Advanced
Configure advanced agent routing, proxies, credentials, and organization controls.
Advanced agent configuration controls how each agent authenticates and which models it can reach, on top of the workspace and review behavior described in the agents overview.
How agents authenticate
Every agent has two independent surfaces: Local (agents you run on your own machine) and Cloud (agents running in a Proliferate cloud sandbox). For each surface, most agents can authenticate one of three ways.
| Route | What it means |
|---|---|
| Native sign-in | The agent's own login, like claude /login or codex login. Nothing routes through Proliferate. |
| Your own API key (BYOK) | Add a provider key under an environment variable that Proliferate wires into the session. |
| Proliferate Gateway | Proliferate-managed model access with no setup. Your organization's central provider keys are issued as per-user virtual keys with budgets and usage tracking, so nobody has to copy a key around. |
Open Settings -> Agents -> an agent to switch between Local and Cloud and configure Authentication, or browse that surface's model catalog under All Models.
Settings -> Agents -> [agent] authentication pane
A harness settings page showing the Cloud/Local segmented control, the Authentication and All Models tabs, the Proliferate Gateway toggle, and a list of BYOK API key rows.
Advanced controls
| Area | Go deeper |
|---|---|
| Allowed agents and routes | Allowed harnesses |
| Model routing and BYO keys | Models and authentication |
| Local or self-hosted models | Local and self-hosted models |
| Policies | Admin policies |
| Guardrails | Runtime guardrails |
Admin settings apply defaults and boundaries. An admin can restrict which agents are available at all, and which of the routes above (native, API key, or gateway) each one is allowed to use org-wide. Developers can still choose the right agent for a task within those boundaries.