> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure AI providers

> Manage organization-level and project-level AI provider credentials for playgrounds, experiments, and the gateway.

Braintrust manages AI provider credentials on a single **AI providers** settings page. Configured providers are available in playgrounds, experiments, and the gateway without users needing individual API keys.

The page has two sections:

* **Organization AI providers**: defaults available across every project in the organization.
* **Project AI providers**: overrides for the currently selected project.

Each row shows a redacted preview of the key (for example, `abc...xyz`) and a **Last updated** timestamp that tracks when the key value itself was last changed, along with the user who made the change. Renaming a provider or editing other metadata does not bump this timestamp. Keys that have not been rotated in over six months display a warning indicator. Braintrust recommends disabling and rotating AI provider secrets periodically.

## Add an organization-level provider

Organization-level keys serve as defaults across all projects in the organization.

1. Go to **<Icon icon="settings-2" /> Settings** > [**<Icon icon="sparkle" /> AI providers**](https://www.braintrust.dev/app/~/configuration/org/secrets).
2. Under **Organization AI providers**, click <Icon icon="plus" /> **Organization provider** and choose the provider you want to configure.
3. Enter your API key for that provider.
4. Click **Save**.

For provider-specific configuration (authentication methods, regions, model registries), see the [AI provider integrations](/integrations/ai-providers).

### Authentication methods

Most providers authenticate with a long-lived API key. Some also support alternatives that avoid storing a long-lived provider credential in Braintrust:

* **Workload identity federation**: Braintrust exchanges a short-lived, Braintrust-signed OIDC token for a provider access token at request time, so no long-lived key is stored. Available for [OpenAI](/integrations/ai-providers/openai), [Anthropic](/integrations/ai-providers/anthropic), [Google Vertex AI](/integrations/ai-providers/google), and [Azure AI Foundry](/integrations/ai-providers/azure), for organization-level providers on Braintrust-hosted organizations with the gateway enabled.
* **Cloud-native role assumption**: [Bedrock](/integrations/ai-providers/bedrock) supports AWS `AssumeRole` instead of storing long-lived access keys.

See each provider's integration page for setup details.

## Add a project-level provider

Use a project-level provider when:

* Different projects need separate billing or rate limits.
* You want to isolate API usage by project.
* Projects require different provider accounts or credentials.

1. Go to your project.
2. Go to **<Icon icon="settings-2" /> Settings** > [**<Icon icon="sparkle" /> AI providers**](https://www.braintrust.dev/app/~/configuration/org/secrets).
3. Under **Project AI providers**, click <Icon icon="plus" /> **Project provider** and choose the provider you want to configure.
4. Enter your API key for that provider.
5. Click **Save**.

You can also add a project-level provider inline from playgrounds within that project. When you attempt to run a playground without a configured provider, you'll see an option to add your API key without leaving the page.

## How project overrides work

When a project-level provider has the same provider type (or, for custom providers, the same name — case-sensitive) as an organization-level provider, the project-level entry takes precedence for that project. An **Overridden** badge appears on the organization-level row to make the precedence explicit.

Common use cases:

* Regional endpoints (for example, US-specific OpenAI keys for a project that must keep traffic in-region).
* Project-specific credentials that override an org-wide default.
* Different model deployments for different teams sharing one organization.

## Custom providers

Braintrust supports custom AI providers at both the organization and project level. Add them from the same <Icon icon="plus" /> **Organization provider** or <Icon icon="plus" /> **Project provider** picker. See [Custom providers](/integrations/ai-providers/custom) for endpoint configuration, headers, streaming, and cost metadata.

## Permissions and access

Visibility of the two sections depends on the role of the signed-in user:

* **Organization admins** see both **Organization AI providers** and **Project AI providers**.
* **Project admins** with only the project-level **Update** permission see just **Project AI providers**.

To prevent project users from adding their own provider keys, remove the **Update** permission from their project access. See [Restrict AI provider access using project permissions](/kb/restrict-ai-provider-access-using-project).

<Note>
  API keys are stored as one-way cryptographic hashes, never in plaintext.
</Note>

## Manage built-in models

[Topics](/observe/topics) use a family of Braintrust-served models (`brain-*`) for facet summarization, embeddings, and cluster naming. Braintrust hosts these models on [Baseten](https://www.baseten.co/), which is included in the Braintrust [DPA](https://www.braintrust.dev/legal/dpa) as a subprocessor.

For Braintrust-hosted (SaaS) organizations, built-in models are enabled by default. For self-hosted organizations, built-in models are disabled by default so that no trace data leaves your network boundary. Self-hosted organizations must enable built-in models to use Topics.

To enable or disable built-in models:

1. Go to **<Icon icon="settings-2" /> Settings** > [**<Icon icon="sparkle" /> AI providers**](https://www.braintrust.dev/app/~/configuration/org/secrets).
2. Under **Built-in models**, turn **Allow built-in models** on or off.

Loop is unaffected by this setting. Its chat models always come from your configured AI providers.

<Warning>
  Disabling built-in models breaks Topics, which has no third-party fallback.
</Warning>

<Note>
  Only members of the **Owners** [permission group](/admin/access-control), or a custom permission group with the **Manage settings** organization permission, can enable or disable built-in models.
</Note>

## Next steps

* Browse [supported AI providers](/integrations/ai-providers) for provider-specific configuration.
* [Restrict AI provider access using project permissions](/kb/restrict-ai-provider-access-using-project).