Skip to main content
POST
/
admin
/
connections
Create a credential
curl --request POST \
  --url https://{organization_id}.platform.barndoor.ai/api/llm-gateway/admin/connections \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "OpenAI Production",
  "model_provider": "openai",
  "base_url": "https://api.openai.com/v1",
  "auth_type": "api_key",
  "api_key": "sk-xxxxxxxxxxxxxxxxxxxx",
  "credentials": {},
  "settings": {}
}
'
{
  "id": "4f8b2a3c-12ee-4d92-9c7b-e7d2f8b0a111",
  "org_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "OpenAI Production",
  "model_provider": "openai",
  "auth_type": "api_key",
  "base_url": "https://api.openai.com/v1",
  "settings": {
    "region": "us-east-1",
    "model_api_family": "anthropic_messages"
  },
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z"
}
Create a reusable upstream credential. One credential can back many providers (for example, a single OpenAI key shared across multiple environments or routes).

Choosing the auth method

The model_provider and auth_type together determine which fields are required:
  • API key (auth_type: api_key) — pass api_key with the upstream key.
  • AWS Bedrock IAM role (auth_type: aws_role) — pass credentials with iam_role_arn and external_id. Use POST /admin/connections/aws-role-validate to confirm Barndoor can assume the role before saving.
  • Google Vertex (auth_type: google_adc, google_service_account, google_impersonation) — for service accounts, pass the JSON key fields under credentials. Use POST /admin/connections/google-vertex-validate to confirm end-to-end access.
  • Anthropic OAuth passthrough — configured directly on a provider; this endpoint is not used for OAuth providers.
The plaintext key (or credentials JSON) is written to Barndoor’s encrypted secret store and is never returned by any subsequent API call. Update or rotate it later with PUT /admin/connections/{id}.

Example

curl -X POST https://app.barndoor.ai/api/llm-gateway/admin/connections \
  -H "Authorization: Bearer $BARNDOOR_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "OpenAI Production",
    "model_provider": "openai",
    "base_url": "https://api.openai.com/v1",
    "api_key": "sk-..."
  }'
For a guided walkthrough, see Configure the Gateway.

Authorizations

Authorization
string
header
required

JWT obtained through Barndoor's authentication flow. Pass the token verbatim in Authorization: Bearer <token>. Use the Barndoor SDK's loginInteractive() helper to obtain a token in scripts and notebooks.

Body

application/json
name
string
required
Example:

"OpenAI Production"

model_provider
enum<string>
required

Slug of the upstream model provider this resource speaks to

Available options:
openai,
anthropic,
azure_openai,
google_ai,
bedrock,
vertex,
groq,
together,
mistral,
cohere,
xai,
fireworks,
perplexity,
openrouter,
deepseek,
custom
Example:

"openai"

base_url
string<uri>
required
Example:

"https://api.openai.com/v1"

auth_type
string

Optional. Defaults to the conventional auth type for the provider (api_key for most vendors, aws_role for Bedrock, google_adc for Vertex, etc.).

Example:

"api_key"

api_key
string<password>

Plaintext upstream API key. Required when auth_type is api_key (or any vendor-specific key flavor like bedrock_api_key). Not required when auth_type is role- or service-account-based — pass the role/SA fields under credentials instead.

Example:

"sk-xxxxxxxxxxxxxxxxxxxx"

credentials
object

Provider-specific credentials. Use this for non-API-key auth schemes (AWS keys, Google service-account JSON fields, Bedrock role+external_id). The shape mirrors what the provider expects; consult the corresponding How-To guide for each provider's required keys.

settings
object

Non-secret provider settings (region, project_id, api_version, etc.).

Response

The newly created credential

A reusable upstream credential, called Credentials in the portal UI. One credential can back multiple providers (e.g. a single OpenAI key used by several routes).

id
string<uuid>
required
Example:

"4f8b2a3c-12ee-4d92-9c7b-e7d2f8b0a111"

org_id
string<uuid>
required

The organization that owns this credential

name
string
required
Example:

"OpenAI Production"

model_provider
enum<string>
required

Slug of the upstream model provider this resource speaks to

Available options:
openai,
anthropic,
azure_openai,
google_ai,
bedrock,
vertex,
groq,
together,
mistral,
cohere,
xai,
fireworks,
perplexity,
openrouter,
deepseek,
custom
Example:

"openai"

auth_type
string
required

The authentication scheme this credential or provider uses to talk to the upstream model provider. Valid values depend on model_provider: for OpenAI/Anthropic-style vendors this is typically api_key; for AWS Bedrock it is one of aws_role, aws_keys, or bedrock_api_key; for Google Vertex it is google_adc, google_service_account, or google_impersonation; Anthropic OAuth passthrough uses oauth_passthrough.

Example:

"api_key"

base_url
string<uri>
required

Upstream base URL the credential points at. Defaults to the public provider URL but can be overridden for self-hosted or proxy setups.

Example:

"https://api.openai.com/v1"

settings
object
required

Provider-specific settings that aren't sensitive (e.g. AWS region, Vertex project id, Azure API version). Sensitive credentials live in the encrypted secret store and are never returned by the API.

Example:
{
  "region": "us-east-1",
  "model_api_family": "anthropic_messages"
}
created_at
string<date-time>
required
updated_at
string<date-time>
required