Multi-Provider & BYOK

Route conversions through your own Anthropic, AWS Bedrock, Google Vertex AI, or Azure AI Foundry account instead of the platform-provided key. Your credentials, stored locally, never touch the 3XDE backend.

Overview

By default, 3XCode routes LLM calls through a platform-provided key managed by your organization's admin. BYOK (Bring Your Own Key) lets you instead supply your own provider credentials (an Anthropic API key, AWS Bedrock access keys, a Google Vertex AI project, or an Azure AI Foundry endpoint) and have every conversion call go directly from your machine to your own account.

BYOK is admin-gated: an admin must assign BYOK as your account's key source before 3xcode keys store will fully activate. Once assigned, your credentials are stored locally on your machine. The 3XDE backend is told which provider and which models you prefer, but it never receives, stores, or has access to the key itself.

Supported Providers

Four providers are supported, each with its own credential fields collected interactively by 3xcode keys store:

ProviderCredentials CollectedSecret FieldsSDK Env Flag Set
Anthropic (default)ANTHROPIC_API_KEYAPI keynone (default routing)
AWS BedrockAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGIONAccess key + secret keyCLAUDE_CODE_USE_BEDROCK=1
Google Vertex AICLOUD_ML_REGION, ANTHROPIC_VERTEX_PROJECT_IDnone prompted (region + project ID only)CLAUDE_CODE_USE_VERTEX=1
Azure AI FoundryANTHROPIC_FOUNDRY_API_KEY, ANTHROPIC_FOUNDRY_BASE_URLFoundry API keyCLAUDE_CODE_USE_FOUNDRY=1

Note that AWS Bedrock only accepts a raw access key / secret key pair. There's no AWS profile or SSO field. All conflicting provider env flags are explicitly cleared before the CLI sets exactly one, so a shell alias or function that might otherwise force a different provider can't silently interfere.

Setting Up BYOK

BYOK setup is a short sequence: log in, request BYOK access from your admin if it isn't already assigned, store your provider credentials, then verify the key actually works before relying on it.

Terminal: BYOK setup
# 1. Log in (device flow, or --email/--password)
3xcode login

# 2. If BYOK isn't assigned to your account yet, request it
3xcode contact-admin -m "Please enable BYOK for my account"

# 3. Store credentials for a provider (interactive prompts follow)
3xcode keys store --provider anthropic

# Provider-specific examples:
3xcode keys store --provider bedrock   # prompts for AWS access/secret key + region
3xcode keys store --provider vertex    # prompts for GCP region + project ID
3xcode keys store --provider azure     # prompts for Foundry API key + base URL

# 4. Confirm what's stored
3xcode keys list

# 5. Verify the key actually works with a live call
3xcode keys test --provider anthropic

During keys store, after the credential fields you're also asked which models you prefer: opus, sonnet (Claude Sonnet 5, the default), or haiku, given as comma-separated numbers, or Enter to allow all three. Only the provider name and this model preference list are registered with the backend; the credential values themselves stay on your machine.

How Keys Are Stored

OS keychain first

Sensitive fields (API keys, secret access keys) are stored in your OS's native credential store when available (macOS Keychain, Linux Secret Service, or Windows Credential Manager), the same pattern used by Claude Code, the GitHub CLI, and the AWS CLI.

Local file fallback

Each provider's config also lives at ~/.3xcode/providers/{provider}.json, created with owner-only permissions. When the keyring holds a secret, the JSON file stores a placeholder instead of the real value.

Never sent to the backend

Storing a key is registered with the 3XDE backend as metadata only: provider name and preferred models. The credential value itself is never transmitted, stored, or logged server-side.

Your code never leaves either

Independent of BYOK, source SQL is never sent to the 3XDE backend under any key mode. The backend only handles auth, licensing, provider-key metadata, and usage tracking. Conversion calls go directly from your machine to your chosen LLM provider.

Managing Keys

The keys command group covers the full lifecycle of a BYOK provider configuration:

CommandWhat it does
3xcode keys store --provider <name>Interactively prompts for and stores credentials for one provider (anthropic, bedrock, vertex, azure)
3xcode keys listTable of stored providers with masked credential values, preferred models, and storage backend (keyring vs. file)
3xcode keys statusReports which key source is currently active: a configured BYOK provider, or "Using platform key" if none is set
3xcode keys test --provider <name>Makes a minimal live API call to confirm the stored key actually works; only available while your account is in BYOK mode
3xcode keys delete <provider>Removes a provider's credentials from both the keychain and the local JSON file

3xcode keys test reports latency, the model tested, which key source was used, and the approval state of the request, useful for confirming a newly stored key before running it against a real conversion. If your account is not in BYOK mode, it prints a notice and returns without making a call.

Troubleshooting

keys store fails because BYOK is not yet assigned to your account

BYOK must be assigned by an admin before it fully activates. Run 3xcode contact-admin -m "Please enable BYOK for my account" to request it. If you're offline, keys store will optimistically allow local storage, but the actual conversion session will still gate on the backend-assigned key source.

keys test says "Only available in BYOK mode"

keys test checks your account's assigned key source before making a call. If your account is currently set to the platform key, testing a locally stored provider key is skipped. Confirm your key source with 3xcode keys status, and request BYOK access via contact-admin if needed.

A conversion errors out saying no local key was found

If your account's key source is set to "user" (BYOK) but no matching credentials exist on this machine, the CLI errors instead of silently falling back to the platform key. Run 3xcode keys store --provider <name> on this machine to store the key locally. BYOK credentials do not sync between machines.

Bedrock, Vertex, or Azure calls fail after storing keys

Double-check the plain-text fields alongside the secret: an incorrect AWS_REGION, ANTHROPIC_VERTEX_PROJECT_ID, or ANTHROPIC_FOUNDRY_BASE_URL will cause requests to fail even with a valid key. Re-run 3xcode keys store --provider <name> to overwrite the stored values, then confirm with keys test.

Switching back to the platform key

Delete your locally stored provider credentials with 3xcode keys delete <provider>, then contact your admin to have your account's key source reassigned to platform. Run keys status to confirm which source is active.