Getting Started
Authentication
Connect to any LLM provider using OAuth, API keys, or environment variables.
Authentication Methods
API Key (All Providers)
Browser-based login with PKCE security. Tokens refresh automatically.
API Key
Set environment variables or edit .env file directly.
Credentials File
Saved automatically by openanalyst login to ~/.openanalyst/credentials.json.
OAuth Login
The recommended way to authenticate. Supports all providers with automatic token refresh.
Direct Provider Login
All providers authenticate via API key. Get your key from the provider dashboard and paste it during login. Gemini also supports OAuth browser login.
# Interactive provider picker
openanalyst login
# Login to a specific provider
openanalyst login --provider anthropic
# Check logged-in providers
openanalyst whoamiHow OAuth Works
- You run
openanalyst loginand pick a provider - A browser window opens for the provider's consent page
- After authorization, the CLI receives a callback on
localhost:8080 - Tokens are stored encrypted in
~/.openanalyst/credentials.json - Tokens auto-refresh when expired — no re-login needed
Security
OAuth uses PKCE (Proof Key for Code Exchange) with SHA-256 challenge. No client secret is stored on disk.
API Key Authentication
Set API keys via environment variables or the .env file:
~/.openanalyst/.env
# OpenAnalyst (default provider)
OPENANALYST_AUTH_TOKEN=your-openanalyst-key
OPENANALYST_BASE_URL=https://api.openanalyst.com/api
# Anthropic / Claude
ANTHROPIC_API_KEY=sk-ant-api03-...
# OpenAI / GPT / Codex
OPENAI_API_KEY=sk-...
# Google Gemini (also supports OAuth: openanalyst login)
GEMINI_API_KEY=AIzaSy...
# xAI / Grok
XAI_API_KEY=xai-...
# OpenRouter (350+ models)
OPENROUTER_API_KEY=sk-or-v1-...
# Amazon Bedrock
BEDROCK_API_KEY=your-bedrock-keyProvider Resolution Order
When you specify a model, OpenAnalyst resolves the provider and auth in this order:
| Model | Provider | Auth Variable | Fallback |
|---|---|---|---|
openanalyst-beta | OpenAnalyst | OPENANALYST_AUTH_TOKEN | ANTHROPIC_API_KEY |
opus, sonnet, haiku | Anthropic | ANTHROPIC_API_KEY | — |
gpt-4o, o3, codex-mini | OpenAI | OPENAI_API_KEY | — |
gemini-2.5-pro | GEMINI_API_KEY | — | |
grok-3 | xAI | XAI_API_KEY | — |
openrouter/* | OpenRouter | OPENROUTER_API_KEY | — |
bedrock/* | Bedrock | BEDROCK_API_KEY | — |
Credentials File
After openanalyst login, tokens are saved to:
~/.openanalyst/credentials.jsonThis file contains OAuth access tokens, refresh tokens, and expiry timestamps. It is automatically managed — you should not edit it manually.
Warning
Never commit credentials.json or .env to version control. The ~/.openanalyst/ directory should remain private.
Logging Out
# Logout from all providers
openanalyst logout
# Or from within the TUI
/logout