API Keys
Manage LLM provider keys, understand BYOK vs managed models, and configure auth profiles.
API Keys
Reeve needs access to at least one LLM provider to power your agents. You can use your own API keys (BYOK) or managed models through Reeve Cloud.
BYOK vs Managed
| Feature | BYOK (Bring Your Own Key) | Managed |
|---|---|---|
| Setup | Add your API key from the provider | Included with Reeve Cloud subscription |
| Billing | Billed directly by the provider | Deducted from Reeve credit balance |
| Control | Full control over model selection and spend | Simplified — no external accounts needed |
| Availability | All models from all providers | Curated selection |
You can mix both — use managed models for convenience and BYOK for specific providers.
Adding API Keys
Navigate to Settings → Models in the Cockpit
Click Add Provider and select the provider
Paste your API key
Click Test — Reeve makes a real API call to verify the key works
Click Save
The UI shows a green indicator for connected providers and lets you drag-reorder the fallback chain.
Interactive setup:
reeve configure --section authOr via the onboarding wizard:
reeve onboardBoth walk you through adding provider keys interactively.
Edit reeve.json directly:
{
"models": {
"providers": {
"anthropic": {
"apiKey": "sk-ant-api03-..."
},
"openai": {
"apiKey": "sk-..."
},
"openrouter": {
"apiKey": "sk-or-..."
}
}
}
}Supported Providers
| Provider | Key prefix | Where to get it |
|---|---|---|
| Anthropic | sk-ant- | console.anthropic.com |
| OpenAI | sk- | platform.openai.com |
| OpenRouter | sk-or- | openrouter.ai/keys |
| Google (Gemini) | AI... | aistudio.google.com |
| Amazon Bedrock | IAM credentials | AWS Console |
| Ollama | None (local) | ollama.com |
See Providers for the complete list and model-specific configuration.
Fallback Chain
When your primary provider fails (rate limit, outage, network error), Reeve automatically tries the next provider in the chain:
{
"models": {
"fallback": ["anthropic", "openai", "openrouter"]
}
}In this example, if Anthropic fails, Reeve tries OpenAI. If OpenAI also fails, it tries OpenRouter. Configure the order in the Cockpit via drag-and-drop, or in the config file.
See Model Failover for details on how failover works.
Auth Profiles
API keys are stored in auth profiles — encrypted files in the agent workspace:
~/.reeve/agents/<agentId>/agent/auth-profiles.jsonAuth profiles support multiple key sources:
- Direct API keys (most common)
- OAuth credentials (for providers that support it)
- Environment variables (
ANTHROPIC_API_KEY,OPENAI_API_KEY)
Reeve resolves keys in this order:
- Auth profile for the specific agent
- Global config (
models.providers.*.apiKey) - Environment variables
Key Security
- API keys are stored encrypted via Reeve's TokenVault
- Keys are never exposed to agents — agents call tools, tools use keys internally
- Keys are never logged or included in error messages
- When displayed in the UI, keys are masked (e.g.,
sk-ant-...****) - You can test keys before saving to avoid storing invalid credentials
Never share your API keys or commit them to version control. Use environment variables or the Cockpit UI for key management. Reeve encrypts stored keys, but the encryption is only as strong as your filesystem security.
Environment Variables
For server deployments, you can set keys via environment variables instead of config files:
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."
export BRAVE_API_KEY="BSA..."These are picked up automatically by the gateway on startup.