Getting Started

Authentication

Three ways to give the CLI credentials — OpenAnalyst account login, an sk-oa-v1-* key, or your own per-provider API keys. Mix and match.

Authentication Methods

🔑

OpenAnalyst Account Login

Recommended. Email + 6-digit OTP. Frontier models on one credit balance, plus skills & plugins from 10x.in.

🔐

OpenAnalyst API Key

Long-lived sk-oa-v1-* key from 10x.in → Dashboard → API Keys. Same catalog, static credential.

📄

Bring Your Own Keys (BYOP)

Your own Anthropic, OpenAI, Gemini, xAI, OpenRouter, or Bedrock keys. Set as env vars or in ~/.openanalyst/.env.

1. OpenAnalyst Account Login (recommended)

The fastest path from a fresh install to a working AI call. One credential covers every frontier model the CLI knows about, billed against a single credit balance you can top up at 10x.in.

Don't have an account yet?
Sign up at 10x.in — it's free, takes 30 seconds, and new accounts get free credits to try the CLI immediately. You'll also get access to 10x.in/skills (curated slash commands) and 10x.in/plugins (CRM, deploy, doc-reader tools). 
# Sign in with email + OTP — no browser, no API key
openanalyst account login

# Skip the email prompt
openanalyst account login --email you@example.com

# See plan + credits anytime
openanalyst account status

# Sign out
openanalyst account logout

How the OTP flow works

  1. The CLI asks for your email.
  2. It hits POST ai.10x.in/v2/auth/passwordless/start — a 6-digit code is emailed to you.
  3. You paste the code; the CLI hits POST ai.10x.in/v2/auth/passwordless/confirm.
  4. On success the dedicated OpenAnalyst access token is stored locally in ~/.openanalyst/credentials.json as OPENANALYST_AUTH_TOKEN with auth_method="oauth".
  5. Subsequent CLI runs pick it up automatically — inference flows through api.openanalyst.com/api/v1 with that token as a Bearer.
Token lifetime
The CLI-issued access token expires after ~1 hour. The web console (openanalyst --serve → Settings → Account) auto-refreshes it. For the pure-CLI path, just re-run openanalyst account login if you see a 401 — the round trip takes about 10 seconds.

2. OpenAnalyst API Key

Prefer a long-lived static credential? Mint an sk-oa-v1-* key at 10x.in → Dashboard → API Keys, then expose it:

Shell or ~/.openanalyst/.env
# Either as an env var
export OPENANALYST_API_KEY=sk-oa-v1-...

# Or persist once in the dotenv file
echo "OPENANALYST_API_KEY=sk-oa-v1-..." >> ~/.openanalyst/.env

Same model catalog, same credits as the account-login path — just authenticated with a static key instead of a session. The API key is sent as x-api-key; the OAuth token is sent as Authorization: Bearer. The OpenAnalyst gateway accepts both schemes interchangeably.

3. Bring Your Own Provider Keys (BYOP)

Already pay Anthropic / OpenAI / Gemini / xAI directly and want to use those keys? Fully supported. The CLI auto-discovers what's available based on which env vars are set and surfaces only the models you can actually use.

~/.openanalyst/.env
# Anthropic / Claude
ANTHROPIC_API_KEY=sk-ant-api03-...

# OpenAI / GPT / Codex
OPENAI_API_KEY=sk-...

# Google Gemini
GEMINI_API_KEY=AIzaSy...

# xAI / Grok
XAI_API_KEY=xai-...

# OpenRouter (350+ models behind one key)
OPENROUTER_API_KEY=sk-or-v1-...

# Amazon Bedrock
BEDROCK_API_KEY=your-bedrock-key

# Image generation
STABILITY_API_KEY=...
GEMINI_IMAGE_API_KEY=...   # or reuse GEMINI_API_KEY
OPENAI_IMAGE_API_KEY=...   # or reuse OPENAI_API_KEY

# Web search (used by /scrape and the WebSearch tool)
BRAVE_SEARCH_API_KEY=...
TAVILY_API_KEY=...
SERPER_API_KEY=...
EXA_API_KEY=...

You can mix BYOP with an OpenAnalyst login. Both work side-by-side; you choose per-session which one inference uses via the --model flag (the CLI picks the right credential for the model you name) or via the web console's Settings → Account → "Use account login / Use API key" chooser.

Provider Resolution Order

When you name a model with -m or the /model slash command, the CLI picks the credential like this:

Model aliasProviderAuth (in order)
openanalyst-beta, openanalyst-maxOpenAnalyst gatewayOPENANALYST_AUTH_TOKEN (OAuth) → OPENANALYST_API_KEY (manual)
opus, sonnet, haikuAnthropic or OpenAnalyst gatewayDirect: ANTHROPIC_API_KEY · via OA: routed automatically
claude-opus-4-6, claude-sonnet-4-6Anthropic (direct)ANTHROPIC_API_KEY
gpt-5, gpt-4.1, o3, o4-miniOpenAI or OpenAnalyst gatewayDirect: OPENAI_API_KEY · via OA: routed automatically
gemini-3-pro, gemini-3-flashGoogle or OpenAnalyst gatewayDirect: GEMINI_API_KEY · via OA: routed automatically
grok-4, grok-4-fastxAI or OpenAnalyst gatewayDirect: XAI_API_KEY · via OA: routed automatically
openrouter/*OpenRouterOPENROUTER_API_KEY
bedrock/*BedrockBEDROCK_API_KEY

Credentials File

All credentials — both account login tokens and manually-pasted keys — live in:

~/.openanalyst/credentials.json

Schema: one entry per provider, each carrying an encrypted secret, auth_method (oauth for OTP-issued tokens, api_key for manual keys), and metadata (email, expiry, refresh cookie for OAuth). The file is automatically managed — do not edit it by hand.

Never commit credentials
Don't commit credentials.json or .env to version control. The entire ~/.openanalyst/ directory should stay local. Credentials are encrypted at rest using a per-machine key, but anything committed to a repo is effectively public the moment it's pushed.

Signing Out

# Sign out of your OpenAnalyst account
openanalyst account logout

# Wipe ALL credentials (account + BYOP keys)
openanalyst logout

# From within the TUI
/logout
← Quick Start LLM Providers →