1. Credential
Pick the provider from the catalog, then choose how to authenticate:- Managed credential — you paste an API key (or the provider’s cloud credential) and to11 stores it encrypted. The gateway attaches it to every request it routes to that provider.
- BYOK / passthrough — no key is stored. Every request your application sends must carry the provider key itself in the
Authorizationheader, and the gateway forwards it upstream. See Passthrough routing.
2. Name & routing
Give the connection a display name and a routing identifier. The routing identifier is the stable name you reference when you build routing rules, so choose something durable. The provider’s base URL is filled in from the catalog. Override it only when you reach the provider at a non-standard host — for example, a self-managed or regional endpoint.3. Environments
Choose which of the project’s environments this connection is active in. A provider you only want in staging stays out of production until you activate it there.4. Models
Select which of the provider’s models this connection exposes. For most providers, Test connection validates your credential and discovers the available models, which you then pick from. The models you select are the ones available when you build routes.A few providers — for example, Amazon Bedrock and Google Vertex AI — validate the credential on the first real request rather than from the drawer. You can still complete the connection; the gateway confirms the credential when it first routes to the provider.
See also
Providers
What a connected provider is.
Supported providers
Per-provider format, streaming, and tool-call support.