Authenticating Your AI Assistant

Before PumasAide can be useful, your AI coding assistant must be logged in to a model backend. This is separate from connecting the assistant to the PumasAide MCP server (see Getting Started with PumasAide). PumasAI does not provide model access; you bring your own subscription, API key, or cloud-provider account.

Pick the path that matches your org's policy. Many regulated environments (pharma, healthcare) require inference to route through an existing AWS, GCP, or Azure contract rather than calling a vendor SaaS directly.

Vendor docs are authoritative

Each section links to the vendor's auth doc. Check it if a snippet here fails or is out of date.

Where to put `export` lines

On JuliaHub, add export lines to ~/data/.bashrc (create the file if it does not exist; ~/data/ is the persistent storage location). On a desktop, use your shell's startup file (~/.bashrc, ~/.zshrc, fish config, etc.) or your platform's environment-variable settings.

Choosing a backend

| Tool | Default backend | Enterprise cloud options | Cloud IdP federation |
| --- | --- | --- | --- |
| Claude Code | Anthropic API / Claude | AWS Bedrock, GCP Vertex, Azure Foundry, internal gateway | AWS IAM, GCP ADC, Entra ID |
| OpenAI Codex CLI | OpenAI / ChatGPT | Azure OpenAI | Azure is static-key only |
| GitHub Copilot CLI | GitHub-hosted Copilot | None (GitHub-hosted only) | GitHub identity only |

Claude Code

Anthropic API or Claude subscription (default)

Run claude for the first time and follow the interactive login. Alternatively:

export ANTHROPIC_API_KEY=sk-ant-...

See Claude Code setup.

Amazon Bedrock

Enable Bedrock and set the region:

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1

Then pick one credential source.

  • SSO (typical for regulated orgs):

    aws sso login --profile my-profile
    export AWS_PROFILE=my-profile

  • Static IAM keys: run aws configure once to write keys to ~/.aws/credentials.

  • Bedrock-only API key: export AWS_BEARER_TOKEN_BEDROCK=.... Narrower than full AWS credentials; works only for Bedrock.

  • Attached instance role on EC2/ECS/EKS: nothing to set; the AWS SDK reads the role from instance metadata. Applies only when the role lives in the AWS account whose Bedrock you want to call and the host exposes the metadata service to your container.

Claude Code uses the standard AWS SDK credential chain, so the first source it finds wins.

AWS credentials are inherited by subprocesses

Credentials available to Claude Code flow to every shell command and MCP server it spawns. Scope the IAM policy tightly to Bedrock actions only.

See Claude Code on Amazon Bedrock.

Google Vertex AI

export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=global
export ANTHROPIC_VERTEX_PROJECT_ID=your-project-id

gcloud auth application-default login
# Or: export GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa-key.json
# Or: workload identity / attached service account on GCE/GKE.

To auto-refresh stale ADC tokens, add this to your settings.json:

{
  "gcpAuthRefresh": "gcloud auth application-default login"
}

See Claude Code on Google Vertex AI.

Microsoft Foundry (Azure)

az login

export CLAUDE_CODE_USE_FOUNDRY=1
export ANTHROPIC_FOUNDRY_RESOURCE=your-foundry-resource
# Optional: API key instead of Entra ID
# export ANTHROPIC_FOUNDRY_API_KEY=...

Claude Code uses the Azure SDK default credential chain after az login. No separate API key needed.

See Claude Code on Microsoft Foundry.

Internal LLM gateway

Use this path when your org fronts model inference with a corporate proxy (LiteLLM, an internal gateway, etc.) for central auth, audit logging, or cost tracking. Claude Code talks to the gateway directly. No vendor cloud credentials are required on the client.

Point Claude Code at the gateway:

export ANTHROPIC_BASE_URL=https://llm-gateway.your-org.example

Then pick one credential source.

  • Static bearer token:

    export ANTHROPIC_AUTH_TOKEN=your-gateway-token

    Sent as the Authorization header on every request.

  • Rotating or per-session token via apiKeyHelper. Add to ~/.claude/settings.json:

    {
      "apiKeyHelper": "/path/to/get-token.sh",
      "env": {
        "CLAUDE_CODE_API_KEY_HELPER_TTL_MS": "3600000"
      }
    }

    The helper is any executable that prints a token to stdout (vault fetch, internal CLI, JWT mint). CLAUDE_CODE_API_KEY_HELPER_TTL_MS sets the refresh interval (here, one hour).
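
An example helper for the apiKeyHelper setting above, added here and not taken from Claude Code or PumasAide: it prints a token from a local file and refuses a file that other users can read. The file location, the GATEWAY_TOKEN_FILE variable and the separate login step that writes the file are assumptions.

```shell
#!/bin/sh
# get-token.sh: example apiKeyHelper (added example, not vendor code).
# Assumption: a separate login step writes the current gateway token to
# TOKEN_FILE; both the path and GATEWAY_TOKEN_FILE are hypothetical.
TOKEN_FILE="${GATEWAY_TOKEN_FILE:-$HOME/.config/llm-gateway/token}"

# Print the token on stdout; diagnostics go to stderr so they are never
# mistaken for a token. Returns non-zero when no usable token exists.
emit_token() {
  et_file=$1
  if [ ! -f "$et_file" ]; then
    echo "get-token: $et_file not found; log in to the gateway first" >&2
    return 1
  fi
  # Owner-only access: refuse a file that group or others can read.
  et_mode=$(stat -c '%a' "$et_file" 2>/dev/null || stat -f '%Lp' "$et_file")
  case "$et_mode" in
    600|400) ;;
    *) echo "get-token: $et_file has mode $et_mode, expected 600" >&2
       return 1 ;;
  esac
  # Use the first line only and strip whitespace, including a trailing CR.
  et_token=$(head -n 1 "$et_file" | tr -d '[:space:]')
  if [ -z "$et_token" ]; then
    echo "get-token: $et_file is empty" >&2
    return 1
  fi
  printf '%s\n' "$et_token"
}

# Run only when installed under the name that settings.json points at.
case "${0##*/}" in
  get-token.sh) emit_token "$TOKEN_FILE"; exit $? ;;
esac
```

Save it as get-token.sh, mark it executable, and put its absolute path in apiKeyHelper.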

If the gateway needs extra headers (tenant ID, project tag), set them with ANTHROPIC_CUSTOM_HEADERS.

Gateway API requirements

The gateway must expose the Anthropic Messages API (/v1/messages and /v1/messages/count_tokens) and forward the anthropic-beta and anthropic-version headers through to the upstream model. LiteLLM's unified Anthropic endpoint satisfies this out of the box.

See Claude Code LLM gateway configuration.

OpenAI Codex CLI

OpenAI / ChatGPT (default)

codex login           # OAuth (ChatGPT subscription) or API key prompt
# Or:
export OPENAI_API_KEY=sk-...

See Codex CLI Authentication.

Azure OpenAI

Add a custom provider to ~/.codex/config.toml:

model = "gpt-5-codex"
model_provider = "azure"

[model_providers.azure]
name = "Azure OpenAI"
base_url = "https://YOUR_RESOURCE.openai.azure.com/openai/v1"
env_key = "AZURE_OPENAI_API_KEY"
wire_api = "responses"

Then:

export AZURE_OPENAI_API_KEY=...
codex

No native Entra ID

Codex CLI does not natively support Entra ID / az login against Azure OpenAI; it expects a static API key. As a workaround, configure a custom auth command that shells out to az account get-access-token and returns a bearer token.

See Azure Foundry: Codex with Azure OpenAI.

GitHub Copilot CLI

GitHub-hosted Copilot

copilot login

Or supply a token via environment variable (priority order: COPILOT_GITHUB_TOKEN, GH_TOKEN, GITHUB_TOKEN):

export COPILOT_GITHUB_TOKEN=gho_...

Accepted token prefixes: gho_, github_pat_, ghu_. Classic PATs (ghp_) are rejected.
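
A pre-flight check built from the priority order and prefix list above, added here and not part of the Copilot CLI: it reports which variable is in use, whether its prefix is accepted, and which lower-priority variables are shadowed, without printing any token. It assumes the CLI reads only the first non-empty variable and does not fall through to the next one.

```shell
# Added example: pre-flight check for the Copilot CLI token variables.
# Assumption: only the first non-empty variable in the documented priority
# order is used; a rejected token there is not skipped in favour of a later one.
# Return codes: 0 accepted prefix, 1 rejected or unknown prefix, 2 nothing set.
copilot_token_check() {
  ctc_winner=""
  ctc_status=2
  for ctc_name in COPILOT_GITHUB_TOKEN GH_TOKEN GITHUB_TOKEN; do
    eval "ctc_val=\${$ctc_name:-}"
    [ -n "$ctc_val" ] || continue
    if [ -n "$ctc_winner" ]; then
      echo "$ctc_name: set but shadowed by $ctc_winner"
      continue
    fi
    ctc_winner=$ctc_name
    case "$ctc_val" in
      gho_*|github_pat_*|ghu_*)
        echo "$ctc_name: in use, accepted prefix"; ctc_status=0 ;;
      ghp_*)
        echo "$ctc_name: in use, classic PAT (ghp_) is rejected"; ctc_status=1 ;;
      *)
        echo "$ctc_name: in use, unrecognized prefix"; ctc_status=1 ;;
    esac
  done
  [ -n "$ctc_winner" ] || echo "no token variable set; run: copilot login"
  ctc_val=""   # do not leave the token in a helper variable
  return "$ctc_status"
}
```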

GitHub Enterprise Cloud with data residency

copilot login --host HOSTNAME

See Authenticating GitHub Copilot CLI.

Enterprise considerations

Identity federation support varies

  • Claude Code is the only one of the three that accepts all three hyperscaler IdPs (AWS IAM/SSO, GCP ADC/Workload Identity, Entra ID) via the native credential chain. No static keys required. It also redirects natively to an internal Anthropic-compatible gateway via ANTHROPIC_BASE_URL, so orgs that mandate a central LLM proxy can adopt it without a shim.
  • Codex CLI against Azure OpenAI expects a static API key. Entra ID works only via a custom auth-command shim, which is a hurdle for organisations that disable key auth outright.
  • GitHub Copilot CLI federates identity only through GitHub. If your organisation already uses GitHub Enterprise Cloud with SAML SSO, this is straightforward; if not, there is no cloud-IdP path.