Skip to main content

LLM Credentials — /api/zeq/llm/credentials/*

Account-scoped LLM credentials. Pasted once, stored AES-256-GCM-encrypted with ZEQ_FIELD_KEY, prefix-only after creation. Used by every agent endpoint that takes a credential_id (page-chat, generate-html, agent spawn enrichment).

Concept: BYOK. Source: shared/api-core/src/routes/zeqLlm.ts.

Endpoints

MethodPathAuthPurpose
POST/api/zeq/llm/credentialsBearer (paid+)Create — full key echoed once
GET/api/zeq/llm/credentialsBearer (paid+)List caller's credentials (prefix only)
GET/api/zeq/llm/credentials/:idBearer (paid+)Show one (prefix only)
DELETE/api/zeq/llm/credentials/:idBearer (paid+)Soft-disable (active=false)
POST/api/zeq/llm/credentials/:id/system-defaultFoundation onlyPromote one credential to be the framework's free-tier default.

All routes return HTTP 402 SUBSCRIPTION_REQUIRED for free-tier callers. Why: BYOK exists to let paying customers bypass our daily ZEQ cap on LLM tokens — there's no economic reason to give the bypass to the free tier.

The Pulse's free guest mode (data-zid="guest") is unaffected — it uses the foundation-seeded Fireworks credential via /api/chat/free and doesn't go through /api/zeq/llm/credentials/* at all.

Provider list

IDProviderDefault model
openaiOpenAIgpt-4o-mini
anthropicAnthropic Claudeclaude-3-5-haiku-20241022
deepseekDeepSeekdeepseek-chat
ollamaOllama (self-hosted, base_url required)(provider default)
openrouterOpenRouter(provider default)
togetherTogether AI(provider default)
groqGroq(provider default)
fireworksFireworks AIaccounts/fireworks/models/llama-v3p3-70b-instruct

Encryption

Each row stores three encrypted fields:

api_key_encrypted    bytea       AES-256-GCM ciphertext
api_key_iv           bytea       12-byte IV per row
api_key_prefix       text        first 4 + "…" + last 4 (UI only)

ZEQ_FIELD_KEY is loaded from a secret manager / env at boot, never stored on disk in the repo. Rotation requires re-paste of every credential.