Setup

Provider credentials

Provider credentials belong to the agent CLI or provider you use, not to Coldtea's local terminal host.

Coldtea launches the agent. The agent decides how to authenticate with Anthropic, OpenAI, Google, OpenCode providers, local models, or any other backend it supports.

The simple rule

If an agent needs a model provider key, subscription, login, or provider config, set that up in the agent's normal flow.

That may mean:

  • A browser login opened by the agent.
  • A CLI auth command from the agent's docs.
  • Environment variables inherited from your shell.
  • A provider config file owned by the agent.
  • OpenCode's /connect flow or opencode auth login.

Do not paste provider keys into task descriptions, prompts, shared logs, or screenshots.

What Coldtea does not do

For local agent sessions, Coldtea does not need to store your model provider keys.

It also should not be used as a parallel provider setup screen when the agent already owns that setup. If Codex, Claude Code, Gemini, or OpenCode reports an auth problem, fix it in that agent's flow first.

Coldtea may use team or cloud integrations for collaboration features when your workspace enables them. Those are separate from the provider credentials your local agent CLI uses.

Check credentials safely

Before a real edit, start the agent and ask for a read-only action:

Say which model/provider you are using if the CLI exposes it, then inspect the repository structure. Do not edit files.

If the agent asks you to log in, complete the login in the agent's own prompt or terminal flow. If it prints an auth error, read the error from the terminal and follow that agent's setup docs.

Environment variables

Some agents and tools read provider credentials from environment variables. If you use that path, remember that a Coldtea-launched terminal can inherit shell environment just like a normal terminal.

Keep secrets out of committed files. Use local-only files or your shell's secret management when possible.

Team policy

For teams, agree on this before rollout:

  • Which provider accounts agents may use.
  • Whether production credentials are allowed in local agent sessions.
  • Which secrets must never be pasted into shared Coldtea surfaces.
  • Who can connect team integrations.

The safest default is boring: local agents use least-privilege credentials, and humans review before anything ships.

Next: agent setup or security and privacy.

Linear

Previous Page

Worktree scripts

Next Page

On this page

The simple ruleWhat Coldtea does not doCheck credentials safelyEnvironment variablesTeam policy