Advanced

Configure advanced agent routing, proxies, credentials, and organization controls.

Advanced agent configuration controls how each agent authenticates and which models it can reach, on top of the workspace and review behavior described in the agents overview.

How agents authenticate

Every agent has two independent surfaces: Local (agents you run on your own machine) and Cloud (agents running in a Proliferate cloud sandbox). For each surface, most agents can authenticate one of three ways.

RouteWhat it means
Native sign-inThe agent's own login, like claude /login or codex login. Nothing routes through Proliferate.
Your own API key (BYOK)Add a provider key under an environment variable that Proliferate wires into the session.
Proliferate GatewayProliferate-managed model access with no setup. Your organization's central provider keys are issued as per-user virtual keys with budgets and usage tracking, so nobody has to copy a key around.

Open Settings -> Agents -> an agent to switch between Local and Cloud and configure Authentication, or browse that surface's model catalog under All Models.

Settings -> Agents -> [agent] authentication pane

A harness settings page showing the Cloud/Local segmented control, the Authentication and All Models tabs, the Proliferate Gateway toggle, and a list of BYOK API key rows.

Advanced controls

AreaGo deeper
Allowed agents and routesAllowed harnesses
Model routing and BYO keysModels and authentication
Local or self-hosted modelsLocal and self-hosted models
PoliciesAdmin policies
GuardrailsRuntime guardrails

Admin settings apply defaults and boundaries. An admin can restrict which agents are available at all, and which of the routes above (native, API key, or gateway) each one is allowed to use org-wide. Developers can still choose the right agent for a task within those boundaries.

On this page