Add providers & keys
There are two different kinds of credential in merido. Keeping them straight is the key to a correct setup.
Two kinds of credential
- Client / gateway keys — what callers use to authenticate to merido. Your coding CLIs put one of these in their Authorization: Bearer … header. They never leave your control. In the dashboard these are branded Gateway keys.
- Upstream provider credentials — what merido uses to call the providers on your behalf: either a provider API key or an OAuth connection (for subscription accounts). These are stored encrypted at rest.
A request flows: your tool → (gateway key) → merido → (provider credential) → the upstream model.
Client (gateway) keys
Create one from the CLI:
cargo run -p merido -- keys create --name "my-laptop"
# optional expiry:
cargo run -p merido -- keys create --name "ci" --ttl-seconds 86400
The key is shown once — store it immediately. Or create and manage them in the dashboard under Gateway keys (rotate, rename, revoke).
Upstream providers — API key
Add a provider connection with an API key:
cargo run -p merido -- providers add --provider openai --api-key sk-...
- --provider is the provider key, e.g. openai, anthropic, openrouter, deepseek.
- --base-url is optional — it defaults to the provider's known endpoint from merido's registry.
- --label is an optional human-readable name.
The upstream key is encrypted at rest with your master key (data_dir/master.key, or MERIDO_MASTER_KEY). You can also add connections from the dashboard Providers page, which unifies API-key and OAuth providers in one place.
Upstream providers — OAuth (subscription accounts)
For providers that authenticate via OAuth (e.g. Claude, Codex, xAI, GitHub Copilot, Kiro), sign in interactively:
cargo run -p merido -- login claude
This runs the OAuth flow locally — a browser PKCE flow for most providers, or a device-code flow for CLI providers (it prints a code and a URL). On success the tokens are stored encrypted at rest. merido refreshes them in the background.
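As an added illustration (not merido's code and not part of the original page), this is the PKCE S256 exchange from RFC 7636 seen from both sides, showing why a party that only observes the browser redirect cannot redeem the authorization code. The function names are hypothetical, and merido's own implementation is not shown on this page.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: the verifier is 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_login_request() -> dict:
    """Client side: fresh secrets for one authorization attempt."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    return {
        "code_verifier": verifier,  # stays on the local machine
        "code_challenge": s256_challenge(verifier),  # sent in the browser URL
        "code_challenge_method": "S256",
        "state": b64url(secrets.token_bytes(16)),  # binds the redirect to this attempt
    }

def callback_state_ok(sent: str, returned: str) -> bool:
    """Client side: reject a redirect that does not carry our state value."""
    return hmac.compare_digest(sent.encode(), returned.encode())

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Provider side at token exchange: the verifier must hash to the stored challenge."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    computed = s256_challenge(presented_verifier)
    return hmac.compare_digest(computed.encode(), stored_challenge.encode())

if __name__ == "__main__":
    req = new_login_request()
    print("challenge sent via browser:", req["code_challenge"])
    print("legit exchange accepted:",
          server_accepts(req["code_challenge"], req["code_verifier"]))
    # A party that saw only the redirect (code + state) has no verifier.
    guess = b64url(secrets.token_bytes(32))
    print("exchange without verifier accepted:",
          server_accepts(req["code_challenge"], guess))
```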
List and remove connected OAuth accounts:
cargo run -p merido -- accounts list
cargo run -p merido -- accounts remove <id>
Connecting an account to a remote gateway
To attach an OAuth account to a remote (e.g. Fly.io / multi-tenant) deployment, run the login locally but upload the captured tokens to the gateway, authenticated by a gateway key:
cargo run -p merido -- login claude --server https://your-gateway.example --token <gateway-key>
The OAuth dance still happens on your machine (the provider redirect can only land locally); the tokens are then sealed on the gateway, scoped to your org.
Where to go next
- Connect a coding CLI — point your tools at merido.
- Virtual models & fallback — combine targets across providers/accounts.