto-normalized to /openai/v1
# or use resource name instead of base URL
export AZURE_OPENAI_RESOURCE_NAME=your-resource
# Optional
export AZURE_OPENAI_API_VERSION=2024-02-01
export AZURE_OPENAI_DEPLOYMENT_NAME_MAP=gpt-4=my-gpt4,gpt-4o=my-gpt4o
Amazon Bedrock
# Option 1: AWS Profile
export AWS_PROFILE=your-profile
# Option 2: IAM Keys
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
# Option 3: Bearer Token
export AWS_BEARER_TOKEN_BEDROCK=...
# Optional region (defaults to us-east-1)
export AWS_REGION=us-west-2
Also supports ECS task roles (AWS_CONTAINER_CREDENTIALS_*) and IRSA (AWS_WEB_IDENTITY_TOKEN_FILE).
elyra --provider amazon-bedrock --model us.anthropic.claude-sonnet-4-20250514-v1:0
Prompt caching is enabled automatically for Claude models whose ID contains a recognizable model name (base models and system-defined inference profiles). For application inference profiles (whose ARNs don't contain the model name), set AWS_BEDROCK_FORCE_CACHE=1 to enable cache points:
export AWS_BEDROCK_FORCE_CACHE=1
elyra --provider amazon-bedrock --model arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123
If you are connecting to a Bedrock API proxy, the following environment variables can be used:
# Set the URL for the Bedrock proxy (standard AWS SDK env var)
export AWS_ENDPOINT_URL_BEDROCK_RUNTIME=https://my.corp.proxy/bedrock
# Set if your proxy does not require authentication
export AWS_BEDROCK_SKIP_AUTH=1
# Set if your proxy only supports HTTP/1.1
export AWS_BEDROCK_FORCE_HTTP1=1
Cloudflare AI Gateway
CLOUDFLARE_API_KEY can be set via /login. The account ID and gateway slug must be set as environment variables.
export CLOUDFLARE_API_KEY=... # or use /login
export CLOUDFLARE_ACCOUNT_ID=...
export CLOUDFLARE_GATEWAY_ID=... # create at dash.cloudflare.com → AI → AI Gateway
elyra --provider cloudflare-ai-gateway --model "claude-sonnet-4-5"
Routes to OpenAI, Anthropic, and Workers AI through Cloudflare AI Gateway. Workers AI uses the Unified API (/compat) and prefixed model IDs (workers-ai/@cf/...). OpenAI uses the OpenAI passthrough route (/openai) with native OpenAI model IDs such as gpt-5.1. Anthropic uses the Anthropic passthrough route (/anthropic) with native Anthropic model IDs such as claude-sonnet-4-5.
AI Gateway authentication uses CLOUDFLARE_API_KEY as cf-aig-authorization. Upstream authentication can be one of:
| Mode | Request auth | Upstream auth |
|---|---|---|
| Workers AI | Cloudflare token only | Cloudflare-native |
| Unified billing | Cloudflare token only | Cloudflare handles upstream auth and deducts credits |
| Stored BYOK | Cloudflare token only | Cloudflare injects provider keys stored in the AI Gateway dashboard |
| Inline BYOK | Cloudflare token plus upstream Authorization header |
The request supplies the upstream provider key |
For normal elyra usage, prefer unified billing or stored BYOK. Inline BYOK requires configuring an additional upstream Authorization header for the Cloudflare AI Gateway provider, for example via a models.json provider/model override.
Cloudflare Workers AI
CLOUDFLARE_API_KEY can be set via /login. CLOUDFLARE_ACCOUNT_ID must be set as an environment variable.
export CLOUDFLARE_API_KEY=... # or use /login
export CLOUDFLARE_ACCOUNT_ID=...
elyra --provider cloudflare-workers-ai --model "@cf/moonshotai/kimi-k2.6"
Elyra automatically sets x-session-affinity for prefix caching discounts.
Google Vertex AI
Uses Application Default Credentials:
gcloud auth application-default login
export GOOGLE_CLOUD_PROJECT=your-project
export GOOGLE_CLOUD_LOCATION=us-central1
Or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
Custom Providers
Via models.json: Add Ollama, LM Studio, vLLM, or any provider that speaks a supported API (OpenAI Completions, OpenAI Responses, Anthropic Messages, Google Generative AI). See models.md.
Via extensions: For providers that need custom API implementations or OAuth flows, create an extension. See custom-provider.md and examples/extensions/custom-provider-gitlab-duo.
Resolution Order
When resolving credentials for a provider:
- CLI
--api-keyflag auth.jsonentry (API key or OAuth token)- Environment variable
- Custom provider keys from
models.json