SesameSesame
Agents

Credentials

Configure API keys and subscription tokens for AI agents

Sesame supports two authentication methods for AI agents: API keys (pay-per-token) and subscription credentials (flat monthly rate). This page covers how to set up both.

API Keys vs Subscriptions

MethodBillingSetupBest For
API KeysPay-per-tokenSimpleLight/moderate usage
SubscriptionsMonthly flat rateOAuth flowHeavy usage, existing subscriptions

Setting Up API Keys

Per-User Keys

Users can add their own API keys:

  1. Click your avatar → Settings
  2. Go to API Keys tab
  3. Enter keys for your preferred agents
  4. Click Save

Keys are encrypted at rest and only used for your tasks.

System-Wide Keys

Admins can set default API keys via environment variables. These are used when users don't have their own keys configured.

.env
# Agent API keys
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
GEMINI_API_KEY=...
COPILOT_GITHUB_TOKEN=ghp_...

System-wide keys are shared by all users. For multi-user deployments, encourage users to add their own keys.

Setting Up Subscription Credentials

Use your existing AI subscriptions instead of pay-per-token billing.

Accessing Agent Credentials

  1. Click your avatar in the top-right corner
  2. Select Agent Credentials
  3. Expand the agent you want to configure
  4. Follow the setup instructions
  5. Click Save Credentials

Claude Code (Anthropic)

Supported subscriptions: Claude Max ($200/mo), Claude Pro ($20/mo)

  1. Open a terminal and run: 
    claude setup-token
  2. Complete the browser authentication flow
  3. Copy the generated token (starts with sk-ant-oat01-)
  4. Paste in Sesame's Agent Credentials dialog

How it works: Sesame creates a credentials file that Claude Code reads on startup.

Codex (OpenAI)

Supported subscriptions: ChatGPT Plus ($20/mo), ChatGPT Pro ($200/mo)

  1. Enable device code auth in ChatGPT security settings
  2. Run in terminal: 
    codex login --device-auth
  3. Complete the authentication flow
  4. Copy contents of ~/.codex/auth.json
  5. Enter the access token (and optionally refresh token) in Sesame

Copilot (GitHub)

Supported subscriptions: Copilot Individual ($10/mo), Business ($19/mo), Enterprise

  1. Go to GitHub Personal Access Tokens
  2. Create a fine-grained token with Copilot permission
  3. Paste the token in Sesame's Agent Credentials dialog

This is separate from the GitHub PAT used for repository access. The Copilot token specifically needs the "Copilot" permission.

Gemini (Google)

API key only - Gemini CLI doesn't support subscription-based authentication headlessly.

Google One AI Premium requires browser-based authentication that can't be automated. Use an API key:

  1. Go to Google AI Studio
  2. Create or copy your API key
  3. Enter in Settings → API Keys (or GEMINI_API_KEY env var)

OpenCode

OpenCode has its own provider management system that supports both API keys and OAuth.

Supported OAuth providers:

  • Anthropic: Claude Max ($200/mo), Claude Pro ($20/mo)
  • OpenAI: ChatGPT Plus ($20/mo), ChatGPT Pro ($200/mo)

Setup via Provider Management UI:

  1. Select OpenCode as the agent when creating a task
  2. Click Manage Providers next to the model dropdown
  3. Click Connect on your preferred provider
  4. Choose Use Subscription for OAuth or Use API Key
  5. Complete the authentication flow

OAuth Flows:

  • Anthropic (code flow): Visit URL, copy code, paste back in Sesame
  • OpenAI (device code flow): Visit URL, enter device code, wait for auto-completion

See OpenCode for complete details.

Credential Priority

When running a task, Sesame checks for credentials in order:

Security

Encryption

  • All credentials encrypted at rest using AES-256
  • Encryption key set via ENCRYPTION_KEY environment variable
  • Credentials only decrypted when executing a task

Isolation

  • Each user's credentials are isolated
  • Users cannot access other users' credentials
  • Admins cannot view user credentials (only delete)

Revocation

To remove credentials:

  1. In Sesame: Agent Credentials → Remove Credentials
  2. At provider: Revoke the token in your provider's settings

Troubleshooting

"Authentication failed" Error

  • Verify your subscription is active
  • Check you copied the entire token
  • For Claude: ensure token starts with sk-ant-oat01-
  • For Codex: verify device auth is enabled in ChatGPT settings

Token Expired

OAuth tokens may expire. Re-run the setup command and update credentials:

# Claude
claude setup-token

# Codex
codex login --device-auth

Credentials Not Working

  1. Remove and re-add the credentials
  2. Check the agent's logs for specific error messages
  3. Verify your subscription hasn't expired
  4. Try using an API key instead to isolate the issue

Agents

How AI coding agents work in Sesame

Claude Code

Anthropic's Claude Code agent for AI-assisted coding

On this page

API Keys vs SubscriptionsSetting Up API KeysPer-User KeysSystem-Wide KeysSetting Up Subscription CredentialsAccessing Agent CredentialsClaude Code (Anthropic)Codex (OpenAI)Copilot (GitHub)Gemini (Google)OpenCodeCredential PrioritySecurityEncryptionIsolationRevocationTroubleshooting"Authentication failed" ErrorToken ExpiredCredentials Not Working