Configure LLM providers
How llm steps resolve a model provider and credentials — configured at the worker, not in the workflow.
Where credentials live
LLM provider credentials are configured at the worker level, not in the workflow. A workflow's llm step declares the model class it needs (e.g., gpt-4o-mini); the worker resolves the actual provider and credentials from ~/.cori/config.toml.
Never put API keys in a workflow manifest or step file. Workflow files are meant to be shared and version-controlled. Credentials belong in your local config.
Configure a provider
Add your provider credentials to ~/.cori/config.toml:
[llm.openai]
api_key = "sk-..."
[llm.anthropic]
api_key = "sk-ant-..."Or set them via cori config set:
cori config set llm.openai.api_key sk-...Tokens are stored in the OS keychain. Only metadata (which provider is configured) is stored in config.toml. Cori never writes raw credentials to disk.
First-run prompt
If a workflow has an llm step and the required provider isn't configured, Cori prompts you for the API key the first time you run the workflow. The key is stored in the OS keychain and used for subsequent runs — you won't be prompted again.
Model resolution
An llm step declares a model value (e.g., gpt-4o-mini, claude-3-5-sonnet-20241022). Cori infers the provider from the model name and looks up the corresponding credentials in config. If the credentials aren't found, it falls back to the first-run prompt.
Keeping credentials out of workflows
Never put API keys, tokens, or any credentials in:
manifest.mdfrontmatter- Step files (
steps/*.ts) types.ts- Any file in the workflow folder
Workflow folders are shared. Any credential in a workflow folder becomes a credential leak when the folder is pushed to a git repository.
All credentials go in ~/.cori/config.toml (via cori config set) or as environment variables on the machine running the worker.