ProviderKey
Source:
src/Cloudflare/AI/ProviderKey.ts
Declares a Cloudflare AI Gateway BYOK provider key.
Cloudflare requires BYOK secrets to live in the gateway’s attached Secrets
Store, be scoped to ai_gateway, and use the exact
{gatewayId}_{providerSlug}_{alias} name. This helper keeps that naming
contract with the GatewayProvider declaration so app stacks do not
have to wire the secret and provider config manually.
The children are namespaced under the given id: a Secret (child
Secret) holding the key, and a GatewayProvider (child Provider)
referencing it. It returns { secret, gatewayProvider } so either
underlying resource stays addressable.
Rotating value updates the secret in place. Changing alias (or
providerSlug) renames the secret — a replacement — and cascades: the
provider config is replaced and re-pointed at the new secret.
Bringing your own key
Section titled “Bringing your own key”Bring your own OpenAI key
const store = yield* Cloudflare.SecretsStore.Store("Store");
const gateway = yield* Cloudflare.AI.Gateway("Gateway", { id: "my-gateway", storeId: store.storeId,});
const { secret, gatewayProvider } = yield* Cloudflare.AI.ProviderKey("OpenAiKey", { store, gatewayId: gateway.gatewayId, providerSlug: "openai", value: yield* Config.redacted("OPENAI_API_KEY"),});Multiple keys for one provider
Distinguish keys for the same provider with an alias — each alias gets
its own secret and provider config.
const production = yield* Cloudflare.AI.ProviderKey("OpenAiKey", { store, gatewayId: gateway.gatewayId, providerSlug: "openai", value: yield* Config.redacted("OPENAI_API_KEY"),});
const evals = yield* Cloudflare.AI.ProviderKey("OpenAiEvalsKey", { store, gatewayId: gateway.gatewayId, providerSlug: "openai", alias: "evals", value: yield* Config.redacted("OPENAI_EVALS_API_KEY"),});