Provider Credentials
Configure provider API keys and cloud platform credentials.
Overview
Provider Credentials let you configure API keys and cloud platform credentials for all supported providers. Credentials are set at the organization level and apply to all API keys in your organization.
When configured, Aira routes model calls through your accounts — giving you direct billing, higher rate limits, and full control over provider relationships.
In the dashboard, all provider credentials are managed from the Models → Providers tab. Direct API keys (OpenAI, Anthropic, Google) appear at the top, and cloud platform credentials (AWS Bedrock, Azure OpenAI, Vertex AI) appear under Cloud Deployments. Both use the same API described below.
Set / Merge Credentials
POST /api/v1/provider-credentials
Authorization: Bearer aira_live_xxxxxEach POST merges new provider credentials with your existing configuration. Setting OpenAI credentials, then later setting Anthropic credentials, results in both being configured.
Credential Types
Provider credentials come in four types depending on the provider.
Direct API Providers (openai, anthropic, google)
| Field | Type | Required | Description |
|---|---|---|---|
type | string | Yes | "api_key" |
api_key | string | Yes | Your provider API key |
AWS Bedrock (slug: bedrock)
| Field | Type | Required | Description |
|---|---|---|---|
type | string | Yes | "aws" |
access_key_id | string | Yes | AWS access key ID |
secret_access_key | string | Yes | AWS secret access key |
region | string | No | AWS region (default: "us-east-1") |
Azure OpenAI (slug: azure)
| Field | Type | Required | Description |
|---|---|---|---|
type | string | Yes | "azure" |
endpoint | string | Yes | Azure OpenAI endpoint URL (must be HTTPS) |
api_key | string | Yes | Azure API key |
api_version | string | No | API version (default: "2024-10-21") |
Google Vertex AI (slug: vertex)
| Field | Type | Required | Description |
|---|---|---|---|
type | string | Yes | "vertex" |
project_id | string | Yes | GCP project ID |
region | string | No | GCP region (default: "us-central1") |
service_account_json | string | No | Service account key JSON (for non-ADC auth) |
Example: Direct API Key (OpenAI)
curl -X POST https://api.airaproof.com/api/v1/provider-credentials \
-H "Authorization: Bearer aira_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{
"provider": "openai",
"credentials": {
"type": "api_key",
"api_key": "sk-proj-abc123..."
}
}'Example: Direct API Key (Anthropic)
curl -X POST https://api.airaproof.com/api/v1/provider-credentials \
-H "Authorization: Bearer aira_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{
"provider": "anthropic",
"credentials": {
"type": "api_key",
"api_key": "sk-ant-xyz789..."
}
}'Example: AWS Bedrock
curl -X POST https://api.airaproof.com/api/v1/provider-credentials \
-H "Authorization: Bearer aira_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{
"provider": "bedrock",
"credentials": {
"type": "aws",
"access_key_id": "AKIA...",
"secret_access_key": "wJalr...",
"region": "us-east-1"
}
}'Example: Azure OpenAI
curl -X POST https://api.airaproof.com/api/v1/provider-credentials \
-H "Authorization: Bearer aira_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{
"provider": "azure",
"credentials": {
"type": "azure",
"endpoint": "https://your-resource.openai.azure.com",
"api_key": "abc123...",
"api_version": "2024-10-21"
}
}'Example: Google Vertex AI
curl -X POST https://api.airaproof.com/api/v1/provider-credentials \
-H "Authorization: Bearer aira_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{
"provider": "vertex",
"credentials": {
"type": "vertex",
"project_id": "your-gcp-project",
"region": "us-central1"
}
}'Response (200 OK)
{
"message": "Credentials saved for openai",
"request_id": "req_01J8X..."
}Credentials are encrypted at rest and never returned in API responses. You can overwrite them but not read them back.
Each POST merges with existing configuration — it does not overwrite other providers. Setting OpenAI, then Anthropic, then Bedrock results in all three being configured.
Get Credential Status
GET /api/v1/provider-credentials
Authorization: Bearer aira_live_xxxxxReturns the current credential status for your organization — which providers are configured and their type, without revealing any secrets.
Response (200 OK)
{
"providers": [
{
"slug": "openai",
"type": "api_key",
"configured": true
},
{
"slug": "bedrock",
"type": "aws",
"configured": true,
"region": "us-east-1"
},
{
"slug": "azure",
"type": "azure",
"configured": true,
"endpoint": "https://your-resource.openai.azure.com"
},
{
"slug": "vertex",
"type": "vertex",
"configured": true,
"region": "us-central1"
}
],
"request_id": "req_..."
}Response Fields (ProviderStatusItem)
| Field | Type | Description |
|---|---|---|
slug | string | Provider identifier (openai, anthropic, google, bedrock, azure, vertex) |
type | string | Credential type (api_key, aws, azure, vertex) |
configured | boolean | Whether credentials are set for this provider |
region | string|null | Region (for bedrock and vertex) |
endpoint | string|null | Endpoint URL (for azure) |
Delete Credentials
DELETE /api/v1/provider-credentials?provider=xxx
Authorization: Bearer aira_live_xxxxxRemoves credentials for the specified provider.
Example
curl -X DELETE "https://api.airaproof.com/api/v1/provider-credentials?provider=openai" \
-H "Authorization: Bearer aira_live_xxxxx"Response (200 OK)
{
"message": "Credentials removed for openai",
"request_id": "req_..."
}How It Works
- Credentials are organization-level, not per-API-key — all API keys in your org share the same provider credentials
- Each
POSTmerges new providers with existing config — other providers are preserved - When running cases, Aira checks org credentials first, then falls back to platform-managed keys (cloud mode only)
- Credentials are encrypted at rest and never returned in responses
- This is transparent to the case API — request and response shapes are identical regardless of credential source
Self-Hosted Deployments
In self-hosted mode (DEPLOYMENT_MODE=selfhosted), provider credentials must be configured for all providers you want to use — there are no platform-managed keys. The dashboard reflects this by showing "Not configured" instead of "Managed by Aira" for unconfigured providers.