- Organization AI providers: defaults available across every project in the organization.
- Project AI providers: overrides for the currently selected project.
abc...xyz) and a Last updated timestamp that tracks when the key value itself was last changed, along with the user who made the change. Renaming a provider or editing other metadata does not bump this timestamp. Keys that have not been rotated in over six months display a warning indicator. Braintrust recommends disabling and rotating AI provider secrets periodically.
Add an organization-level provider
Organization-level keys serve as defaults across all projects in the organization.- Go to Settings > AI providers.
- Under Organization AI providers, click Organization provider and choose the provider you want to configure.
- Enter your API key for that provider.
- Click Save.
Authentication methods
Most providers authenticate with a long-lived API key. Some also support alternatives that avoid storing a long-lived provider credential in Braintrust:- Workload identity federation: Braintrust exchanges a short-lived, Braintrust-signed OIDC token for a provider access token at request time, so no long-lived key is stored. Available for OpenAI, Anthropic, Google Vertex AI, and Azure AI Foundry, for organization-level providers on Braintrust-hosted organizations with the gateway enabled.
- Cloud-native role assumption: Bedrock supports AWS
AssumeRoleinstead of storing long-lived access keys.
Add a project-level provider
Use a project-level provider when:- Different projects need separate billing or rate limits.
- You want to isolate API usage by project.
- Projects require different provider accounts or credentials.
- A project must use a specific regional endpoint (for example, US-specific OpenAI keys to keep traffic in-region).
- Go to your project.
- Go to Settings > AI providers.
- Under Project AI providers, click Project provider and choose the provider you want to configure.
- Enter your API key for that provider.
- Click Save.
Custom providers
Braintrust supports custom AI providers at both the organization and project level. Add them from the same Organization provider or Project provider picker. See Custom providers for endpoint configuration, headers, streaming, and cost metadata.How project overrides work
A request specifies a model, such asgpt-4o. To serve it, Braintrust:
- Determines which providers are available to the project.
- Routes the request to one of them that supports the requested model.
- Built-in providers override by provider type.
- Custom providers override by exact name, which is case-sensitive.
Staging OpenAI does not override an organization-level custom provider named Production OpenAI. Both remain available. Adding a differently named provider doesn’t force Braintrust to use it, it just adds another eligible option.
| Goal | What to do |
|---|---|
| Override a built-in provider | Add a project-level provider with the same provider type |
| Override a custom provider | Add a project-level provider with the exact same name |
| Add another provider option | Use a different provider type or custom provider name |
OpenAI Proxy, openai proxy, and OpenAI proxy are three different providers.
To confirm which provider served a request, check the x-bt-used-endpoint response header, which contains the name of the provider that handled it.
These rules describe the gateway. The legacy AI proxy uses the same override rule, but applies it per model: a project-level provider overrides the organization-level one only for the models it serves. When several different-named providers are eligible for the same model, the proxy selects among them at random.
Permissions and access
Visibility of the two sections depends on the role of the signed-in user:- Organization admins see both Organization AI providers and Project AI providers.
- Project admins with only the project-level Update permission see just Project AI providers.
- Project members without Update don’t see the Project AI providers section at all.
- In your project, go to Settings > Project permissions.
- Remove the Update permission from non-admin users or their permission groups. Without Update, they can’t add or modify project-level AI providers.
- To preserve normal project work, create a permission group that grants Read, Create, and Delete but not Update, then assign those users to it.
Update controls, see What Update covers.
Removing Update doesn’t cut off access to organization-level providers. Those stay available to every user for playgrounds, experiments, and the gateway, regardless of project permissions.
API keys are stored as one-way cryptographic hashes, never in plaintext.
Manage built-in models
Topics use a family of Braintrust-served models (brain-*) for facet summarization, embeddings, and cluster naming. Braintrust hosts these models on Baseten, which is included in the Braintrust DPA as a subprocessor.
For Braintrust-hosted (SaaS) organizations, built-in models are enabled by default. For self-hosted organizations, built-in models are disabled by default so that no trace data leaves your network boundary. Self-hosted organizations must enable built-in models to use Topics.
To enable or disable built-in models:
- Go to Settings > AI providers.
- Under Built-in models, turn Allow built-in models on or off.
Only members of the Owners permission group, or a custom permission group with the Manage settings organization permission, can enable or disable built-in models.
GLM-5.2
GLM-5.2 is available for a limited time, through July 31, 2026.
glm-5.2.
On Starter and Pro plans, GLM-5.2 usage draws down your monthly credit, shared with Topics, at $1.40 per million input tokens, $4.40 per million output tokens, and $0.26 per million cached input tokens. On Starter, GLM-5.2 is available once you enable on-demand usage, and your included credit still applies first. Usage beyond the credit continues at the same rates.
Next steps
- Browse supported AI providers for provider-specific configuration.
- Manage permissions to control who can add or modify project-level AI providers.