Gateway, BYOK & OAuth
How agents authenticate with providers and tools.
Routes & the picker covers the three routes at a glance: native, API key, and gateway. This page goes deeper on each one.
Proliferate gateway
The gateway is Proliferate's managed path to models. Flip it on for a harness and you get access to the current Anthropic, OpenAI, and xAI models with nothing else to configure: no key to paste in, nothing to rotate.
Under the hood, the gateway is a LiteLLM proxy that Proliferate operates. Proliferate holds the real provider keys; your account gets a virtual key scoped to you, with its own spending budget and usage tracking. Provider secrets never reach your machine or a cloud sandbox.
Harness authentication, gateway enabled
Settings -> Agents -> Codex -> Authentication with the 'Proliferate gateway' switch turned on and its subtitle reading 'Proliferate-managed model access. No setup required.'
The gateway can be turned on for Claude, Codex, OpenCode, and Grok. Cursor doesn't use it (see Per-harness notes). The toggle can be unavailable or locked for a few reasons:
- Your account or organization plan doesn't include gateway access.
- Your account's gateway enrollment is still pending or failed to sync, which the subtitle under the toggle will call out directly.
Bring your own key (BYOK)
If you'd rather use your own provider account, add the key once and wire it into whichever harnesses need it.
Save a key to your vault
Go to Settings -> Agents -> API keys. Give the key a title (something memorable, like "Personal Anthropic key") and paste the secret. Proliferate stores it encrypted and only ever shows you a redacted hint afterward, never the raw value again.
Settings -> Agents -> API keys
The API keys pane: a list of saved keys showing title and redacted hint (e.g. 'Personal Anthropic key ****abcd') each with a Revoke button, and an add-key form with Title and Value fields below.
Wire it into a harness
Open the harness's Authentication tab, click Add variable, and set the
environment variable name the harness expects (Proliferate suggests the
common one, like ANTHROPIC_API_KEY for Claude). Pick your saved key from
the dropdown, then flip the row's switch on. You can also create a new key
inline from that same dropdown instead of visiting the API keys pane first.
OpenCode works a little differently since it isn't tied to one provider. Instead of a fixed suggestion, it gives you an Add provider search over a list of well over a hundred providers; picking one prefills the row with that provider's environment variable name.
A key can't be revoked while a harness still has it wired in and enabled; you'll get a clear error naming which harness to disconnect first.
Native sign-in (OAuth and cached logins)
This is what happens when you haven't configured a route at all, and it's also how you set up a harness's own login the first time.
For local work, click Run login on a harness's Authentication tab (shown
when that harness needs to sign in). This opens an embedded terminal running
the harness's own login command, such as claude login or codex login,
right inside Proliferate. Finish the flow there (including any browser-based
OAuth step the CLI opens), and the harness picks up its own credential file
the same way it would if you'd run the command yourself in a regular
terminal.
Embedded agent login terminal
An embedded terminal panel inside the harness's Authentication tab, mid-login: the CLI's own sign-in prompt (e.g. a device code or browser-login instruction) running live, with Close and Restart controls.
Native credentials are never uploaded anywhere by Proliferate; they stay in the harness's own config on your machine. That's also why native sign-in only applies to local work: there's no terminal to log in from inside a cloud sandbox, so cloud runs need either a gateway or an API key route instead.
Cursor is the exception: it always uses its own sign-in, on both local and cloud, and never shows a gateway or API key option.