d6e08b3da0
* feat(ai): add Cloudflare Workers AI as a provider
Cloudflare Workers AI hosts open-weight LLMs (Kimi K2.6, GPT-OSS,
GLM-4.7, Llama 4, Gemma 4, Nemotron 3) on Cloudflare's GPU network with
an OpenAI-compatible endpoint. Reuses the openai-completions API
protocol; the per-account URL contains a {CLOUDFLARE_ACCOUNT_ID}
placeholder resolved at request time by a small helper.
Pi automatically sets x-session-affinity for prefix caching:
https://developers.cloudflare.com/workers-ai/features/prompt-caching/
Auth: CLOUDFLARE_API_KEY (matches pi's *_API_KEY convention) +
CLOUDFLARE_ACCOUNT_ID. The User-Agent identifies traffic as
'pi-coding-agent' in Cloudflare analytics.
Verified end-to-end against a real Cloudflare account: 17 e2e tests
pass across stream/empty/tokens/unicode/tool-call-without-result/
total-tokens against @cf/moonshotai/kimi-k2.6.
Cloudflare AI Gateway is a separate, larger change (it requires routing
through provider-specific subpaths with the matching API protocol per
upstream) and will land in a follow-up PR.
* refactor(ai): move Cloudflare User-Agent and session-affinity flag to per-model metadata
Instead of conditionally setting them in openai-completions.ts based on
provider detection, declare them as model-level fields in the catalog
(headers + compat). This is consistent with how the github-copilot and
kimi-coding entries already declare their static headers.
packages/ai/scripts/generate-models.ts: emit headers and compat fields
on each cloudflare-workers-ai entry (CLOUDFLARE_STATIC_HEADERS).
packages/ai/src/providers/openai-completions.ts: drop the
isCloudflareProvider conditional that injected User-Agent and the
isCloudflareWorkersAI override of sendSessionAffinityHeaders.
packages/ai/src/models.generated.ts: re-spliced 8 cloudflare-workers-ai
entries with headers + compat.
Behavior is unchanged - verified via fetch interceptor that User-Agent
and x-session-affinity / session_id / x-client-request-id are still sent
on outbound requests. 5/5 e2e tests pass.
7.3 KiB
Providers
Pi supports subscription-based providers via OAuth and API key providers via environment variables or auth file. For each provider, pi knows all available models. The list is updated with every pi release.
Table of Contents
Subscriptions
Use /login in interactive mode, then select a provider:
- Claude Pro/Max
- ChatGPT Plus/Pro (Codex)
- GitHub Copilot
- Google Gemini CLI
- Google Antigravity
Use /logout to clear credentials. Tokens are stored in ~/.pi/agent/auth.json and auto-refresh when expired.
GitHub Copilot
- Press Enter for github.com, or enter your GitHub Enterprise Server domain
- If you get "model not supported", enable it in VS Code: Copilot Chat → model selector → select model → "Enable"
Google Providers
- Gemini CLI: Standard Gemini models via Cloud Code Assist
- Antigravity: Sandbox with Gemini 3, Claude, and GPT-OSS models
- Both free with any Google account, subject to rate limits
- For paid Cloud Code Assist: set
GOOGLE_CLOUD_PROJECTenv var
OpenAI Codex
- Requires ChatGPT Plus or Pro subscription
- Personal use only; for production, use the OpenAI Platform API
API Keys
Environment Variables or Auth File
Use /login in interactive mode and select a provider to store an API key in auth.json, or set credentials via environment variable:
export ANTHROPIC_API_KEY=sk-ant-...
pi
| Provider | Environment Variable | auth.json key |
|---|---|---|
| Anthropic | ANTHROPIC_API_KEY |
anthropic |
| Azure OpenAI Responses | AZURE_OPENAI_API_KEY |
azure-openai-responses |
| OpenAI | OPENAI_API_KEY |
openai |
| DeepSeek | DEEPSEEK_API_KEY |
deepseek |
| Google Gemini | GEMINI_API_KEY |
google |
| Mistral | MISTRAL_API_KEY |
mistral |
| Groq | GROQ_API_KEY |
groq |
| Cerebras | CEREBRAS_API_KEY |
cerebras |
| Cloudflare Workers AI | CLOUDFLARE_API_KEY (+ CLOUDFLARE_ACCOUNT_ID) |
cloudflare-workers-ai |
| xAI | XAI_API_KEY |
xai |
| OpenRouter | OPENROUTER_API_KEY |
openrouter |
| Vercel AI Gateway | AI_GATEWAY_API_KEY |
vercel-ai-gateway |
| ZAI | ZAI_API_KEY |
zai |
| OpenCode Zen | OPENCODE_API_KEY |
opencode |
| OpenCode Go | OPENCODE_API_KEY |
opencode-go |
| Hugging Face | HF_TOKEN |
huggingface |
| Fireworks | FIREWORKS_API_KEY |
fireworks |
| Kimi For Coding | KIMI_API_KEY |
kimi-coding |
| MiniMax | MINIMAX_API_KEY |
minimax |
| MiniMax (China) | MINIMAX_CN_API_KEY |
minimax-cn |
Reference for environment variables and auth.json keys: const envMap in packages/ai/src/env-api-keys.ts.
Auth File
Store credentials in ~/.pi/agent/auth.json:
{
"anthropic": { "type": "api_key", "key": "sk-ant-..." },
"openai": { "type": "api_key", "key": "sk-..." },
"deepseek": { "type": "api_key", "key": "sk-..." },
"google": { "type": "api_key", "key": "..." },
"opencode": { "type": "api_key", "key": "..." },
"opencode-go": { "type": "api_key", "key": "..." }
}
The file is created with 0600 permissions (user read/write only). Auth file credentials take priority over environment variables.
Key Resolution
The key field supports three formats:
- Shell command:
"!command"executes and uses stdout (cached for process lifetime){ "type": "api_key", "key": "!security find-generic-password -ws 'anthropic'" } { "type": "api_key", "key": "!op read 'op://vault/item/credential'" } - Environment variable: Uses the value of the named variable
{ "type": "api_key", "key": "MY_ANTHROPIC_KEY" } - Literal value: Used directly
{ "type": "api_key", "key": "sk-ant-..." }
OAuth credentials are also stored here after /login and managed automatically.
Cloud Providers
Azure OpenAI
export AZURE_OPENAI_API_KEY=...
export AZURE_OPENAI_BASE_URL=https://your-resource.openai.azure.com
# also supported: https://your-resource.cognitiveservices.azure.com
# root endpoints are auto-normalized to /openai/v1
# or use resource name instead of base URL
export AZURE_OPENAI_RESOURCE_NAME=your-resource
# Optional
export AZURE_OPENAI_API_VERSION=2024-02-01
export AZURE_OPENAI_DEPLOYMENT_NAME_MAP=gpt-4=my-gpt4,gpt-4o=my-gpt4o
Amazon Bedrock
# Option 1: AWS Profile
export AWS_PROFILE=your-profile
# Option 2: IAM Keys
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
# Option 3: Bearer Token
export AWS_BEARER_TOKEN_BEDROCK=...
# Optional region (defaults to us-east-1)
export AWS_REGION=us-west-2
Also supports ECS task roles (AWS_CONTAINER_CREDENTIALS_*) and IRSA (AWS_WEB_IDENTITY_TOKEN_FILE).
pi --provider amazon-bedrock --model us.anthropic.claude-sonnet-4-20250514-v1:0
Prompt caching is enabled automatically for Claude models whose ID contains a recognizable model name (base models and system-defined inference profiles). For application inference profiles (whose ARNs don't contain the model name), set AWS_BEDROCK_FORCE_CACHE=1 to enable cache points:
export AWS_BEDROCK_FORCE_CACHE=1
pi --provider amazon-bedrock --model arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123
If you are connecting to a Bedrock API proxy, the following environment variables can be used:
# Set the URL for the Bedrock proxy (standard AWS SDK env var)
export AWS_ENDPOINT_URL_BEDROCK_RUNTIME=https://my.corp.proxy/bedrock
# Set if your proxy does not require authentication
export AWS_BEDROCK_SKIP_AUTH=1
# Set if your proxy only supports HTTP/1.1
export AWS_BEDROCK_FORCE_HTTP1=1
Cloudflare Workers AI
CLOUDFLARE_API_KEY can be set via /login. CLOUDFLARE_ACCOUNT_ID must be set as an environment variable.
export CLOUDFLARE_API_KEY=... # or use /login
export CLOUDFLARE_ACCOUNT_ID=...
pi --provider cloudflare-workers-ai --model "@cf/moonshotai/kimi-k2.6"
Pi automatically sets x-session-affinity for prefix caching discounts.
Google Vertex AI
Uses Application Default Credentials:
gcloud auth application-default login
export GOOGLE_CLOUD_PROJECT=your-project
export GOOGLE_CLOUD_LOCATION=us-central1
Or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
Custom Providers
Via models.json: Add Ollama, LM Studio, vLLM, or any provider that speaks a supported API (OpenAI Completions, OpenAI Responses, Anthropic Messages, Google Generative AI). See models.md.
Via extensions: For providers that need custom API implementations or OAuth flows, create an extension. See custom-provider.md and examples/extensions/custom-provider-gitlab-duo.
Resolution Order
When resolving credentials for a provider:
- CLI
--api-keyflag auth.jsonentry (API key or OAuth token)- Environment variable
- Custom provider keys from
models.json