Stats
Actions
Tags
From bento
Registers AI-provider API keys (OpenAI, Anthropic, OpenRouter, Gemini, etc.) on a bento VPS via SSH and propagates them to all BENTO_MANAGED stacks. Validates keys and updates running services.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bento:authThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are handling a secret (an API key) on the user's behalf. **Never echo the
You are handling a secret (an API key) on the user's behalf. Never echo the
key into any output, log line, or command you display — keep it out of
narration and out of BENTO_VERBOSE traces. All artifacts stay in English.
<host>"This is API KEYS only. If the user wants to use a subscription
(Claude Pro/Max, ChatGPT Plus), do NOT use bento-auth — point them at the app's
native sign-in (e.g. openclaw models auth login --provider openai, or
paperclip's bundled claude /login). bento-auth's old subscription snapshots
went stale in days and were removed.
| Input | Source | Notes |
|---|---|---|
| VPS host + SSH user | user message; default user root | reachable via SSH |
| provider | user message | must be a bento-auth catalog id (see below) |
| API key | user message — collect privately, NEVER display it back |
Discover the valid provider ids from the host itself (don't hardcode):
ssh "$user@$host" "bash /root/.local/share/bento/scripts/bento-auth --help"
bento-auth reads the key from stdin (read -rs) and honours
BENTO_AUTH_ASSUME_YES=1 to skip the "store anyway?" prompt on a failed
validation. So you can pipe the key in without a TTY. Read the key into a shell
variable WITHOUT printing it, then:
# Collect the key into $KEY by whatever private means; do not echo it.
printf '%s\n' "$KEY" | ssh "$user@$host" \
"BENTO_AUTH_ASSUME_YES=1 bash /root/.local/share/bento/scripts/bento-auth <provider>"
unset KEY
For an exotic OpenAI-compatible endpoint not in the catalog:
printf '%s\n' "$KEY" | ssh "$user@$host" \
"BENTO_AUTH_ASSUME_YES=1 bash /root/.local/share/bento/scripts/bento-auth openai-compat <label> <base_url>"
bento-auth validates the key (where the catalog defines a validate URL),
persists it to state.providers.<ENV>, and runs auth_propagate_state_providers
to docker service update --env-add it onto every running BENTO_MANAGED stack.
Future deploys inherit it automatically.
If validation fails, bento-auth (with ASSUME_YES) still stores it and prints a warning — surface that warning to the user so they can re-check the key.
ssh "$user@$host" "bash /root/.local/share/bento/scripts/bento-auth list"
This prints registered keys MASKED — safe to show the user. Confirm the provider's env var appears.
${ENV} in an openclaw custom-provider
definition if they want it there.Full reference: docs/reference/bento-auth.md on the host (and in the repo).
npx claudepluginhub felipefontoura/bento --plugin bentoDrives an end-to-end bento install on a fresh Ubuntu/Debian VPS via SSH: pre-flight checks, unattended setup, infra and app deploys, recovery, and final report. For first-run only; use deploy skill for existing servers.
Guides BYOK API key setup in Cursor for OpenAI, Anthropic, Google Gemini, Azure, AWS Bedrock, and custom endpoints. Use when configuring AI models beyond Cursor's quota.
Audits API key usage in production AI systems and recommends migrating to short-lived OIDC bearer tokens. Covers credential storage, gateway deployment, and deprecation planning.