shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
08045c2aac8cf260071afeb04882fe43edea2e95
coder/docs/ai-coder/ai-gateway/setup.md
T
Danny Kopping 08045c2aac feat: configure multiple AI Bridge providers of the same type (#23948) 
_Disclaimer: produced mostly by Claude Opus 4.6 following detailed
planning._

## Summary
- Support multiple instances of the same AI Bridge provider type via
indexed env vars (`CODER_AIBRIDGE_PROVIDER_<N>_<KEY>`), following the
`CODER_EXTERNAL_AUTH_<N>_<KEY>` pattern
- Existing single-provider env vars (`CODER_AIBRIDGE_OPENAI_KEY`, etc.)
continue to work unchanged
- Setting both a legacy env var and an indexed provider with the same
name errors at startup to prevent silent misconfiguration
- Mark legacy provider fields (`OpenAI`, `Anthropic`, `Bedrock`) as
deprecated in `AIBridgeConfig` in favor of `Providers`
  ## Example
```sh
CODER_AIBRIDGE_PROVIDER_0_TYPE=anthropic
CODER_AIBRIDGE_PROVIDER_0_NAME=anthropic-corp
CODER_AIBRIDGE_PROVIDER_0_KEY=sk-ant-corp-xxx

CODER_AIBRIDGE_PROVIDER_0_BASE_URL=https://llm-proxy.internal.example.com/anthropic

CODER_AIBRIDGE_PROVIDER_1_TYPE=anthropic
CODER_AIBRIDGE_PROVIDER_1_NAME=anthropic-direct
  CODER_AIBRIDGE_PROVIDER_1_KEY=sk-ant-direct-yyy         
  ```
  Each instance is routed by name:
- /api/v2/aibridge/**anthropic-corp**/v1/messages
- /api/v2/aibridge/**anthropic-direct**/v1/messages
Closes
[AIGOV-157](https://linear.app/codercom/issue/AIGOV-157/spike-to-understand-if-there-is-a-simple-way-to-handle-multi-api-key)

---------

Signed-off-by: Danny Kopping <danny@coder.com>
2026-04-15 07:59:37 +00:00

11 KiB
Raw Blame History

Setup

AI Gateway runs inside the Coder control plane (coderd), requiring no separate compute to deploy or scale. Once enabled, coderd runs the aibridged in-memory and brokers traffic to your configured AI providers on behalf of authenticated users.

Required:

  1. A Premium license with the AI Governance Add-On.
  2. Feature must be enabled using the server flag
  3. One or more providers API key(s) must be configured

Activation

You will need to enable AI Gateway explicitly:

export CODER_AIBRIDGE_ENABLED=true
coder server
# or
coder server --aibridge-enabled=true

Configure Providers

AI Gateway proxies requests to upstream LLM APIs. Configure at least one provider before exposing AI Gateway to end users.

OpenAI

Set the following when routing OpenAI-compatible traffic through AI Gateway:

  • CODER_AIBRIDGE_OPENAI_KEY or --aibridge-openai-key
  • CODER_AIBRIDGE_OPENAI_BASE_URL or --aibridge-openai-base-url

The default base URL (https://api.openai.com/v1/) works for the native OpenAI service. Point the base URL at your preferred OpenAI-compatible endpoint (for example, a hosted proxy or LiteLLM deployment) when needed.

If you'd like to create an OpenAI key with minimal privileges, this is the minimum required set:

List Models scope should be set to "Read", Model Capabilities set to "Request"

Anthropic

Set the following when routing Anthropic-compatible traffic through AI Gateway:

  • CODER_AIBRIDGE_ANTHROPIC_KEY or --aibridge-anthropic-key
  • CODER_AIBRIDGE_ANTHROPIC_BASE_URL or --aibridge-anthropic-base-url

The default base URL (https://api.anthropic.com/) targets Anthropic's public API. Override it for Anthropic-compatible brokers.

Anthropic does not allow API keys to have restricted permissions at the time of writing (Nov 2025).

Amazon Bedrock

Set the following when routing Amazon Bedrock traffic through AI Gateway:

  • CODER_AIBRIDGE_BEDROCK_REGION or --aibridge-bedrock-region
  • CODER_AIBRIDGE_BEDROCK_ACCESS_KEY or --aibridge-bedrock-access-key
  • CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET or --aibridge-bedrock-access-key-secret
  • CODER_AIBRIDGE_BEDROCK_MODEL or --aibridge-bedrock-model
  • CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL or --aibridge-bedrock-small-fast-model

Note

CODER_AIBRIDGE_BEDROCK_BASE_URL or --aibridge-bedrock-base-url may be used instead of CODER_AIBRIDGE_BEDROCK_REGION/--aibridge-bedrock-region if you would like to specify a URL which does not follow the form of https://bedrock-runtime.<region>.amazonaws.com - for example if using a proxy between AI Gateway and AWS Bedrock.

Obtaining Bedrock credentials

  1. Choose a region where you want to use Bedrock.

  2. Generate API keys in the AWS Bedrock console (replace us-east-1 in the URL with your chosen region):

    • Choose an expiry period for the key.
    • Click Generate.
    • This creates an IAM user with strictly-scoped permissions for Bedrock access.

  3. Create an access key for the IAM user:

    • After generating the API key, click "You can directly modify permissions for the IAM user associated".
    • In the IAM user page, navigate to the Security credentials tab.
    • Under Access keys, click Create access key.
    • Select "Application running outside AWS" as the use case.
    • Click Next.
    • Add a description like "Coder AI Gateway token".
    • Click Create access key.
    • Save both the access key ID and secret access key securely.

  4. Configure your Coder deployment with the credentials:

    export CODER_AIBRIDGE_BEDROCK_REGION=us-east-1
export CODER_AIBRIDGE_BEDROCK_ACCESS_KEY=<your-access-key-id>
export CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET=<your-secret-access-key>
coder server

GitHub Copilot

Configure a copilot provider using the indexed provider format with separate instances for Individual, Business, and Enterprise tiers.

See GitHub Copilot — Provider configuration for full setup instructions.

ChatGPT

Configure a ChatGPT provider by creating an openai-typed instance with the ChatGPT Codex base URL:

export CODER_AIBRIDGE_PROVIDER_0_TYPE=openai
export CODER_AIBRIDGE_PROVIDER_0_NAME=chatgpt
export CODER_AIBRIDGE_PROVIDER_0_BASE_URL=https://chatgpt.com/backend-api/codex

Note

See the Supported APIs section below for precise endpoint coverage and interception behavior.

Multiple instances of the same provider

You can configure multiple instances of the same provider type — for example, to route different teams to separate API keys, use different base URLs per region, or connect to both a direct API and a proxy simultaneously. Use indexed environment variables following the pattern CODER_AIBRIDGE_PROVIDER_<N>_<KEY>:

# Anthropic routed through a corporate proxy
export CODER_AIBRIDGE_PROVIDER_0_TYPE=anthropic
export CODER_AIBRIDGE_PROVIDER_0_NAME=anthropic-corp
export CODER_AIBRIDGE_PROVIDER_0_KEY=sk-ant-corp-xxx
export CODER_AIBRIDGE_PROVIDER_0_BASE_URL=https://llm-proxy.internal.example.com/anthropic

# Anthropic direct (for teams that need direct access)
export CODER_AIBRIDGE_PROVIDER_1_TYPE=anthropic
export CODER_AIBRIDGE_PROVIDER_1_NAME=anthropic-direct
export CODER_AIBRIDGE_PROVIDER_1_KEY=sk-ant-direct-yyy

# Azure-hosted OpenAI deployment
export CODER_AIBRIDGE_PROVIDER_2_TYPE=openai
export CODER_AIBRIDGE_PROVIDER_2_NAME=azure-openai
export CODER_AIBRIDGE_PROVIDER_2_KEY=azure-key-zzz
export CODER_AIBRIDGE_PROVIDER_2_BASE_URL=https://my-deployment.openai.azure.com/

# Anthropic via AWS Bedrock
export CODER_AIBRIDGE_PROVIDER_3_TYPE=anthropic
export CODER_AIBRIDGE_PROVIDER_3_NAME=anthropic-bedrock
export CODER_AIBRIDGE_PROVIDER_3_BEDROCK_REGION=us-west-2
export CODER_AIBRIDGE_PROVIDER_3_BEDROCK_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
export CODER_AIBRIDGE_PROVIDER_3_BEDROCK_ACCESS_KEY_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

coder server

Each provider instance gets a unique route based on its NAME. Clients send requests to /api/v2/aibridge/<NAME>/ to target a specific instance:

Instance name Route
anthropic-corp /api/v2/aibridge/anthropic-corp/v1/messages
anthropic-direct /api/v2/aibridge/anthropic-direct/v1/messages
azure-openai /api/v2/aibridge/azure-openai/v1/chat/completions
anthropic-bedrock /api/v2/aibridge/anthropic-bedrock/v1/messages

Supported keys per provider:

Key Required Description
TYPE Yes Provider type: openai, anthropic, or copilot
NAME No Unique instance name for routing. Defaults to TYPE
KEY No API key for upstream authentication (alias: KEYS)
BASE_URL No Base URL of the upstream API

For anthropic providers using AWS Bedrock, the following keys are also available: BEDROCK_BASE_URL, BEDROCK_REGION, BEDROCK_ACCESS_KEY (alias: BEDROCK_ACCESS_KEYS), BEDROCK_ACCESS_KEY_SECRET (alias: BEDROCK_ACCESS_KEY_SECRETS), BEDROCK_MODEL, BEDROCK_SMALL_FAST_MODEL.

Note

Indices must be contiguous and start at 0. Each instance must have a unique NAME — if two instances of the same TYPE omit NAME, they will both default to the type name and fail with a duplicate name error.

The legacy single-provider environment variables (CODER_AIBRIDGE_OPENAI_KEY, CODER_AIBRIDGE_ANTHROPIC_KEY, etc.) continue to work. However, setting both a legacy variable and an indexed provider with the same default name (e.g. CODER_AIBRIDGE_OPENAI_KEY and an indexed provider named openai) will produce a startup error — remove one or the other to resolve the conflict.

Data Retention

AI Gateway records prompts, token usage, tool invocations, and model reasoning for auditing and monitoring purposes. By default, this data is retained for 60 days.

Configure retention using --aibridge-retention or CODER_AIBRIDGE_RETENTION:

coder server --aibridge-retention=90d

Or in YAML:

aibridge:
  retention: 90d

Set to 0 to retain data indefinitely.

For duration formats, how retention works, and best practices, see the Data Retention documentation.

Structured Logging

AI Gateway can emit structured logs for every interception record, making it straightforward to export data to external SIEM or observability platforms.

Enable with --aibridge-structured-logging or CODER_AIBRIDGE_STRUCTURED_LOGGING:

coder server --aibridge-structured-logging=true

Or in YAML:

aibridge:
  structured_logging: true

These logs are written to the same output stream as all other coderd logs, using the format configured by --log-human (default, writes to stderr) or --log-json. For machine ingestion, set --log-json to a file path or /dev/stderr so that records are emitted as JSON.

Filter for AI Gateway records in your logging pipeline by matching on the "interception log" message. Each log line includes a record_type field that indicates the kind of event captured:

record_type Description Key fields
interception_start A new intercepted request begins. interception_id, initiator_id, provider, model, client, started_at
interception_end An intercepted request completes. interception_id, ended_at
token_usage Token consumption for a response. interception_id, input_tokens, output_tokens, created_at
prompt_usage The last user prompt in a request. interception_id, prompt, created_at
tool_usage A tool/function call made by the model. interception_id, tool, input, server_url, injected, created_at
model_thought Model reasoning or thinking content. interception_id, content, created_at
Reference in New Issue View Git Blame Copy Permalink