Skip to main content
Deep Agents Code needs an API key for each model provider you use. The recommended way to add one is the /auth credential manager. For non-interactive runs, manage the same stored keys from the shell with dcode auth or set environment variables instead. If the same key is set in more than one place, see Key resolution order for which one wins. For .env loading order and the DEEPAGENTS_CODE_ prefix, see Configuration. Open the credential manager from any session:
/auth
The manager lists installed LLM provider and whether they have an environment key set, surfaces known providers that you can add from within the app, and includes non-model services such as Tavily web search. Select a provider to add or replace its key, install support for an uninstalled provider, or remove one you have already stored. Keys you add persist across sessions.
Each row shows the provider name followed by where its key comes from:
LabelMeaning
[stored]A key saved in this manager via /auth
[env: VARNAME]The key comes from environment variable VARNAME (the resolved name, such as DEEPAGENTS_CODE_OPENAI_API_KEY or OPENAI_API_KEY)
[missing]No key is stored and the env var is unset; select the row to paste one
The /auth prompt also has an optional base URL field. Leave it blank to use the provider’s default endpoint, or set a custom one to use with this key. The base URL is saved alongside the key. See Endpoints, keys, and gateways for how endpoints resolve, including with gateways.
A stored base URL is not a secret and may be logged; the key paired with it is never logged.
Keys are scoped to your user account on this machine — Deep Agents Code never transmits them anywhere except to the configured provider’s API.

Sign in with ChatGPT

Selecting the openai_codex provider in /auth starts a browser sign-in instead of prompting for an API key, letting you use OpenAI models with a ChatGPT subscription. To re-authenticate or sign out, select openai_codex again. See Sign in with ChatGPT (Codex models) for the full flow. /auth manages LLM provider credentials, the Tavily web-search key, and LangSmith tracing. Enter a Tavily key to activate web search on the next launch. Enter a LangSmith key to enable tracing. Keys are also read from the environment. You can set them in ~/.deepagents/.env or your shell.

Manage credentials from the shell (dcode auth)

The dcode auth command group is the scriptable equivalent of the /auth manager: it manages the same stored credentials without launching the TUI, which makes it usable for dotfile bootstrap, CI/CD, and setting a key on a remote box over SSH. The subcommands mirror the modal’s verbs:
CommandDescription
dcode auth list (alias ls)List every known provider and where its key resolves from
dcode auth status <provider>Print the resolution source for one provider
dcode auth set <provider>Store an API key, read from stdin by default
dcode auth remove <provider> (aliases rm, delete)Delete a stored credential
dcode auth pathPrint the resolved path to the credential store (auth.json)
set reads the key from stdin by default, so it never lands in shell history or argv. Pipe the key in, or use --from-env VAR to copy it from a process environment variable:
# Pipe the key in (stdin)
echo "$ANTHROPIC_API_KEY" | dcode auth set anthropic

# Copy it from an existing environment variable
dcode auth set openai --from-env OPENAI_API_KEY
set refuses to run in an interactive terminal so an accidental invocation cannot hang waiting on input — pipe the key via stdin or use --from-env VAR. Stored keys go through the same store as /auth, so warnings (for example, about file permissions on auth.json) are printed to stderr.
Remove a stored key or print the store location:
dcode auth remove anthropic
dcode auth path
dcode auth set manages API keys only. The openai_codex provider uses a ChatGPT browser sign-in rather than an API key, so run /auth and select openai_codex to sign in instead. dcode auth remove openai_codex does sign you out.

Environment variables (CI and headless)

For non-interactive runs, CI/CD pipelines, or anywhere a TUI isn’t available, export the provider’s env var in your shell:
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."

# Prefix with DEEPAGENTS_CODE_ to scope a key to Deep Agents Code only,
# leaving a shared key used by other CI steps untouched
export DEEPAGENTS_CODE_OPENAI_API_KEY="sk-..."
To keep keys in a file instead, define them in a .env file.

Key resolution order

When a provider’s key is set in more than one place, Deep Agents Code uses the first of these that is set:
  1. DEEPAGENTS_CODE_-prefixed env var — for example DEEPAGENTS_CODE_OPENAI_API_KEY as an inline shell export. The DEEPAGENTS_CODE_ prefix is the explicit “use this key in Deep Agents Code” override.
  2. App-stored key — entered in the /auth credential manager.
  3. Plain provider env var — for example OPENAI_API_KEY, from your shell or .env files.
An app-stored key wins over a plain env-var key for the same provider, but a DEEPAGENTS_CODE_-prefixed key wins over an app-stored key. The prefix is the way to override an already-stored key for a single run, without clearing it:
# With a key already stored via /auth, a plain env var does not override it.
# dcode still uses the app-stored key for this run:
OPENAI_API_KEY=sk-xxxx dcode -n "..."

# The DEEPAGENTS_CODE_ prefix does override it, for this run only:
DEEPAGENTS_CODE_OPENAI_API_KEY=sk-xxxx dcode -n "..."
This layering exists for the common case where your machine already exports a plain provider variable for some other purpose — a shared OPENAI_API_KEY used by other tools, scripts, or CI — that you do not want Deep Agents Code to reuse. An app-stored key or a DEEPAGENTS_CODE_-prefixed variable gives Deep Agents Code its own value while leaving the unprefixed one untouched for everything else, so the two never mix. Each provider’s API key and its endpoint (base_url) resolve as a pair from the same source. See Endpoints, keys, and gateways.

Enable web search with Tavily

The built-in web_search tool uses Tavily. Deep Agents Code shows a “Web search disabled” notification on startup until you provide a key. You can store the key in the /auth credential manager, where Tavily appears as a non-model service, or set the TAVILY_API_KEY environment variable.

See also