Store and manage LLM provider credentials securely — API keys or browser-based OAuth
praisonai auth stores provider credentials locally so praisonai run works without exporting env vars every session. Two methods are supported: a long-lived API key, or a short-lived OAuth token signed in via your browser.
# Interactive — key is hidden at the promptpraisonai auth login openai# Then run immediatelypraisonai run "What is 2+2?"
# Browser opens; sign in; tokens stored + auto-refreshedpraisonai auth login acme --method oauthpraisonai run "What is 2+2?"
OAuth login is available per provider. If a provider isn’t OAuth-capable, auto falls back to the API-key prompt. Today, OAuth is primarily for self-hosted gateways — praisonai auth login openai --method oauth will fail with a clear error until OpenAI is added to the registry.
# Prints a URL + code instead of opening a browserpraisonai auth login acme --method oauth --no-browser# To sign in, visit https://acme.example/device and enter code: ABCD-EFGHpraisonai run "What is 2+2?"
~/.praisonai/credentials.json (unchanged from API-key flow)
Legacy fallback
~/.praison/credentials.json is still read if the canonical file doesn’t exist yet; migrated onto the canonical file on the next write. No auth logout/re-login needed.
Permissions
0o600, atomic writes
Refresh
Transparent on next use, ~60 s before expires_at
Refresh failure
CLI returns no token rather than a stale one — re-run auth login
praisonai auth login ships an empty built-in OAuth registry — production providers are added per release. To enable OAuth for a self-hosted gateway today, register a provider config from Python before invoking the flow:
Expires shows (n/a) for API keys, 59m, 1h 23m, <1m, or expired for OAuth tokens, and (no expiry) when the provider didn’t include one.
The auth list and auth status table columns changed in this release — two new columns (Method, Expires) were added. Scripts that parse the table output need to be updated. The --json output is additive only (no existing keys removed).
Read-only fallback: ~/.praison/credentials.json. Any write transparently migrates its entries onto the canonical file.
Permissions
0o600 (auto-corrected on read if loose)
Writes
Atomic via temp file + os.replace
Display
Keys/tokens redacted as at-9***xyz1 everywhere except the file
OAuth internals
refresh_token, token_url, client_id are scrubbed before crossing into the LLM resolver — never sent to the provider
Path change — auto-migrated. Prior releases stored credentials at ~/.praison/credentials.json. The canonical path is now ~/.praisonai/credentials.json; the legacy path is still read if the canonical file doesn’t exist yet, and any subsequent auth login or setup transparently migrates your old entries onto the canonical file. No re-login is required.
The OAuth flow uses the requests library. It is lazy-imported, so users on the API-key path never see it. If a user runs --method oauth without it installed:
OAuth login requires the optional 'requests' package. Install it with: pip install requests