coder
diff --git a/‎aibridge/bridge.go‎
Lines changed: 7 additions & 8 deletions b/‎aibridge/bridge.go‎
Lines changed: 7 additions & 8 deletions
diff --git a/‎aibridge/config/config.go‎
Lines changed: 6 additions & 30 deletions b/‎aibridge/config/config.go‎
Lines changed: 6 additions & 30 deletions
diff --git a/‎aibridge/intercept/chatcompletions/base.go‎
Lines changed: 20 additions & 30 deletions b/‎aibridge/intercept/chatcompletions/base.go‎
Lines changed: 20 additions & 30 deletions
diff --git a/‎aibridge/intercept/chatcompletions/base_internal_test.go‎
Lines changed: 1 addition & 1 deletion b/‎aibridge/intercept/chatcompletions/base_internal_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aibridge/intercept/chatcompletions/blocking.go‎
Lines changed: 28 additions & 21 deletions b/‎aibridge/intercept/chatcompletions/blocking.go‎
Lines changed: 28 additions & 21 deletions
@@ -262,8 +262,8 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 			Client:                string(client),
 			ClientSessionID:       sessionID,
 			CorrelatingToolCallID: interceptor.CorrelatingToolCallID(),
-			CredentialKind:        string(cred.Kind),
-			CredentialHint:        cred.Hint,
+			CredentialKind:        string(cred.Kind()),
+			CredentialHint:        cred.Hint(),
 		}); err != nil {
 			span.SetStatus(codes.Error, fmt.Sprintf("failed to record interception: %v", err))
 			logger.Warn(ctx, "failed to record interception", slog.Error(err))
@@ -277,16 +277,16 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 			slog.F("provider", p.Name()),
 			slog.F("user_agent", r.UserAgent()),
 			slog.F("streaming", interceptor.Streaming()),
-			slog.F("credential_kind", string(cred.Kind)),
+			slog.F("credential_kind", string(cred.Kind())),
 		)
 
 		// Log BYOK credentials. Centralized credentials are set by
 		// the key failover loop.
 		credLogFields := []slog.Field{}
-		if cred.Kind == intercept.CredentialKindBYOK {
+		if cred.Kind() == intercept.CredentialKindBYOK {
 			credLogFields = append(credLogFields,
-				slog.F("credential_hint", cred.Hint),
-				slog.F("credential_length", cred.Length),
+				slog.F("credential_hint", cred.Hint()),
+				slog.F("credential_length", cred.Length()),
 			)
 		}
 		log.Debug(ctx, "interception started", credLogFields...)
@@ -303,8 +303,7 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 		})
 		// For centralized, the hint now reflects the last attempted
 		// key from the failover loop.
-		credHint := interceptor.Credential().Hint
-		credLen := interceptor.Credential().Length
+		credHint, credLen := cred.Hint(), cred.Length()
 		if execErr != nil {
 			if m != nil {
 				m.InterceptionCount.WithLabelValues(p.Name(), interceptor.Model(), metrics.InterceptionCountStatusFailed, route, r.Method, actor.ID, string(client)).Add(1)
 
@@ -12,32 +12,17 @@ const (
 	ProviderCopilot   = "copilot"
 )
 
-// Anthropic carries configuration for an Anthropic provider.
-//
-// Authentication is mutually exclusive across these three fields,
-// set per interception in the provider's CreateInterceptor:
-//   - KeyPool: centralized requests with automatic key failover.
-//   - Key: BYOK with X-Api-Key (single attempt, no failover).
-//   - BYOKBearerToken: BYOK with Authorization Bearer (single
-//     attempt, no failover).
-//
-// TODO(ssncferreira): consolidate the three authentication
-// fields into a single abstraction per
-// https://github.com/coder/aibridge/issues/266.
+// Anthropic carries configuration for an Anthropic provider. KeyPool holds the
+// centralized keys (with failover); BYOK credentials are resolved per request
+// from the incoming headers, not configured here.
 type Anthropic struct {
 	// Name is the provider instance name. If empty, defaults to "anthropic".
 	Name             string
 	BaseURL          string
-	Key              string
 	KeyPool          *keypool.Pool
 	APIDumpDir       string
 	CircuitBreaker   *CircuitBreaker
 	SendActorHeaders bool
-	ExtraHeaders     map[string]string
-	// BYOKBearerToken is set in BYOK mode when the user authenticates
-	// with a access token. When set, the access token is used for upstream
-	// LLM requests instead of the API key.
-	BYOKBearerToken string
 }
 
 type AWSBedrock struct {
@@ -50,26 +35,17 @@ type AWSBedrock struct {
 	BaseURL string
 }
 
-// OpenAI carries configuration for an OpenAI provider.
-//
-// Authentication is mutually exclusive across these two fields,
-// set per interception in the provider's CreateInterceptor:
-//   - KeyPool: centralized requests with automatic key failover.
-//   - Key: BYOK with Authorization Bearer (single attempt, no
-//     failover).
-//
-// TODO(ssncferreira): consolidate the authentication fields per
-// https://github.com/coder/aibridge/issues/266.
+// OpenAI carries configuration for an OpenAI provider. KeyPool holds the
+// centralized keys (with failover); BYOK credentials are resolved per request
+// from the incoming headers, not configured here.
 type OpenAI struct {
 	// Name is the provider instance name. If empty, defaults to "openai".
 	Name             string
 	BaseURL          string
-	Key              string
 	KeyPool          *keypool.Pool
 	APIDumpDir       string
 	CircuitBreaker   *CircuitBreaker
 	SendActorHeaders bool
-	ExtraHeaders     map[string]string
 }
 
 type Copilot struct {
 
@@ -17,7 +17,6 @@ import (
 	"go.opentelemetry.io/otel/trace"
 
 	"cdr.dev/slog/v3"
-	"github.com/coder/coder/v2/aibridge/config"
 	aibcontext "github.com/coder/coder/v2/aibridge/context"
 	"github.com/coder/coder/v2/aibridge/intercept"
 	"github.com/coder/coder/v2/aibridge/intercept/apidump"
@@ -29,56 +28,46 @@ import (
 )
 
 type interceptionBase struct {
-	id           uuid.UUID
-	providerName string
-	req          *ChatCompletionNewParamsWrapper
-	cfg          config.OpenAI
+	id  uuid.UUID
+	req *ChatCompletionNewParamsWrapper
+
+	cfg  intercept.Config
+	cred intercept.Credential
 
 	// clientHeaders are the original HTTP headers from the client request.
-	clientHeaders  http.Header
-	authHeaderName string
+	clientHeaders http.Header
 
 	logger slog.Logger
 	tracer trace.Tracer
 
-	recorder   recorder.Recorder
-	mcpProxy   mcp.ServerProxier
-	credential intercept.CredentialInfo
+	recorder recorder.Recorder
+	mcpProxy mcp.ServerProxier
 }
 
 // newCompletionsService builds the SDK service used for upstream
 // calls. BYOK auth is set here. Centralized auth is set
 // per-attempt by the failover loop.
 func (i *interceptionBase) newCompletionsService() openai.ChatCompletionService {
-	// TODO(ssncferreira): validate auth is configured per
-	// https://github.com/coder/aibridge/issues/266.
-
 	var opts []option.RequestOption
-	// BYOK auth.
-	if i.cfg.KeyPool == nil {
-		opts = append(opts, option.WithAPIKey(i.cfg.Key))
+	// BYOK sets its key here; centralized injects per-attempt in the failover
+	// loop. The OpenAI SDK presents the key as an Authorization bearer.
+	if byok, ok := intercept.AsBYOK(i.cred); ok {
+		opts = append(opts, option.WithAPIKey(byok.Secret))
 	}
 	opts = append(opts, option.WithBaseURL(i.cfg.BaseURL))
 
-	// Add extra headers if configured.
-	// Some providers require additional headers that are not added by the SDK.
-	// TODO(ssncferreira): remove as part of https://github.com/coder/aibridge/issues/192
-	for key, value := range i.cfg.ExtraHeaders {
-		opts = append(opts, option.WithHeader(key, value))
-	}
-
 	// Forward client headers to upstream. This middleware runs after the SDK
 	// has built the request, and replaces the outgoing headers with the sanitized
 	// client headers plus provider auth.
 	if i.clientHeaders != nil {
 		opts = append(opts, option.WithMiddleware(func(req *http.Request, next option.MiddlewareNext) (*http.Response, error) {
-			req.Header = intercept.BuildUpstreamHeaders(req.Header, i.clientHeaders, i.authHeaderName)
+			req.Header = intercept.BuildUpstreamHeaders(req.Header, i.clientHeaders, i.cred.AuthHeader())
 			return next(req)
 		}))
 	}
 
 	// Add API dump middleware if configured
-	if mw := apidump.NewBridgeMiddleware(i.cfg.APIDumpDir, i.providerName, i.Model(), i.id, i.logger, quartz.NewReal()); mw != nil {
+	if mw := apidump.NewBridgeMiddleware(i.cfg.APIDumpDir, i.cfg.ProviderName, i.Model(), i.id, i.logger, quartz.NewReal()); mw != nil {
 		opts = append(opts, option.WithMiddleware(mw))
 	}
 
@@ -89,8 +78,8 @@ func (i *interceptionBase) ID() uuid.UUID {
 	return i.id
 }
 
-func (i *interceptionBase) Credential() intercept.CredentialInfo {
-	return i.credential
+func (i *interceptionBase) Credential() intercept.Credential {
+	return i.cred
 }
 
 func (i *interceptionBase) Setup(logger slog.Logger, rec recorder.Recorder, mcpProxy mcp.ServerProxier) {
@@ -117,7 +106,7 @@ func (i *interceptionBase) baseTraceAttributes(r *http.Request, streaming bool)
 		attribute.String(tracing.RequestPath, r.URL.Path),
 		attribute.String(tracing.InterceptionID, i.id.String()),
 		attribute.String(tracing.InitiatorID, aibcontext.ActorIDFromContext(r.Context())),
-		attribute.String(tracing.Provider, i.providerName),
+		attribute.String(tracing.Provider, i.cfg.ProviderName),
 		attribute.String(tracing.Model, i.Model()),
 		attribute.Bool(tracing.Streaming, streaming),
 	}
@@ -219,14 +208,15 @@ func (i *interceptionBase) writeUpstreamError(w http.ResponseWriter, oaiErr *int
 // code. Returns true if the status was a key-specific failover
 // trigger so callers can retry with the next key.
 func (i *interceptionBase) markKeyOnError(ctx context.Context, key *keypool.Key, err error) bool {
-	if i.cfg.KeyPool == nil {
+	centralized, ok := intercept.AsCentralized(i.cred)
+	if !ok {
 		return false
 	}
 	var apiErr *openai.Error
 	if !errors.As(err, &apiErr) {
 		return false
 	}
-	return i.cfg.KeyPool.MarkKeyOnStatus(
+	return centralized.Pool.MarkKeyOnStatus(
 		ctx, key, apiErr.Response, i.logger,
 	)
 }
 
@@ -141,7 +141,7 @@ func TestMarkKeyOnError(t *testing.T) {
 			key, keyPoolErr := pool.Walker().Next()
 			require.Nil(t, keyPoolErr)
 
-			base := &interceptionBase{cfg: config.OpenAI{KeyPool: pool}, logger: slog.Make()}
+			base := &interceptionBase{cred: &intercept.Centralized{Pool: pool}, logger: slog.Make()}
 
 			got := base.markKeyOnError(context.Background(), key, tc.err)
 			assert.Equal(t, tc.expectedReturn, got)
 
@@ -16,7 +16,6 @@ import (
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog/v3"
-	"github.com/coder/coder/v2/aibridge/config"
 	aibcontext "github.com/coder/coder/v2/aibridge/context"
 	"github.com/coder/coder/v2/aibridge/intercept"
 	"github.com/coder/coder/v2/aibridge/intercept/eventstream"
@@ -33,22 +32,18 @@ type BlockingInterception struct {
 func NewBlockingInterceptor(
 	id uuid.UUID,
 	req *ChatCompletionNewParamsWrapper,
-	providerName string,
-	cfg config.OpenAI,
+	cfg intercept.Config,
+	cred intercept.Credential,
 	clientHeaders http.Header,
-	authHeaderName string,
 	tracer trace.Tracer,
-	cred intercept.CredentialInfo,
 ) *BlockingInterception {
 	return &BlockingInterception{interceptionBase: interceptionBase{
-		id:             id,
-		providerName:   providerName,
-		req:            req,
-		cfg:            cfg,
-		clientHeaders:  clientHeaders,
-		authHeaderName: authHeaderName,
-		tracer:         tracer,
-		credential:     cred,
+		id:            id,
+		req:           req,
+		cfg:           cfg,
+		cred:          cred,
+		clientHeaders: clientHeaders,
+		tracer:        tracer,
 	}}
 }
 
@@ -91,7 +86,11 @@ func (i *BlockingInterception) ProcessRequest(w http.ResponseWriter, r *http.Req
 	// Sum the key attempts across all iterations and record once when the
 	// interception completes.
 	var totalKeyAttempts int
-	defer func() { i.cfg.KeyPool.RecordAttempts(totalKeyAttempts) }()
+	defer func() {
+		if centralized, ok := intercept.AsCentralized(i.cred); ok {
+			centralized.Pool.RecordAttempts(totalKeyAttempts)
+		}
+	}()
 
 	for {
 		// TODO add outer loop span (https://github.com/coder/aibridge/issues/67)
@@ -278,12 +277,15 @@ func (i *BlockingInterception) ProcessRequest(w http.ResponseWriter, r *http.Req
 // failover, returning the upstream completion, the number of key attempts
 // made for this call, and any error.
 func (i *BlockingInterception) newChatCompletion(ctx context.Context, svc openai.ChatCompletionService, opts []option.RequestOption) (*openai.ChatCompletion, int, error) {
-	// BYOK: single attempt, no failover.
-	if i.cfg.KeyPool == nil {
+	switch i.cred.Kind() {
+	case intercept.CredentialKindCentralized:
+		return i.newChatCompletionWithKeyFailover(ctx, svc, opts)
+	case intercept.CredentialKindBYOK:
 		completion, err := i.newChatCompletionWithKey(ctx, svc, opts)
 		return completion, 0, err
+	default:
+		return nil, 0, xerrors.New("no credential configured")
 	}
-	return i.newChatCompletionWithKeyFailover(ctx, svc, opts)
 }
 
 // newChatCompletionWithKey performs a single upstream call.
@@ -300,16 +302,21 @@ func (i *BlockingInterception) newChatCompletionWithKey(ctx context.Context, svc
 // trigger failover and are returned to the caller. It returns the upstream
 // completion, the number of key attempts made for this call, and any error.
 func (i *BlockingInterception) newChatCompletionWithKeyFailover(ctx context.Context, svc openai.ChatCompletionService, opts []option.RequestOption) (*openai.ChatCompletion, int, error) {
-	walker := i.cfg.KeyPool.Walker()
+	centralized, ok := intercept.AsCentralized(i.cred)
+	if !ok {
+		// Centralized but pool-less (no centralized keys configured): one attempt.
+		completion, err := i.newChatCompletionWithKey(ctx, svc, opts)
+		return completion, 0, err
+	}
+	walker := centralized.Pool.Walker()
 	for {
 		key, keyPoolErr := walker.Next()
 		if keyPoolErr != nil {
 			return nil, walker.Attempts(), keyPoolErr
 		}
-		// Record the key in use so the hint reflects the last attempted key.
-		i.credential = intercept.NewCredentialInfo(intercept.CredentialKindCentralized, key.Value())
+		centralized.SetKey(key.Value())
 		i.logger.Debug(ctx, "using centralized api key",
-			slog.F("credential_hint", i.Credential().Hint), slog.F("credential_length", i.Credential().Length))
+			slog.F("credential_hint", i.cred.Hint()), slog.F("credential_length", i.cred.Length()))
 
 		requestOpts := append([]option.RequestOption{}, opts...)
 		requestOpts = append(requestOpts,