> ## Documentation Index
> Fetch the complete documentation index at: https://docs.langchain.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Provider credentials

> Add and manage API keys for model providers, Tavily web search, and LangSmith tracing

Deep Agents Code needs an API key for each model provider you use. The recommended way to add one is the [`/auth`](#use-%2Fauth-recommended) credential manager. For non-interactive runs, manage the same stored keys from the shell with [`dcode auth`](#manage-credentials-from-the-shell-dcode-auth) or set [environment variables](#environment-variables-ci-and-headless) instead.

If the same key is set in more than one place, see [Key resolution order](#key-resolution-order) for which one wins.

For `.env` loading order and the `DEEPAGENTS_CODE_` prefix, see [Configuration](/oss/python/deepagents/code/configuration#environment-variables).

## Use `/auth` (recommended)

Open the credential manager from any session:

```txt theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
/auth
```

The manager lists installed LLM provider and whether they have an environment key set, surfaces known providers that you can add from within the app, and includes non-model services such as Tavily web search. Select a provider to add or replace its key, install support for an uninstalled provider, or remove one you have already stored. Keys you add persist across sessions.

<Accordion title="Provider row labels" icon="list-check">
  Each row shows the provider name followed by where its key comes from:

  | Label            | Meaning                                                                                                                             |
  | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
  | `[stored]`       | A key saved in this manager via `/auth`                                                                                             |
  | `[env: VARNAME]` | The key comes from environment variable `VARNAME` (the resolved name, such as `DEEPAGENTS_CODE_OPENAI_API_KEY` or `OPENAI_API_KEY`) |
  | `[missing]`      | No key is stored and the env var is unset; select the row to paste one                                                              |
</Accordion>

The `/auth` prompt also has an optional **base URL** field. Leave it blank to use the provider's default endpoint, or set a custom one to use with this key. The base URL is saved alongside the key. See [Endpoints, keys, and gateways](/oss/python/deepagents/code/config-file#endpoints-keys-and-gateways) for how endpoints resolve, including with gateways.

<Warning>
  A stored base URL is not a secret and may be logged; the key paired with it is never logged.
</Warning>

<Note>
  Keys are scoped to your user account on this machine — Deep Agents Code never transmits them anywhere except to the configured provider's API.
</Note>

### Sign in with ChatGPT

Selecting the `openai_codex` provider in `/auth` starts a browser sign-in instead of prompting for an API key, letting you use OpenAI models with a ChatGPT subscription. To re-authenticate or sign out, select `openai_codex` again. See [Sign in with ChatGPT (Codex models)](/oss/python/deepagents/code/providers) for the full flow.

`/auth` manages LLM provider credentials, the Tavily web-search key, and LangSmith tracing. Enter a Tavily key to [activate web search](#enable-web-search-with-tavily) on the next launch. Enter a LangSmith key to enable tracing. Keys are also read from the environment. You can [set them in `~/.deepagents/.env` or your shell](/oss/python/deepagents/code/configuration#environment-variables).

## Manage credentials from the shell (`dcode auth`)

The `dcode auth` command group is the scriptable equivalent of the `/auth` manager: it manages the same stored credentials without launching the TUI, which makes it usable for dotfile bootstrap, CI/CD, and setting a key on a remote box over SSH. The subcommands mirror the modal's verbs:

| Command                                                 | Description                                                   |
| ------------------------------------------------------- | ------------------------------------------------------------- |
| `dcode auth list` (alias `ls`)                          | List every known provider and where its key resolves from     |
| `dcode auth status <provider>`                          | Print the resolution source for one provider                  |
| `dcode auth set <provider>`                             | Store an API key, read from stdin by default                  |
| `dcode auth remove <provider>` (aliases `rm`, `delete`) | Delete a stored credential                                    |
| `dcode auth path`                                       | Print the resolved path to the credential store (`auth.json`) |

`set` reads the key from **stdin** by default, so it never lands in shell history or `argv`. Pipe the key in, or use `--from-env VAR` to copy it from a process environment variable:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
# Pipe the key in (stdin)
echo "$ANTHROPIC_API_KEY" | dcode auth set anthropic

# Copy it from an existing environment variable
dcode auth set openai --from-env OPENAI_API_KEY
```

<Note>
  `set` refuses to run in an interactive terminal so an accidental invocation cannot hang waiting on input — pipe the key via stdin or use `--from-env VAR`. Stored keys go through the same store as `/auth`, so warnings (for example, about file permissions on `auth.json`) are printed to stderr.
</Note>

Remove a stored key or print the store location:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
dcode auth remove anthropic
dcode auth path
```

<Note>
  `dcode auth set` manages API keys only. The `openai_codex` provider uses a ChatGPT browser sign-in rather than an API key, so run [`/auth` and select `openai_codex`](#sign-in-with-chatgpt) to sign in instead. `dcode auth remove openai_codex` does sign you out.
</Note>

## Environment variables (CI and headless)

For non-interactive runs, CI/CD pipelines, or anywhere a TUI isn't available, export the provider's env var in your shell:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."

# Prefix with DEEPAGENTS_CODE_ to scope a key to Deep Agents Code only,
# leaving a shared key used by other CI steps untouched
export DEEPAGENTS_CODE_OPENAI_API_KEY="sk-..."
```

To keep keys in a file instead, define them in a [`.env` file](/oss/python/deepagents/code/configuration#environment-variables).

## Key resolution order

When a provider's key is set in more than one place, Deep Agents Code uses the first of these that is set:

1. **`DEEPAGENTS_CODE_`-prefixed env var** — for example `DEEPAGENTS_CODE_OPENAI_API_KEY` as an inline shell export. The [`DEEPAGENTS_CODE_` prefix](/oss/python/deepagents/code/configuration#deepagents_code_-prefix) is the explicit "use this key in Deep Agents Code" override.
2. **App-stored key** — entered in the `/auth` credential manager.
3. **Plain provider env var** — for example `OPENAI_API_KEY`, from your shell or `.env` files.

An app-stored key wins over a plain env-var key for the same provider, but a `DEEPAGENTS_CODE_`-prefixed key wins over an app-stored key. The prefix is the way to override an already-stored key for a single run, without clearing it:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
# With a key already stored via /auth, a plain env var does not override it.
# dcode still uses the app-stored key for this run:
OPENAI_API_KEY=sk-xxxx dcode -n "..."

# The DEEPAGENTS_CODE_ prefix does override it, for this run only:
DEEPAGENTS_CODE_OPENAI_API_KEY=sk-xxxx dcode -n "..."
```

This layering exists for the common case where your machine already exports a plain provider variable for some other purpose — a shared `OPENAI_API_KEY` used by other tools, scripts, or CI — that you do not want Deep Agents Code to reuse. An app-stored key or a `DEEPAGENTS_CODE_`-prefixed variable gives Deep Agents Code its own value while leaving the unprefixed one untouched for everything else, so the two never mix.

Each provider's API key and its endpoint (`base_url`) resolve as a pair from the same source. See [Endpoints, keys, and gateways](/oss/python/deepagents/code/config-file#endpoints-keys-and-gateways).

## Enable web search with Tavily

The built-in `web_search` tool uses [Tavily](https://tavily.com). Deep Agents Code shows a "Web search disabled" notification on startup until you provide a key. You can store the key in the [`/auth`](#use-%2Fauth-recommended) credential manager, where Tavily appears as a non-model service, or set the `TAVILY_API_KEY` environment variable.

<Tabs>
  <Tab title="Use /auth (recommended)">
    Get a key from [tavily.com](https://tavily.com) (it starts with `tvly-`; the free tier is sufficient for most Deep Agents Code usage), then store it in the credential manager:

    ```txt theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
    /auth
    ```

    Select **Tavily** from the list and paste the key. You can also reach this prompt directly from the "Web search disabled" notification by choosing **Enter API key**.
  </Tab>

  <Tab title="Set an environment variable">
    <Steps>
      <Step title="Get a key">
        Sign up at [tavily.com](https://tavily.com) and copy the key (it starts with `tvly-`). The free tier is sufficient for most Deep Agents Code usage.
      </Step>

      <Step title="Add it to your environment">
        Add the key to `~/.deepagents/.env` so every session picks it up:

        ```bash title="~/.deepagents/.env" theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
        TAVILY_API_KEY=tvly-...
        ```

        Shell exports take precedence over `.env` values (see [Loading order and precedence](/oss/python/deepagents/code/configuration#loading-order-and-precedence)). To scope a key to Deep Agents Code only without affecting other tools that read `TAVILY_API_KEY`, use the [`DEEPAGENTS_CODE_` prefix](/oss/python/deepagents/code/configuration#deepagents_code_-prefix): `DEEPAGENTS_CODE_TAVILY_API_KEY=tvly-...`.
      </Step>

      <Step title="Reload or restart">
        In an existing session, run `/reload` to re-read `.env` files. On the next launch, the "Web search disabled" notification goes away and the agent can call `web_search`.
      </Step>
    </Steps>
  </Tab>
</Tabs>

## See also

* [Configuration](/oss/python/deepagents/code/configuration)
* [Config file](/oss/python/deepagents/code/config-file)
* [Providers](/oss/python/deepagents/code/providers)
* [Quickstart](/oss/python/deepagents/code/quickstart)

***

<div className="source-links">
  <Callout icon="terminal-2">
    [Connect these docs](/use-these-docs) to Claude, VSCode, and more via MCP for real-time answers.
  </Callout>

  <Callout icon="edit">
    [Edit this page on GitHub](https://github.com/langchain-ai/docs/edit/main/src/oss/deepagents/code/credentials.mdx) or [file an issue](https://github.com/langchain-ai/docs/issues/new/choose).
  </Callout>
</div>
