Skip to content

AiGatewayProviderConfig

Source: src/Cloudflare/AiGateway/ProviderConfig.ts

A BYOK (bring-your-own-key) provider credential on a Cloudflare AI Gateway.

Provider configs let the gateway authenticate against upstream model providers (OpenAI, Anthropic, Workers AI, …) with your own API key, stored in Cloudflare Secrets Store. Cloudflare exposes no update API for provider configs, so every prop change replaces the config (the old one is deleted first — a gateway allows only one config per provider slug and alias).

Cloudflare imposes a strict naming contract: the gateway must reference a Secrets Store via its storeId, and the secret must be scoped to ai_gateway and named exactly {gatewayId}_{providerSlug}_{alias}.

Creating a Provider Config

Section titled “Creating a Provider Config”

Bring your own OpenAI key

const store = yield* Cloudflare.SecretsStore("Store");


const gateway = yield* Cloudflare.AiGateway("Gateway", {
  id: "my-gateway",
  storeId: store.storeId,
});


// The secret name must be `{gatewayId}_{providerSlug}_{alias}`.
const secret = yield* Cloudflare.Secret("OpenAiKey", {
  store,
  name: "my-gateway_openai_default",
  value: Redacted.make(process.env.OPENAI_API_KEY!),
  scopes: ["ai_gateway"],
});


const byok = yield* Cloudflare.AiGatewayProviderConfig("OpenAi", {
  gatewayId: gateway.gatewayId,
  providerSlug: "openai",
  alias: "default",
  secretId: secret.secretId,
  defaultConfig: true,
});

Rate-limit a key

const byok = yield* Cloudflare.AiGatewayProviderConfig("OpenAi", {
  gatewayId: gateway.gatewayId,
  providerSlug: "openai",
  alias: "default",
  secretId: secret.secretId,
  rateLimit: 100,
  rateLimitPeriod: 60,
});