Authentication
Note
AI Gateway requires the AI Governance Add-On.
AI Gateway authenticates clients with the same Coder API token that a user already uses against the rest of the Coder API. No separate AI Gateway login or credential is required.
Authenticating with a Coder token avoids distributing provider-specific API keys (such as OpenAI or Anthropic keys) to individual users. AI Gateway handles upstream credentials centrally and forwards each request to the configured provider on the user's behalf.
Note
Only Coder-issued tokens can authenticate users to AI Gateway. AI Gateway will use provider-specific API keys to authenticate against upstream AI services.
The exact environment variable or setting naming may differ from tool to tool. Refer to the list of supported clients, and consult your tool's documentation for details.
Create a Coder API token
You can generate a token from the Coder dashboard or the CLI.
From the dashboard, go to Account settings > Tokens and create a new token. For long-lived tokens, refer to Sessions and API tokens. For headless or service-account use, refer to Headless authentication.
From the CLI, print your current session token with coder login token:
coder login token
Or create a new long-lived token with a name and lifetime:
coder tokens create --lifetime 30d -n my-ai-token
Use short lifetimes for automation and CI to limit the blast radius if a token leaks.
Retrieve your session token
If you're logged in with the Coder CLI, you can retrieve your current session token
by using coder login token:
export ANTHROPIC_API_KEY=$(coder login token)
export ANTHROPIC_BASE_URL="https://coder.example.com/api/v2/aibridge/anthropic"
Alternatively, you can generate a long-lived API token from the Coder dashboard.
For headless or service-account use, refer to Headless authentication.
AI Gateway Proxy authentication
For tools that don't support a configurable base URL, AI Gateway Proxy intercepts traffic and forwards it to AI Gateway. The Coder token is supplied in the proxy URL:
export HTTPS_PROXY="https://coder:$(coder login token)@<proxy-host>:8888"
The client machine also needs to trust the proxy's CA certificate. For full setup, refer to AI Gateway Proxy setup.
Bring Your Own Key (BYOK)
In addition to centralized key management, AI Gateway supports Bring Your Own Key (BYOK) mode. Users can provide their own LLM API keys or use provider subscriptions (such as Claude Pro/Max or ChatGPT Plus/Pro), while AI Gateway continues to provide observability and governance.
In BYOK mode, users need two credentials:
- A Coder API token to authenticate with AI Gateway.
- Their own LLM credential (personal API key or subscription token) which AI Gateway forwards to the upstream provider.
BYOK and centralized modes can be used together. When a user provides their own credential, AI Gateway forwards it directly. When no user credential is present, AI Gateway falls back to the admin-configured provider key. This approach offers centralized keys as a default, while allowing individual users to bring their own key.
Visit individual client pages for configuration details.
Enable or disable BYOK
BYOK is enabled by default.
Administrators can disable it using --aibridge-allow-byok=false or CODER_AIBRIDGE_ALLOW_BYOK=false:
coder server --aibridge-allow-byok=false
When disabled, BYOK requests are rejected with a 403 Forbidden response and only centralized key authentication is permitted.
Rotate or revoke a token
To rotate a token without downtime:
- Create a new token with
coder tokens create. - Update the client's configuration to use the new token.
- Delete the old token from the dashboard or with
coder tokens rm <name>.
Deleting a token immediately revokes access. Deleting the user that owns a token revokes every token that user holds at the same time.