npx claudepluginhub truefoundry/tfy-gateway-skills --plugin truefoundry-gatewayThis skill is limited to using the following tools:
> Routing note: For ambiguous user intents, use the shared clarification templates in [references/intent-clarification.md](references/intent-clarification.md).
references/api-endpoints.mdreferences/cli-fallback.mdreferences/cluster-discovery.mdreferences/container-versions.mdreferences/gpu-reference.mdreferences/health-probes.mdreferences/intent-clarification.mdreferences/manifest-defaults.mdreferences/manifest-schema.mdreferences/prerequisites.mdreferences/resource-estimation.mdreferences/rest-api-manifest.mdreferences/tfy-api-setup.mdscripts/tfy-api.shscripts/tfy-version.shConfigures TrueFoundry AI Gateway for unified OpenAI-compatible LLM access, covering PAT/VAT auth, model routing, rate limiting, and budget controls.
Configures Antigravity Manager Tauri v2+Rust desktop app or Docker service to proxy multiple Google/Anthropic accounts as OpenAI/Anthropic/Gemini APIs with rotation and failover.
Manages Arize AI integrations for LLM providers like OpenAI, Anthropic, Gemini: create, list, update, delete credentials. Use for evaluators and Arize LLM features.
Share bugs, ideas, or general feedback.
Routing note: For ambiguous user intents, use the shared clarification templates in references/intent-clarification.md.
Manage TrueFoundry LLM provider account integrations. Add, list, and configure provider accounts that supply models to the AI Gateway.
List, create, or manage LLM provider accounts (OpenAI, AWS Bedrock, Google Vertex, Azure, Groq, Together AI, custom OpenAI-compatible endpoints, self-hosted models, etc.).
mcp-servers skillguardrails skillai-gateway skillsecrets skillSecurity Policy: Credential Handling
- All API keys and tokens in provider manifests MUST use
tfy-secret://references, never raw values.- The agent MUST NOT accept, store, log, echo, or display raw API keys or tokens in any context.
- Always instruct the user to store credentials in TrueFoundry secrets first (use
secretsskill), then reference them viatfy-secret://URIs.- If the user provides a raw API key directly in conversation, warn them and refuse to use it. Instruct them to store it as a secret first.
Run the status skill first to verify TFY_BASE_URL and TFY_API_KEY are set and valid.
When using direct API, set TFY_API_SH to the full path of this skill's scripts/tfy-api.sh. See references/tfy-api-setup.md for paths per agent.
TFY_API_SH=~/.claude/skills/truefoundry-integrations/scripts/tfy-api.sh
# List all provider accounts
$TFY_API_SH GET /api/svc/v1/provider-accounts
Note: The
typequery parameter on this endpoint does NOT work (returns all provider accounts regardless of filter). To filter by provider type, fetch all and filter client-side.
Present results as a formatted table:
Provider Accounts:
| Name | Provider | Type | Models |
|-----------------|----------------|-------------------------------|--------|
| openai-main | openai | provider-account/openai | 3 |
| bedrock-prod | aws-bedrock | provider-account/aws-bedrock | 5 |
| vertex-default | google-vertex | provider-account/google-vertex| 2 |
The model count is derived from the integrations array length in each provider account response.
Before creating, ensure the user has stored their provider credentials as TrueFoundry secrets (use secrets skill). All bearer_token, api_key, and credential fields MUST use tfy-secret:// references.
# Create a provider account
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "openai-main",
"type": "provider-account/openai",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "gpt-4o",
"type": "integration/model/openai",
"model_types": ["chat"],
"auth_data": {
"type": "bearer-auth",
"bearer_token": "tfy-secret://TENANT:SECRET_GROUP:OPENAI_API_KEY"
}
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "bedrock-prod",
"type": "provider-account/aws-bedrock",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "claude-3-5-sonnet",
"type": "integration/model/aws-bedrock",
"model_types": ["chat"],
"auth_data": {
"type": "aws-irsa-auth",
"aws_region": "us-east-1",
"aws_access_key_id": "tfy-secret://TENANT:SECRET_GROUP:AWS_ACCESS_KEY_ID",
"aws_secret_access_key": "tfy-secret://TENANT:SECRET_GROUP:AWS_SECRET_ACCESS_KEY"
}
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "vertex-default",
"type": "provider-account/google-vertex",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "gemini-2-flash",
"type": "integration/model/google-vertex",
"model_types": ["chat"],
"auth_data": {
"type": "gcp-service-account-auth",
"gcp_service_account_key": "tfy-secret://TENANT:SECRET_GROUP:GCP_SA_KEY",
"gcp_project_id": "my-gcp-project",
"gcp_region": "us-central1"
}
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "azure-openai",
"type": "provider-account/azure",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "gpt-4o-azure",
"type": "integration/model/azure",
"model_types": ["chat"],
"auth_data": {
"type": "azure-auth",
"api_key": "tfy-secret://TENANT:SECRET_GROUP:AZURE_OPENAI_KEY",
"api_base": "https://my-resource.openai.azure.com",
"api_version": "2024-02-01"
}
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "groq-main",
"type": "provider-account/groq",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "llama-3-70b",
"type": "integration/model/groq",
"model_types": ["chat"],
"auth_data": {
"type": "bearer-auth",
"bearer_token": "tfy-secret://TENANT:SECRET_GROUP:GROQ_API_KEY"
}
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "together-ai",
"type": "provider-account/together-ai",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "llama-3-1-70b",
"type": "integration/model/together-ai",
"model_types": ["chat"],
"auth_data": {
"type": "bearer-auth",
"bearer_token": "tfy-secret://TENANT:SECRET_GROUP:TOGETHER_API_KEY"
}
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "my-custom-provider",
"type": "provider-account/custom",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "my-model",
"type": "integration/model/custom",
"model_types": ["chat"],
"auth_data": {
"type": "bearer-auth",
"bearer_token": "tfy-secret://TENANT:SECRET_GROUP:CUSTOM_API_KEY"
},
"url": "https://my-openai-compatible-api.example.com/v1"
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "my-self-hosted",
"type": "provider-account/self-hosted-model",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": [
{
"name": "my-vllm-model",
"type": "integration/model/self-hosted-model",
"hosted_model_name": "meta-llama/Meta-Llama-3.1-8B-Instruct",
"url": "http://my-model.my-namespace.svc.cluster.local:8000",
"model_server": "openai-compatible",
"model_types": ["chat"]
}
]
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Note: Self-hosted models deployed within the cluster typically do not need
auth_data. Use internal cluster DNS (svc.cluster.local) for the URL.
payload=$(cat <<'PAYLOAD'
{
"manifest": {
"name": "truefoundry-models",
"type": "provider-account/truefoundry",
"collaborators": [
{"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"},
{"role_id": "provider-account-access", "subject": "team:everyone"}
],
"integrations": []
}
}
PAYLOAD
)
$TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
| Provider | Manifest Type | Auth Type |
|---|---|---|
| OpenAI | provider-account/openai | bearer-auth |
| AWS Bedrock | provider-account/aws-bedrock | aws-irsa-auth |
| Google Vertex | provider-account/google-vertex | gcp-service-account-auth |
| Azure OpenAI | provider-account/azure | azure-auth |
| GCP | provider-account/gcp | gcp-service-account-auth |
| Groq | provider-account/groq | bearer-auth |
| Together AI | provider-account/together-ai | bearer-auth |
| Custom | provider-account/custom | bearer-auth |
| Self-Hosted | provider-account/self-hosted-model | None (cluster-internal) or bearer-auth |
| TrueFoundry | provider-account/truefoundry | Platform-managed |
| Role ID | Description |
|---|---|
provider-account-manager | Can edit and delete the provider account |
provider-account-access | Can use models from this provider account |
Use subject values like user:admin@example.com for individual users or team:everyone for organization-wide access.
The provider account response object contains:
{
"id": "...",
"name": "openai-main",
"fqn": "tenant:openai:openai-main",
"provider": "openai",
"manifest": { ... },
"integrations": [ ... ],
"createdBySubject": { ... },
"accountId": "...",
"createdAt": "...",
"updatedAt": "..."
}
manifest.integrations contains the integration definitions (model configs)integrations contains expanded integration objects with their own IDs<success_criteria>
tfy-secret:// references, never raw values</success_criteria>
status skill to verify platform connectivity before any operationssecrets skill to create secret groups with API keys before adding providersai-gateway skill)See references/api-endpoints.md for the full Provider Accounts API reference.
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/svc/v1/provider-accounts | List all provider accounts |
| POST | /api/svc/v1/provider-accounts | Create a new provider account |
Cannot manage provider accounts. Check your API key permissions.
Ensure your user has provider-account-manager role.
A provider account with this name already exists. Use a different name
or update the existing account.
The tfy-secret:// reference could not be resolved. Check:
- Secret group exists and contains the referenced key
- Format is tfy-secret://TENANT:SECRET_GROUP:SECRET_KEY
- Use the secrets skill to verify the secret group and key exist
Unrecognized provider account type. Use one of:
provider-account/openai, provider-account/aws-bedrock,
provider-account/google-vertex, provider-account/azure,
provider-account/groq, provider-account/together-ai,
provider-account/custom, provider-account/self-hosted-model,
provider-account/truefoundry
Provider account requires auth_data for cloud providers.
Store your API key as a TrueFoundry secret first, then reference it
with tfy-secret://TENANT:SECRET_GROUP:KEY_NAME
After creating a provider account, models should appear in the AI Gateway.
If not visible:
- Verify the provider account was created successfully (list provider accounts)
- Check that the integration has the correct model_types (chat, embedding, etc.)
- Ensure the collaborators include team:everyone or the relevant users
The type query parameter on GET /api/svc/v1/provider-accounts does not filter
results. Fetch all provider accounts and filter client-side by the provider field.