AI Connection
The second wizard step connects an AI provider. xyva is BYOK — every provider runs against keys you supply. Keys are encrypted by the local agent before leaving your machine.
Supported providers
| Provider | Notes |
|---|---|
| Google Gemini | API key or gcloud ADC |
| OpenAI | API key |
| Anthropic Claude | API key |
| Azure OpenAI | endpoint + key + deployment name |
| OpenRouter | API key |
| Groq | API key |
| DeepSeek | API key |
| Ollama | local URL (default http://localhost:11434) |
| LM Studio | local URL (default http://localhost:1234/v1) |
| Codex CLI / Codex Proxy | for direct-chat workflows |
| MS Copilot | enterprise rollouts via AI Proxy |
| AI Proxy | xyva.ai's hosted proxy for centrally managed keys |
How keys are stored
- You paste the key in the portal.
- The portal forwards it over the WebSocket bridge to the local agent.
- The agent encrypts it with the OS keychain (`safeStorage` on macOS/Windows, libsecret on Linux) and writes the ciphertext to `~/.xyva/credentials.json`.
- Only the encrypted form is mirrored back to the portal database, and only if you opt in to portable settings (off by default).
The raw key never sits in plaintext on the portal side.
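
A local check of the storage claim above, as an added example (not xyva's own code): it flags group/other-readable permissions on `~/.xyva/credentials.json` and strings that look like unencrypted provider keys. The key-prefix patterns and function names are assumptions of this example; the file's internal layout is not documented on this page, so it is scanned as opaque text.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Path as given on this page; the file's internal layout is not documented
# here, so the audit treats it as opaque text.
CRED_PATH = Path.home() / ".xyva" / "credentials.json"

# Assumption: publicly known key prefixes for some listed providers.
# Prefixes can change, so a clean result is not proof of encryption.
PLAINTEXT_PATTERNS = {
    "Anthropic": re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
    "OpenAI-style": re.compile(r"sk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "Google": re.compile(r"AIza[A-Za-z0-9_-]{35}"),
    "Groq": re.compile(r"gsk_[A-Za-z0-9]{20,}"),
}


def audit_credentials(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing was flagged."""
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"mode {mode:03o} lets group/other access the file")
    text = path.read_text(encoding="utf-8", errors="replace")
    for provider, pattern in PLAINTEXT_PATTERNS.items():
        if pattern.search(text):
            # Name the provider only; never echo the matched secret.
            findings.append(f"possible plaintext {provider} key")
    return findings


def audit_constructed_sample() -> list[str]:
    """Run the audit on a constructed file holding a fake plaintext key."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "credentials.json"
        sample.write_text('{"openai": "sk-' + "A" * 40 + '"}')  # constructed
        sample.chmod(0o644)
        return audit_credentials(sample)


if __name__ == "__main__":
    if CRED_PATH.is_file():
        print(audit_credentials(CRED_PATH) or "nothing flagged")
    else:
        print("no credentials file; constructed sample:", audit_constructed_sample())
```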
Observer Mode
If you don't want to attach AI yet, pick Observer Mode. You keep:
- Runner, Test Hub, Test Builder
- Accessibility Auditor
- Run history, reports, PDF export
You skip:
- Brain (AI chat), Auto-Fix
- Swarm QA's AI enrichment (you can still run agents without enrichment)
- Project Scout
You can connect a provider later from Settings → AI Providers.
Recommended flow
- Pick the provider where your team's billing already lives.
- Paste the key, click Verify connection — the agent makes a low-cost test call to confirm.
- Pick a default model from the catalogue (e.g. `gemini-2.5-flash`, `gpt-4o-mini`, `claude-sonnet-4-6`).
- Adjust the Agent Sandbox if you plan to run Builder/Operator-mode AI workflows.
Troubleshooting
| Symptom | Fix |
|---|---|
| 401 / 403 on verify | Wrong region/endpoint, or key lacks model access |
| `connection refused` for Ollama | Make sure `ollama serve` is running and reachable from the agent |
| Azure rejects request | Check AZURE_OPENAI_API_VERSION and the deployment name |
| Corporate proxy blocks call | Set HTTPS_PROXY for the agent process; see Proxy & Network |
