Authentication
Overview
Section titled “Overview”nxusKit supports multiple authentication methods depending on the provider. This matrix shows which methods are available for each provider and how to configure them.
Provider Matrix
Section titled “Provider Matrix”| Provider | Auth Required | API Key | OAuth | Env Variable | Dashboard |
|---|---|---|---|---|---|
| OpenAI / GPT | Yes | Yes | — | OPENAI_API_KEY | platform.openai.com/api-keys |
| Anthropic / Claude | Yes | Yes | — | ANTHROPIC_API_KEY | console.anthropic.com/settings/keys |
| Groq | Yes | Yes | — | GROQ_API_KEY | console.groq.com/keys |
| Mistral AI | Yes | Yes | — | MISTRAL_API_KEY | console.mistral.ai/api-keys |
| Fireworks AI | Yes | Yes | — | FIREWORKS_API_KEY | fireworks.ai/account/api-keys |
| Together AI | Yes | Yes | — | TOGETHER_API_KEY | api.together.ai/settings/api-keys |
| OpenRouter | Yes | Yes | — | OPENROUTER_API_KEY | openrouter.ai/settings/keys |
| Perplexity | Yes | Yes | — | PERPLEXITY_API_KEY | perplexity.ai/settings/api |
| Ollama | No | — | — | OLLAMA_HOST | — |
| LM Studio | No | — | — | LMSTUDIO_HOST | — |
Legend: Yes = supported, — = not applicable
Authentication Methods
Section titled “Authentication Methods”API Key
Section titled “API Key”The standard authentication method for cloud providers. Obtain a key from the provider’s dashboard, then configure via any of these methods:
Environment variable (recommended for development and CI/CD):
export OPENAI_API_KEY="sk-..."Credential store (recommended for persistent local development):
nxuskit-cli provider set openai sk-...This stores the key in the OS credential store (macOS Keychain, Windows Credential Manager, or Linux secret-service). Falls back to a file-based store with 0600 permissions if no system store is available.
Explicit parameter (for programmatic use):
provider = Provider.create("openai", api_key="sk-...")OAuth support is available for providers that require browser-based authorization. The current cloud providers use API keys, so most projects will not need this flow. When a provider requires OAuth, use:
# Start OAuth loginnxuskit-cli provider login <provider>
# Check auth statusnxuskit-cli provider statusThe OAuth flow uses:
- PKCE (SHA-256 code challenge) for security
- Localhost callback on an ephemeral port
- State/CSRF validation
- Automatic browser launch
No Authentication
Section titled “No Authentication”Local providers (Ollama, LM Studio) run on the local machine and do not
require authentication. The host env variable is optional and defaults to
localhost on the provider’s default port.
Credential Precedence
Section titled “Credential Precedence”When multiple credential sources exist, the SDK uses this precedence order:
| Priority | Source | Example |
|---|---|---|
| 1 (highest) | Explicit API parameter | Provider.create("openai", api_key="sk-...") |
| 2 | Environment variable | OPENAI_API_KEY=sk-... |
| 3 (lowest) | OS credential store | Via nxuskit-cli provider set |
Checking Auth Status
Section titled “Checking Auth Status”View authentication status for all providers:
nxuskit-cli provider statusFor a specific provider:
nxuskit-cli provider status openaiJSON output (for scripts):
nxuskit-cli provider status --jsonExample output:
Provider Status Source Auth Methods─────────────────────────────────────────────────────────────openai Authenticated env api_keyclaude Authenticated store api_keygroq Not authenticated — api_keyollama Not required — —lm-studio Not required — —Managing Credentials
Section titled “Managing Credentials”# Store a credentialnxuskit-cli provider set <provider> <api-key>
# Remove a stored credentialnxuskit-cli provider remove <provider>
# View statusnxuskit-cli provider status [provider]Per-Language Configuration
Section titled “Per-Language Configuration”use nxuskit::{auth_status, auth_set_credential, auth_resolve};
// Check statuslet status = auth_status("openai")?;
// Store credentialauth_set_credential("openai", "sk-...")?;
// Resolve credential (follows precedence chain)let resolution = auth_resolve("openai", None)?;import "github.com/nxus-SYSTEMS/nxuskit-go"
// Check statusstatus, err := nxuskit.AuthStatus("openai")
// Store credentialerr = nxuskit.AuthSetCredential("openai", "sk-...")
// Resolve credentialresolution, err := nxuskit.AuthResolve("openai", "")Python
Section titled “Python”from nxuskit import auth_status, auth_set_credential, auth_resolve
# Check statusstatus = auth_status("openai")
# Store credentialauth_set_credential("openai", "sk-...")
# Resolve credentialresolution = auth_resolve("openai")