Providers
Omegon treats provider authentication as a runtime boundary, not just a login convenience. The active provider affects routing, allowed entry points, quota semantics, and what the operator sees in the engine footer.
Current provider auth modes
| Provider / mode | Configure | Allowed | Restrictions |
|---|---|---|---|
| Anthropic/Claude API key | omegon secret set ANTHROPIC_API_KEY --stdin | All Omegon entry points, including TUI, prompts, smoke, and cleave. | Subject to Anthropic API terms, quota, and model limits. |
| Anthropic/Claude OAuth / subscription | omegon auth login anthropic or /auth login anthropic | Interactive TUI sessions; headless Anthropic runs with an explicit operator-risk warning. | Omegon does not treat subscription OAuth as equivalent to an API key. If you want policy-clean prompts, smoke tests, cleave, or unattended automation, useANTHROPIC_API_KEY instead. |
| OpenAI API | omegon secret set OPENAI_API_KEY --stdin | All supported Omegon entry points. | Subject to OpenAI billing, quota, and model limits. |
| OpenAI/Codex OAuth | omegon auth login openai-codex or /auth login openai-codex | Supported Codex-backed Omegon flows, including interactive work and supported automation. | The engine footer may show a selected model such as gpt-5.4 while the limit row shows an upstream bucket name such as GPT-5.3-Codex-Spark. That limit row is provider telemetry, not a second model selector. |
| Ollama (Local) | export OLLAMA_HOST="http://127.0.0.1:11434" | All supported local-model workflows. | Local inference only; no external account auth. |
| Ollama Cloud | omegon auth login ollama-cloud, /auth login ollama-cloud, or /secrets set OLLAMA_API_KEY | All supported hosted-Ollama workflows. | Separate hosted provider from local Ollama. Uses OLLAMA_API_KEY against Ollama's cloud API. |
| OpenAI-compatible API key providers | /auth login openrouter, /auth login groq, /auth login xai, /auth login mistral, /auth login cerebras, /auth login opencode-go, or /auth login perplexity | All supported key-backed workflows. | Each provider has its own billing, quota, model catalog, and upstream error semantics. |
| Google Gemini | /auth login google or GOOGLE_API_KEY / GEMINI_API_KEY | All supported key-backed workflows. | Gemini models through Google's public API surface. |
| Google Antigravity | /auth login google-antigravity | Interactive and supported OAuth-backed workflows. | Gemini models through the Antigravity OAuth route. Distinct from the API-key Gemini provider. |
| GitHub Copilot | /auth login github-copilot | Interactive use with a Copilot-specific credential. | GitHub Copilot inference. Generic GitHub CLI and GITHUB_TOKEN credentials are diagnostic only and are not used for runtime inference. |
Route state and remediation
Omegon keeps the operator-selected route separate from the model bridge that is actually serving turns. That distinction matters when credentials expire, a rebuilt binary discovers external OAuth state, or a profile permits an explicit fallback provider.
- Selected route is the provider/model the operator or profile requested.
- Served bridge is the authenticated provider/model currently handling inference.
- Fallback only happens when the profile opts in with
fallbackProviders = ["provider-id"]. - Disconnected means no valid credential or allowed fallback is available; Omegon surfaces remediation instead of pretending another provider is active.
Use /auth status when startup or login looks wrong. It reports route state, credential diagnostics, and the next remediation step. The TUI footer also preserves route warnings so a fallback or disconnected startup is still visible after the immediate login/status message scrolls away.
Runtime identity honesty
Omegon now keeps provider identity explicit in operator-facing surfaces:
- Anthropic/Claude means Anthropic-backed execution
- OpenAI API means API-key execution against OpenAI's API surfaces
- OpenAI/Codex means the ChatGPT/Codex OAuth-backed route
- OpenRouter, Groq, xAI, Mistral AI, Cerebras, OpenCode Go, and Perplexity AI are independent OpenAI-compatible providers with their own credentials and limits
- Google Gemini means API-key execution against Google's Gemini API
- Google Antigravity means OAuth-backed Gemini execution through the Antigravity route
- Ollama (Local) means on-device inference against your local daemon
- Ollama Cloud means the hosted Ollama API route, authenticated separately from local Ollama
The footer's model row shows the selected runtime model. The limit row, when present, shows upstream provider quota telemetry. Those are intentionally different fields.
Anthropic subscription boundary
Anthropic/Claude subscription auth is the one credential class with an explicit operator-risk boundary. Interactive TUI use is allowed. Headless Anthropic paths warn and proceed rather than silently switching providers or pretending subscription OAuth has API-key automation semantics.
The consumer terms page is here:anthropic.com/legal/consumer-terms
Practical guidance
- If you want to work in the TUI by hand, Anthropic/Claude OAuth is a valid path.
- If you want unattended or scripted automation with clean provider terms, configure
ANTHROPIC_API_KEY. - If you want GPT-family routing without API-key setup, try
omegon auth login openai-codex. - If you want local-only inference, use
Ollama (Local). - If you want hosted Ollama without running a local daemon, use
Ollama Cloudvia/auth loginor/secrets. - If you want predictable automation with commercial API terms, prefer API-key-backed providers.
How this fits the rest of Omegon
The provider layer feeds the TUI, slash commands, smoke paths, and cleave orchestration. That means auth mode affects not just model access, but which entry points Omegon can honestly and safely expose.