/auth credential manager. For non-interactive runs, manage the same stored keys from the shell with dcode auth or set environment variables instead.
If the same key is set in more than one place, see Key resolution order for which one wins.
For .env loading order and the DEEPAGENTS_CODE_ prefix, see Configuration.
Use /auth (recommended)
Open the credential manager from any session:
Provider row labels
Provider row labels
Each row shows the provider name followed by where its key comes from:
| Label | Meaning |
|---|---|
[stored] | A key saved in this manager via /auth |
[env: VARNAME] | The key comes from environment variable VARNAME (the resolved name, such as DEEPAGENTS_CODE_OPENAI_API_KEY or OPENAI_API_KEY) |
[missing] | No key is stored and the env var is unset; select the row to paste one |
/auth prompt also has an optional base URL field. Leave it blank to use the provider’s default endpoint, or set a custom one to use with this key. The base URL is saved alongside the key. See Endpoints, keys, and gateways for how endpoints resolve, including with gateways.
Keys are scoped to your user account on this machine — Deep Agents Code never transmits them anywhere except to the configured provider’s API.
Sign in with ChatGPT
Selecting theopenai_codex provider in /auth starts a browser sign-in instead of prompting for an API key, letting you use OpenAI models with a ChatGPT subscription. To re-authenticate or sign out, select openai_codex again. See Sign in with ChatGPT (Codex models) for the full flow.
/auth manages LLM provider credentials, the Tavily web-search key, and LangSmith tracing. Enter a Tavily key to activate web search on the next launch. Enter a LangSmith key to enable tracing. Keys are also read from the environment. You can set them in ~/.deepagents/.env or your shell.
Manage credentials from the shell (dcode auth)
The dcode auth command group is the scriptable equivalent of the /auth manager: it manages the same stored credentials without launching the TUI, which makes it usable for dotfile bootstrap, CI/CD, and setting a key on a remote box over SSH. The subcommands mirror the modal’s verbs:
| Command | Description |
|---|---|
dcode auth list (alias ls) | List every known provider and where its key resolves from |
dcode auth status <provider> | Print the resolution source for one provider |
dcode auth set <provider> | Store an API key, read from stdin by default |
dcode auth remove <provider> (aliases rm, delete) | Delete a stored credential |
dcode auth path | Print the resolved path to the credential store (auth.json) |
set reads the key from stdin by default, so it never lands in shell history or argv. Pipe the key in, or use --from-env VAR to copy it from a process environment variable:
set refuses to run in an interactive terminal so an accidental invocation cannot hang waiting on input — pipe the key via stdin or use --from-env VAR. Stored keys go through the same store as /auth, so warnings (for example, about file permissions on auth.json) are printed to stderr.dcode auth set manages API keys only. The openai_codex provider uses a ChatGPT browser sign-in rather than an API key, so run /auth and select openai_codex to sign in instead. dcode auth remove openai_codex does sign you out.Environment variables (CI and headless)
For non-interactive runs, CI/CD pipelines, or anywhere a TUI isn’t available, export the provider’s env var in your shell:.env file.
Key resolution order
When a provider’s key is set in more than one place, Deep Agents Code uses the first of these that is set:DEEPAGENTS_CODE_-prefixed env var — for exampleDEEPAGENTS_CODE_OPENAI_API_KEYas an inline shell export. TheDEEPAGENTS_CODE_prefix is the explicit “use this key in Deep Agents Code” override.- App-stored key — entered in the
/authcredential manager. - Plain provider env var — for example
OPENAI_API_KEY, from your shell or.envfiles.
DEEPAGENTS_CODE_-prefixed key wins over an app-stored key. The prefix is the way to override an already-stored key for a single run, without clearing it:
OPENAI_API_KEY used by other tools, scripts, or CI — that you do not want Deep Agents Code to reuse. An app-stored key or a DEEPAGENTS_CODE_-prefixed variable gives Deep Agents Code its own value while leaving the unprefixed one untouched for everything else, so the two never mix.
Each provider’s API key and its endpoint (base_url) resolve as a pair from the same source. See Endpoints, keys, and gateways.
Enable web search with Tavily
The built-inweb_search tool uses Tavily. Deep Agents Code shows a “Web search disabled” notification on startup until you provide a key. You can store the key in the /auth credential manager, where Tavily appears as a non-model service, or set the TAVILY_API_KEY environment variable.
- Use /auth (recommended)
- Set an environment variable
Get a key from tavily.com (it starts with Select Tavily from the list and paste the key. You can also reach this prompt directly from the “Web search disabled” notification by choosing Enter API key.
tvly-; the free tier is sufficient for most Deep Agents Code usage), then store it in the credential manager:See also
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

