API Keys
This is where you manage the LLM provider credentials Chief uses on your behalf.
Adding a Key
- Click Add Key.
- Pick a provider (Anthropic, OpenAI, Gemini, Local).
- Paste the key.
- Click Validate & Save.
Chief sends a test request to the provider. If the key works, it’s encrypted with AES-256-GCM and stored. If it doesn’t work, the key is rejected and nothing is saved.
Provider keys are write-only after they’re saved. We never display the plaintext value back to you. If you lose your record of the key, rotate it with the provider and re-add.
Validation Status
Each saved key shows a status:
| Status | Meaning |
|---|---|
| ✅ Active | Key validated within the last 24 hours |
| ⚠️ Stale | Hasn’t been validated recently — Chief will retry on next use |
| ❌ Failing | Last call returned an auth error — needs rotation |
Chief revalidates active keys every 24 hours and on any auth failure during a task.
Removing a Key
Key → ⋮ → Delete. The encrypted ciphertext is wiped. If a cron or scheduled task depends on this key, the task is paused — not deleted — so you can re-add a key later and resume.
What’s Stored
| Stored | Format |
|---|---|
| Provider name | Plaintext (e.g., “anthropic”) |
| Key label | Plaintext (your label, e.g., “chief-prod”) |
| Key value | AES-256-GCM ciphertext only |
| Last validated | Timestamp |
| Status | Plaintext flag |
The plaintext key is never written to disk and never logged.
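The storage model in the table above, sketched as an added example (this is not Chief's code). The function names, the blob layout (nonce, tag, ciphertext) and the choice to bind provider and label as associated data are assumptions made for illustration.

```javascript
// Added illustration, not Chief's code. Field names and the AAD layout are assumptions.
const crypto = require('node:crypto');

// Bind the ciphertext to its record: provider and label go in as AAD,
// so a blob copied onto another row fails authentication on decrypt.
function aad(provider, label) {
  return Buffer.from(JSON.stringify([provider, label]), 'utf8');
}

// Encrypt a validated provider key. Returns only the fields the "What's Stored" table lists.
function sealKey(masterKey, provider, label, plaintextKey, now = new Date()) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(aad(provider, label));
  const ct = Buffer.concat([cipher.update(plaintextKey, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { provider, label, keyValue: blob, lastValidated: now.toISOString(), status: 'active' };
}

// Decrypt for a provider call; throws if the blob or its record fields were altered.
function openKey(masterKey, record) {
  const raw = Buffer.from(record.keyValue, 'base64');
  const iv = raw.subarray(0, 12), tag = raw.subarray(12, 28), ct = raw.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, iv);
  decipher.setAAD(aad(record.provider, record.label));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Write-only view: what a settings page may return. No key material at all.
function displayView(record) {
  const { provider, label, lastValidated, status } = record;
  return { provider, label, lastValidated, status };
}

// Constructed sample values; a real master key would come from a KMS or secret store.
const masterKey = crypto.randomBytes(32);
const sample = sealKey(masterKey, 'anthropic', 'chief-prod', 'sk-ant-EXAMPLE-not-a-real-key');
```

Because the nonce is random per call, sealing the same key twice yields different ciphertexts, and changing the label on a stored record makes `openKey` throw instead of returning a key.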
Per-Provider Notes
- Anthropic — Required for all plans. Key starts with `sk-ant-`.
- OpenAI — Enterprise only. Key starts with `sk-`. Used for OpenAI / Codex routing.
- Gemini — Enterprise only. Key from Google AI Studio.
- Local — Enterprise only. Configure host:port and optional auth header for self-hosted endpoints.
See Plans for the full provider matrix per plan.