Supported auth
Decide how agents authenticate to providers, gateways, and internal systems.
Authentication is configured per agent, per person, in Settings > Agents > Agent > Authentication. There's no central place an admin pushes credentials to a team; each person picks how their own sessions authenticate, separately for local work and cloud work.
Auth routes
| Route | Use it when |
|---|---|
| Native | The agent's own CLI sign-in already works (Claude Code login, Codex login, and so on). This is the default for local work, and the only option for Cursor. |
| API key | You want to bring your own provider key. Claude Code, Codex, and Grok each expect one provider's key; OpenCode ships with a vendored registry of well over a hundred providers to choose from. Keys are stored encrypted in Proliferate's key vault and mapped to whichever environment variable the agent expects. |
| Gateway | You want Proliferate's built-in managed gateway: no key to manage, a small free credit at signup, and centrally enforced spend limits. See Use your AI gateway. |
Claude Code, Codex, and Grok allow exactly one active source at a time (native, one API key, or the gateway). OpenCode is additive: you can enable the gateway and multiple provider API keys side by side, since OpenCode routes different models to different providers. Cursor has no auth screen at all, it always uses its own sign-in.
Settings > Agents > Claude > Authentication
The per-agent Authentication section: a 'Proliferate gateway' toggle at the top with a status subtitle, one or more API key rows below it (each with an editable env var name, a saved-key picker, an enable switch, and a remove button), and an 'Add variable' button.
What admins control
Org admins don't provision or see individual members' API keys. What admins control is the org's agent policy: which agents are allowed at all, and which of the three routes above members may choose from. Policy conflicts are flagged for the admin to see, not silently blocked.
Editing the agent policy requires the organization to be on a paid plan.
For model-level detail once auth is configured, see advanced agent settings.