Providers

Omegon treats provider authentication as a runtime boundary, not just a login convenience. The active provider affects routing, allowed entry points, quota semantics, and what the operator sees in the engine footer.

Current provider auth modes

Provider / modeConfigureAllowedRestrictions
Anthropic/Claude API keyomegon secret set ANTHROPIC_API_KEY --stdinAll Omegon entry points, including TUI, prompts, smoke, and cleave.Subject to Anthropic API terms, quota, and model limits.
Anthropic/Claude OAuth / subscriptionomegon auth login anthropic or /auth login anthropicInteractive TUI sessions; headless Anthropic runs with an explicit operator-risk warning.Omegon does not treat subscription OAuth as equivalent to an API key. If you want policy-clean prompts, smoke tests, cleave, or unattended automation, useANTHROPIC_API_KEY instead.
OpenAI APIomegon secret set OPENAI_API_KEY --stdinAll supported Omegon entry points.Subject to OpenAI billing, quota, and model limits.
OpenAI/Codex OAuthomegon auth login openai-codex or /auth login openai-codexSupported Codex-backed Omegon flows, including interactive work and supported automation.The engine footer may show a selected model such as gpt-5.4 while the limit row shows an upstream bucket name such as GPT-5.3-Codex-Spark. That limit row is provider telemetry, not a second model selector.
Ollama (Local)export OLLAMA_HOST="http://127.0.0.1:11434"All supported local-model workflows.Local inference only; no external account auth.
Ollama Cloudomegon auth login ollama-cloud, /auth login ollama-cloud, or /secrets set OLLAMA_API_KEYAll supported hosted-Ollama workflows.Separate hosted provider from local Ollama. Uses OLLAMA_API_KEY against Ollama's cloud API.
OpenAI-compatible API key providers/auth login openrouter, /auth login groq, /auth login xai, /auth login mistral, /auth login cerebras, /auth login opencode-go, or /auth login perplexityAll supported key-backed workflows.Each provider has its own billing, quota, model catalog, and upstream error semantics.
Google Gemini/auth login google or GOOGLE_API_KEY / GEMINI_API_KEYAll supported key-backed workflows.Gemini models through Google's public API surface.
Google Antigravity/auth login google-antigravityInteractive and supported OAuth-backed workflows.Gemini models through the Antigravity OAuth route. Distinct from the API-key Gemini provider.
GitHub Copilot/auth login github-copilotInteractive use with a Copilot-specific credential.GitHub Copilot inference. Generic GitHub CLI and GITHUB_TOKEN credentials are diagnostic only and are not used for runtime inference.

Route state and remediation

Omegon keeps the operator-selected route separate from the model bridge that is actually serving turns. That distinction matters when credentials expire, a rebuilt binary discovers external OAuth state, or a profile permits an explicit fallback provider.

Use /auth status when startup or login looks wrong. It reports route state, credential diagnostics, and the next remediation step. The TUI footer also preserves route warnings so a fallback or disconnected startup is still visible after the immediate login/status message scrolls away.

Runtime identity honesty

Omegon now keeps provider identity explicit in operator-facing surfaces:

The footer's model row shows the selected runtime model. The limit row, when present, shows upstream provider quota telemetry. Those are intentionally different fields.

Anthropic subscription boundary

Anthropic/Claude subscription auth is the one credential class with an explicit operator-risk boundary. Interactive TUI use is allowed. Headless Anthropic paths warn and proceed rather than silently switching providers or pretending subscription OAuth has API-key automation semantics.

The consumer terms page is here:anthropic.com/legal/consumer-terms

Practical guidance

How this fits the rest of Omegon

The provider layer feeds the TUI, slash commands, smoke paths, and cleave orchestration. That means auth mode affects not just model access, but which entry points Omegon can honestly and safely expose.