Providers & Authentication
Pi supports multiple LLM providers through two authentication methods: subscription-based and API key-based.
Authentication Methods
Subscription Providers
Subscription providers use OAuth to authenticate through your existing service account. No API key is needed.
On first use, Pi opens a browser window for OAuth login. Credentials are stored securely and refreshed automatically.
API Keys
For direct API access, configure keys via environment variables or the auth file.
API Key Configuration
Environment Variables
Set the appropriate environment variable for your provider:
Auth File
Store keys in ~/.pi/agent/auth.json:
Key Formats
Values in auth.json support three formats:
Credential Resolution Priority
Pi resolves credentials in this order (first match wins):
- CLI flags --
--api-keypassed on the command line - auth.json -- Key for the provider in
~/.pi/agent/auth.json - Environment variables -- Provider-specific env var (e.g.,
ANTHROPIC_API_KEY) - Custom provider -- Key defined in
models.jsonprovider configuration - OAuth -- Subscription-based authentication (if available for the provider)
Provider-Specific Configuration
Azure OpenAI
Azure OpenAI requires additional configuration for your deployment:
Or configure via models.json:
Amazon Bedrock
Configure AWS credentials using standard AWS credential chain:
Or use an AWS profile:
Google Vertex AI
For Vertex AI, authenticate via service account or application default credentials:
Custom Providers
For custom or self-hosted providers, use models.json to define the provider configuration. See the Custom Models reference for details.
For programmatic provider registration in extensions, use pi.registerProvider(). See the Custom Provider reference for the full API.