Skip to content
Open Agent SDK Open Agent SDK Open Agent SDK Docs

Provider & Auth Strategy

Open Agent SDK is API-aligned with Claude Agent SDK workflows, but intentionally supports a broader provider strategy.

Use this guide to decide how to configure providers without locking your architecture too early.

Provider selection model

Section titled “Provider selection model”

Pick one default provider per environment, then keep at least one fallback provider for operational resilience.

  • Primary provider: best fit for your latency, cost, and model quality targets
  • Fallback provider: used for outages, quota limits, or targeted workloads
  • Migration provider: temporary provider during staged migrations

Authentication patterns

Section titled “Authentication patterns”

Recommended pattern:

  1. Store provider keys in environment variables
  2. Resolve credentials at runtime by environment
  3. Keep provider selection explicit in integration code
  4. For Codex OAuth, reuse a local codex login session instead of hardcoding API keys

Typical variables:

  • OPENAI_API_KEY
  • GEMINI_API_KEY
  • ANTHROPIC_API_KEY
  • CODEX_HOME
  • OAS_CODEX_AUTH_PATH

Codex OAuth

Section titled “Codex OAuth”

Codex is a separate provider path in the SDK:

const result = await prompt('Summarize this repo.', {
  model: 'gpt-5.4',
  provider: 'codex',
});

Recommended setup:

  1. Run codex login
  2. Let the SDK import ~/.codex/auth.json
  3. Only override codexOAuth.codexAuthPath or OAS_CODEX_AUTH_PATH when you need a non-default login location

For non-interactive runners such as terminal-bench, you can also:

  • pass a refreshable credentials blob via OAS_CODEX_OAUTH_JSON
  • point at another provider-auth file via OAS_CODEX_AUTH_PATH
  • pass a short-lived access token via OAS_CODEX_API_KEY

Prefer OAS_CODEX_OAUTH_JSON or OAS_CODEX_AUTH_PATH when you want automatic refresh behavior.

Use provider: 'openai' with OPENAI_API_KEY when you want standard usage-based OpenAI Platform billing instead of Codex OAuth.

Base URL strategy

Section titled “Base URL strategy”

Use baseURL only when you need:

  • API gateway routing
  • enterprise proxy requirements
  • compatible endpoints in controlled environments

Keep default base URLs in local development unless you have a hard requirement to override.

Rollout checklist

Section titled “Rollout checklist”
  • Start with one stable provider in production
  • Add integration tests for one fallback provider
  • Validate session, permission, and tool behavior for both providers
  • Track cost and latency before switching defaults

Continue

Section titled “Continue”