Gateway, BYOK & OAuth

How agents authenticate with providers and tools.

Routes & the picker covers the three routes at a glance: native, API key, and gateway. This page goes deeper on each one.

Proliferate gateway

The gateway is Proliferate's managed path to models. Flip it on for a harness and you get access to the current Anthropic, OpenAI, and xAI models with nothing else to configure: no key to paste in, nothing to rotate.

Under the hood, the gateway is a LiteLLM proxy that Proliferate operates. Proliferate holds the real provider keys; your account gets a virtual key scoped to you, with its own spending budget and usage tracking. Provider secrets never reach your machine or a cloud sandbox.

Harness authentication, gateway enabled

Settings -> Agents -> Codex -> Authentication with the 'Proliferate gateway' switch turned on and its subtitle reading 'Proliferate-managed model access. No setup required.'

The gateway can be turned on for Claude, Codex, OpenCode, and Grok. Cursor doesn't use it (see Per-harness notes). The toggle can be unavailable or locked for a few reasons:

  • Your account or organization plan doesn't include gateway access.
  • Your account's gateway enrollment is still pending or failed to sync, which the subtitle under the toggle will call out directly.

Bring your own key (BYOK)

If you'd rather use your own provider account, add the key once and wire it into whichever harnesses need it.

Save a key to your vault

Go to Settings -> Agents -> API keys. Give the key a title (something memorable, like "Personal Anthropic key") and paste the secret. Proliferate stores it encrypted and only ever shows you a redacted hint afterward, never the raw value again.

Settings -> Agents -> API keys

The API keys pane: a list of saved keys showing title and redacted hint (e.g. 'Personal Anthropic key ****abcd') each with a Revoke button, and an add-key form with Title and Value fields below.

Wire it into a harness

Open the harness's Authentication tab, click Add variable, and set the environment variable name the harness expects (Proliferate suggests the common one, like ANTHROPIC_API_KEY for Claude). Pick your saved key from the dropdown, then flip the row's switch on. You can also create a new key inline from that same dropdown instead of visiting the API keys pane first.

OpenCode works a little differently since it isn't tied to one provider. Instead of a fixed suggestion, it gives you an Add provider search over a list of well over a hundred providers; picking one prefills the row with that provider's environment variable name.

A key can't be revoked while a harness still has it wired in and enabled; you'll get a clear error naming which harness to disconnect first.

Native sign-in (OAuth and cached logins)

This is what happens when you haven't configured a route at all, and it's also how you set up a harness's own login the first time.

For local work, click Run login on a harness's Authentication tab (shown when that harness needs to sign in). This opens an embedded terminal running the harness's own login command, such as claude login or codex login, right inside Proliferate. Finish the flow there (including any browser-based OAuth step the CLI opens), and the harness picks up its own credential file the same way it would if you'd run the command yourself in a regular terminal.

Embedded agent login terminal

An embedded terminal panel inside the harness's Authentication tab, mid-login: the CLI's own sign-in prompt (e.g. a device code or browser-login instruction) running live, with Close and Restart controls.

Native credentials are never uploaded anywhere by Proliferate; they stay in the harness's own config on your machine. That's also why native sign-in only applies to local work: there's no terminal to log in from inside a cloud sandbox, so cloud runs need either a gateway or an API key route instead.

Info:

Cursor is the exception: it always uses its own sign-in, on both local and cloud, and never shows a gateway or API key option.

On this page