Authentication
Overview
Section titled “Overview”nxusKit supports multiple authentication methods depending on the provider. This matrix shows which methods are available for each provider and how to configure them.
Provider Matrix
Section titled “Provider Matrix”| Provider | Auth Required | API Key | OAuth | Env Variable | Dashboard |
|---|---|---|---|---|---|
| OpenAI / GPT | Yes | Yes | — | OPENAI_API_KEY | platform.openai.com/api-keys |
| Anthropic / Claude | Yes | Yes | — | ANTHROPIC_API_KEY | console.anthropic.com/settings/keys |
| xAI Grok | Yes | Yes | — | XAI_API_KEY | console.x.ai |
| Groq | Yes | Yes | — | GROQ_API_KEY | console.groq.com/keys |
| Mistral AI | Yes | Yes | — | MISTRAL_API_KEY | console.mistral.ai/api-keys |
| Fireworks AI | Yes | Yes | — | FIREWORKS_API_KEY | fireworks.ai/account/api-keys |
| Together AI | Yes | Yes | — | TOGETHER_API_KEY | api.together.ai/settings/api-keys |
| OpenRouter | Yes | Yes | — | OPENROUTER_API_KEY | openrouter.ai/settings/keys |
| Perplexity | Yes | Yes | — | PERPLEXITY_API_KEY | perplexity.ai/settings/api |
| Ollama | No | — | — | OLLAMA_HOST | — |
| LM Studio | No | — | — | LM_STUDIO_HOST | — |
Legend: Yes = supported, — = not applicable/not yet available
Authentication Methods
Section titled “Authentication Methods”API Key
Section titled “API Key”The standard authentication method for cloud providers. Obtain a key from the provider’s dashboard, then configure via any of these methods:
Environment variable (recommended for development and CI/CD):
export OPENAI_API_KEY="sk-..."Credential store (recommended for persistent local development):
nxuskit-cli provider set openai sk-...This stores the key in the OS credential store (macOS Keychain, Windows Credential Manager, or Linux secret-service). Falls back to a file-based store with 0600 permissions if no system store is available.
Explicit parameter (for programmatic use):
provider = Provider.create("openai", api_key="sk-...")OAuth (Infrastructure Ready)
Section titled “OAuth (Infrastructure Ready)”OAuth authentication infrastructure is implemented in v0.9.1 but no current providers require it. When a provider enables OAuth support, the flow will be:
# Start OAuth loginnxuskit-cli provider login <provider>
# Check auth statusnxuskit-cli provider statusThe OAuth flow uses:
- PKCE (SHA-256 code challenge) for security
- Localhost callback on an ephemeral port
- State/CSRF validation
- Automatic browser launch
No Authentication
Section titled “No Authentication”Local providers (Ollama, LM Studio) run on the local machine and do not
require authentication. The host env variable is optional and defaults to
localhost on the provider’s default port.
Credential Precedence
Section titled “Credential Precedence”When multiple credential sources exist, the SDK uses this precedence order:
| Priority | Source | Example |
|---|---|---|
| 1 (highest) | Explicit API parameter | Provider.create("openai", api_key="sk-...") |
| 2 | Environment variable | OPENAI_API_KEY=sk-... |
| 3 (lowest) | OS credential store | Via nxuskit-cli provider set |
Checking Auth Status
Section titled “Checking Auth Status”View authentication status for all providers:
nxuskit-cli provider statusFor a specific provider:
nxuskit-cli provider status openaiJSON output (for scripts):
nxuskit-cli provider status --jsonExample output:
Provider Status Source Auth Methods─────────────────────────────────────────────────────────────openai Authenticated env api_keyclaude Authenticated store api_keyxai Not authenticated — api_keygroq Not authenticated — api_keyollama Not required — —lm-studio Not required — —Managing Credentials
Section titled “Managing Credentials”# Store a credentialnxuskit-cli provider set <provider> <api-key>
# Remove a stored credentialnxuskit-cli provider remove <provider>
# View statusnxuskit-cli provider status [provider]Per-Language Configuration
Section titled “Per-Language Configuration”use nxuskit::{auth_status, auth_set_credential, auth_resolve};
// Check statuslet status = auth_status("openai")?;
// Store credentialauth_set_credential("openai", "sk-...")?;
// Resolve credential (follows precedence chain)let resolution = auth_resolve("openai", None)?;import "github.com/nxus-SYSTEMS/nxuskit-go"
// Check statusstatus, err := nxuskit.AuthStatus("openai")
// Store credentialerr = nxuskit.AuthSetCredential("openai", "sk-...")
// Resolve credentialresolution, err := nxuskit.AuthResolve("openai", "")Python
Section titled “Python”from nxuskit import auth_status, auth_set_credential, auth_resolve
# Check statusstatus = auth_status("openai")
# Store credentialauth_set_credential("openai", "sk-...")
# Resolve credentialresolution = auth_resolve("openai")