Skip to content

ProviderKey

Source: src/Cloudflare/AI/ProviderKey.ts

Declares a Cloudflare AI Gateway BYOK provider key.

Cloudflare requires BYOK secrets to live in the gateway’s attached Secrets Store, be scoped to ai_gateway, and use the exact {gatewayId}_{providerSlug}_{alias} name. This helper keeps that naming contract with the GatewayProvider declaration so app stacks do not have to wire the secret and provider config manually.

The children are namespaced under the given id: a Secret (child Secret) holding the key, and a GatewayProvider (child Provider) referencing it. It returns { secret, gatewayProvider } so either underlying resource stays addressable.

Rotating value updates the secret in place. Changing alias (or providerSlug) renames the secret — a replacement — and cascades: the provider config is replaced and re-pointed at the new secret.

Bring your own OpenAI key

const store = yield* Cloudflare.SecretsStore.Store("Store");
const gateway = yield* Cloudflare.AI.Gateway("Gateway", {
id: "my-gateway",
storeId: store.storeId,
});
const { secret, gatewayProvider } = yield* Cloudflare.AI.ProviderKey("OpenAiKey", {
store,
gatewayId: gateway.gatewayId,
providerSlug: "openai",
value: yield* Config.redacted("OPENAI_API_KEY"),
});

Multiple keys for one provider

Distinguish keys for the same provider with an alias — each alias gets its own secret and provider config.

const production = yield* Cloudflare.AI.ProviderKey("OpenAiKey", {
store,
gatewayId: gateway.gatewayId,
providerSlug: "openai",
value: yield* Config.redacted("OPENAI_API_KEY"),
});
const evals = yield* Cloudflare.AI.ProviderKey("OpenAiEvalsKey", {
store,
gatewayId: gateway.gatewayId,
providerSlug: "openai",
alias: "evals",
value: yield* Config.redacted("OPENAI_EVALS_API_KEY"),
});