AI Provider Setup
xyva is BYOK (bring your own key): you bring the keys, the local agent encrypts them, and the portal acts as the control surface. Configure providers under Portal → Settings → AI Providers.
Supported providers
| Provider | Key field | Default model |
|---|---|---|
| Google Gemini | API key or gcloud ADC | gemini-2.5-flash |
| OpenAI | API key | gpt-4o-mini |
| Anthropic Claude | API key | claude-sonnet-4-6 |
| Azure OpenAI | endpoint + key + deployment | configured per-deployment |
| OpenRouter | API key | openrouter/auto |
| Groq | API key | llama-3.3-70b-versatile |
| DeepSeek | API key | deepseek-chat |
| Ollama | local URL | llama3.1:8b |
| LM Studio | local URL | configured locally |
| Codex CLI / Codex Proxy | local socket / proxy URL | — |
| MS Copilot | via AI Proxy | enterprise-managed |
| AI Proxy | proxy URL + tenant token | enterprise-managed |
How keys are stored
- Paste the key in the portal.
- The portal forwards it over the WebSocket bridge to the local agent.
- The agent encrypts it via the OS keychain and writes it to ~/.xyva/credentials.json.
- The plaintext key never reaches the portal database. With portable settings opted in, the encrypted blob is mirrored to the portal so it follows you across machines.
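A quick local check of the storage claims above, added here as an example and not part of xyva: it confirms the credential file is a regular file readable only by its owner and contains nothing that looks like an unencrypted provider key. The file is treated as opaque text, so nothing is assumed about its schema; the key prefixes and the sample file contents are assumptions constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Key prefixes as commonly issued by these providers (assumption, not from the page).
# Heuristic only: a match means "looks like an unencrypted key", never proof.
PLAINTEXT_KEY_PATTERNS = {
    "Anthropic": re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
    "OpenRouter": re.compile(r"sk-or-[A-Za-z0-9_-]{20,}"),
    "Groq": re.compile(r"gsk_[A-Za-z0-9]{20,}"),
    "Google": re.compile(r"AIza[A-Za-z0-9_-]{35}"),
    "OpenAI-style": re.compile(r"sk-(?!ant-|or-)[A-Za-z0-9_-]{20,}"),
}

def audit_credential_file(path):
    """Return a list of findings; an empty list means every check passed."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    if st.st_mode & 0o077:
        findings.append("mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("not owned by the current user")
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    for provider, pattern in PLAINTEXT_KEY_PATTERNS.items():
        if pattern.search(text):
            # Report the provider only; never echo the matched secret.
            findings.append("plaintext %s key pattern present" % provider)
    return findings

def demo():
    """Audit two constructed files: an opaque blob (0600) and a leaked key (0644)."""
    d = tempfile.mkdtemp()
    samples = {
        "ok.json": ('{"openai": {"blob": "Q09OU1RSVUNURUQtQkxPQg=="}}', 0o600),
        "leak.json": ('{"openai": "sk-' + "A" * 32 + '"}', 0o644),
    }
    results = {}
    for name, (body, mode) in samples.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, mode)
        results[name] = audit_credential_file(p)
    return results

if __name__ == "__main__":
    real = os.path.expanduser("~/.xyva/credentials.json")
    print(audit_credential_file(real) if os.path.lexists(real) else demo())
```

Run it again after rotating a key, since rotation overwrites the credential file.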
Picking a default
Settings → AI Providers → Default Provider sets the model used by Brain, Swarm enrichment, Auto-Fix and Project Scout. Each module can override at run time.
Recommended flow
- Connect the provider where billing already lives.
- Click Verify connection — the agent makes a small test call.
- Pick a balanced default model (cheap + fast for everyday use).
- For high-stakes tasks (architecture audit, RCA), pin a stronger model on the per-feature override.
- Configure the Agent Sandbox before allowing Builder/Operator-mode workflows.
Rotating keys
Replace the key in the field and click Verify. The agent re-encrypts the key and overwrites the credential file. Old runs keep their original key context for replay; new runs use the new key.
