# Provider Credentials Update Command - Documentation **Created at** 2025-12-10 **Created by** Manoj Vala ## Overview The `update-provider-credentials` command is a CLI tool that allows you to update AI provider API keys (like OpenAI, Anthropic, etc.) across **all your tenants/workspaces simultaneously** with a single command. ### What Problem Does It Solve? Imagine you have 50 workspaces using OpenAI, and your API key needs to be rotated. Without this command, you would need to: 1. Login to each workspace manually 2. Navigate to settings → providers 3. Enter the new API key 4. Save and verify 5. Repeat 49 more times... --- ## Key Features ✅ **Bulk Updates** - Update all tenants at once ✅ **Single Tenant Updates** - Update just one tenant ✅ **Automatic Validation** - Credentials are validated before saving ✅ **Automatic Encryption** - Each tenant's credentials are encrypted separately ✅ **Cache Management** - Automatically clears cached credentials ✅ **Error Isolation** - One tenant's failure doesn't stop others ✅ **Detailed Logging** - Clear success/failure reporting --- ## Quick Start ### Basic Usage ```bash flask update-provider-credentials \ --provider "openai" \ --credentials '{"openai_api_key": "sk-proj-your-new-key"}' \ --all-tenants ``` That's it! This will update OpenAI credentials for **every tenant** in your system. --- ## Command Reference ### Command Syntax ```bash flask update-provider-credentials [OPTIONS] ``` ### Required Options | Option | Description | Example | |--------|-------------|---------| | `--provider` | The AI provider name | `openai`, `anthropic` | | `--credentials` | JSON string with API credentials | `'{"openai_api_key": "sk-xxx"}'` | ### Optional Flags | Flag | Description | When to Use | |------|-------------|-------------| | `--all-tenants` | Update all tenants | When rolling out keys to everyone | | `--tenant-id` | Update specific tenant | When testing or updating one workspace | ### Important Notes **If you don't specify `--tenant-id` or `--all-tenants`, the command will default to updating ALL tenants.** --- ## Usage Examples ### Example 1: Update OpenAI for All Tenants **Scenario:** Your OpenAI API key has been rotated and needs to be updated everywhere. ```bash flask update-provider-credentials \ --provider "openai" \ --credentials '{"openai_api_key": "sk-proj-abc123xyz"}' \ --all-tenants ``` **Output:** ``` Updating provider "openai" for 50 tenant(s)... ✓ Updated credentials for tenant: tenant-001 ✓ Updated credentials for tenant: tenant-002 ✓ Updated credentials for tenant: tenant-003 ... ✓ Updated credentials for tenant: tenant-050 ================================================================================ Summary: Success: 50 tenant(s) ================================================================================ ``` --- ### Example 2: Update Anthropic for Single Tenant **Scenario:** Testing new Anthropic credentials on a staging workspace before rolling out. ```bash flask update-provider-credentials \ --tenant-id "staging-workspace-123" \ --provider "anthropic" \ --credentials '{"anthropic_api_key": "sk-ant-api03-xyz"}' ``` **Output:** ``` Updating provider "anthropic" for 1 tenant(s)... ✓ Updated credentials for tenant: staging-workspace-123 ================================================================================ Summary: Success: 1 tenant(s) ================================================================================ ``` --- ### Example 3: Azure OpenAI with Multiple Parameters **Scenario:** Setting up Azure OpenAI requires multiple configuration parameters. ```bash flask update-provider-credentials \ --provider "azure_openai" \ --credentials '{ "openai_api_base": "https://your-instance.openai.azure.com", "openai_api_key": "your-azure-key-here", "openai_api_version": "2023-05-15" }' \ --all-tenants ``` --- ### Example 4: Interactive Mode **Scenario:** You don't remember the exact syntax. ```bash flask update-provider-credentials ``` **The command will prompt you:** ``` Provider name: openai Credentials (JSON format): {"openai_api_key": "sk-proj-xyz"} ``` Then it will proceed with the update for all tenants. --- ## Credential Format Guide Different providers require different credential formats. Here are the most common ones: ### OpenAI ```json { "openai_api_key": "sk-proj-your-key-here" } ``` ### Anthropic (Claude) ```json { "anthropic_api_key": "sk-ant-api03-your-key-here" } ``` ### Cohere ```json { "api_key": "your-cohere-key" } ``` ### Hugging Face ```json { "huggingfacehub_api_token": "hf_your-token" } ``` --- ## What Happens Behind the Scenes When you run the command, here's what happens automatically: ``` 1. Validate Credentials ├─ Parse JSON format ├─ Check provider exists └─ Validate with provider API 2. Process Each Tenant ├─ Encrypt credentials with tenant's key ├─ Save to database ├─ Clear Redis cache └─ Log result (success/failure) 3. Generate Report ├─ Count successes ├─ List failures (if any) └─ Display summary All of this happens in 30-45 seconds! ``` --- ## Best Practices ### 1. **Always Test First** Before updating all tenants, test on one: ```bash # Test on staging/test tenant flask update-provider-credentials \ --tenant-id "test-workspace" \ --provider "openai" \ --credentials '{"openai_api_key": "sk-new"}' # Verify it works in the application # Then roll out flask update-provider-credentials \ --all-tenants \ --provider "openai" \ --credentials '{"openai_api_key": "sk-new"}' ``` --- ### 2. **Use Environment Variables for Security** Don't expose keys in command history: ```bash # Set environment variable export OPENAI_KEY="sk-proj-your-key-here" # Use in command (keys not logged in history) flask update-provider-credentials \ --provider "openai" \ --credentials "{\"openai_api_key\": \"$OPENAI_KEY\"}" \ --all-tenants ``` --- ### 3. **Validate JSON Format** Use a JSON validator before running: ```bash # Test your JSON is valid echo '{"openai_api_key": "sk-test"}' | python -m json.tool # If it prints formatted JSON, it's valid! ``` --- ### 4. **Keep a Backup List** Before major updates, export current state: ```bash # List all providers flask list-provider-credentials --all-tenants > backup_$(date +%Y%m%d).txt ``` --- ## Common Issues & Solutions ### Issue 1: JSON Format Error **Error:** ``` Error: Invalid JSON format for credentials. ``` **Solution:** - Use **single quotes** around the JSON - Use **double quotes** inside the JSON ```bash # Correct --credentials '{"openai_api_key": "sk-xyz"}' # Wrong --credentials {"openai_api_key": "sk-xyz"} # Missing outer quotes --credentials '{'openai_api_key': 'sk-xyz'}' # Single quotes inside ``` --- ### Issue 2: Credential Validation Failed **Error:** ``` ✗ Failed for tenant tenant-001: Credential validation failed ``` **Possible Causes:** - Invalid API key - Wrong credential format - Network connectivity issues - Provider API is down **Solution:** 1. Verify the key works by testing manually with the provider 2. Check the credential format matches the provider's requirements 3. Ensure server has internet access to validate credentials --- ### Issue 3: Partial Success **Output:** ``` Summary: Success: 45 tenant(s) Failed: 5 tenant(s) ``` **Solution:** This is normal! Failed tenants might have: - Different configurations - Locked databases - Temporary connection issues You can retry just the failed tenants individually: ```bash flask update-provider-credentials \ --tenant-id "failed-tenant-123" \ --provider "openai" \ --credentials '{"openai_api_key": "sk-xyz"}' ``` --- ## Pro Tips ### Tip 1: Use a Credentials File For complex credentials, store in a file: ```bash # Create credentials.json cat > credentials.json <<EOF { "openai_api_base": "https://your-instance.openai.azure.com", "openai_api_key": "your-key", "openai_api_version": "2023-05-15" } EOF # Use in command flask update-provider-credentials \ --provider "azure_openai" \ --credentials "$(cat credentials.json)" \ --all-tenants # Clean up rm credentials.json ``` --- ### Tip 2: Script for Multiple Providers Update multiple providers at once: ```bash #!/bin/bash # update_all_providers.sh # OpenAI flask update-provider-credentials \ --provider "openai" \ --credentials '{"openai_api_key": "sk-new-openai"}' \ --all-tenants # Anthropic flask update-provider-credentials \ --provider "anthropic" \ --credentials '{"anthropic_api_key": "sk-new-anthropic"}' \ --all-tenants echo "All providers updated!" ``` --- ## Related Commands ```bash # Validate credentials before updating flask validate-provider-credentials \ --provider "openai" \ --credentials '{"openai_api_key": "sk-test"}' # Test connection after update flask test-provider-connection \ --tenant-id "abc-123" \ --provider "openai" ``` --- ## Support & Troubleshooting If you encounter issues: 1. **Check logs** - Review command output for specific errors 2. **Test single tenant** - Isolate the problem 3. **Verify credentials** - Use the validation command 4. **Check network** - Ensure server can reach provider APIs --- # Logged all the commands locally: ## Not Found Tenant: ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "openai-api-key"}' --tenant-id c12681f9-2aa8-45b4-861c-306e64dcbc90 --validate false /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: No Tenant 'c12681f9-2aa8-45b4-861c-306e64dcbc90' not found. ``` ## Invalid Tenant Id (UUID): ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "openai-api-key"}' --tenant-id c12681f9-2aa8-45b4-861c-306e64dcbc9 --validate false /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: No Invalid tenant ID. Must be UUID. ``` ## Wrong OpenAI API key (Default Validation True): ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "wrong-openai-api-key"}' /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: Yes Validating credentials for provider "openai"... INFO:httpx:HTTP Request: POST https://api.openai.com/v1/chat/completions "HTTP/1.1 401 Unauthorized" ✗ Validation failed: Error code: 401 - {'error': {'message': 'Incorrect API key provided: sk-proj-**********************************************************************************************************************************************************8ABB. You can find your API key at https://platform.openai.com/account/api-keys.', 'type': 'invalid_request_error', 'code': 'invalid_api_key', 'param': None}, 'status': 401} Credentials validation failed. Aborting update. ``` ## Correct OpenAI API key and Specified Tenant (Default Validation True): ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "correct-openai-api-key"}' --tenant-id 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: Yes Validating credentials for provider "openai"... INFO:httpx:HTTP Request: POST https://api.openai.com/v1/chat/completions "HTTP/1.1 200 OK" ✓ Credentials are valid! Validated credentials: openai_api_key: sk-proj-...Tm8A Updating provider 'openai' for tenant: 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ✓ Updated credentials → 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ============================================================================ Summary Success: 1 Failed: 0 ============================================================================ ``` ## Without Validation CORRECT key (Explicitly Validation False): ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "correct-openai-api-key"}' --tenant-id 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 --validate false /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: No Updating provider 'openai' for tenant: 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ✓ Updated credentials → 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ================================================================================ Summary Success: 1 Failed: 0 ================================================================================ ``` ## Without Validation INCORRECT Key: ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "wrong-openai-api-key"}' --tenant-id 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 --validate false /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: No Updating provider 'openai' for tenant: 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ✓ Updated credentials → 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ================================================================================ Summary Success: 1 Failed: 0 ================================================================================ ``` ## With Validation CORRECT Key: ```bash $ flask update-provider-credentials --provider "openai" --credentials '{"openai_api_key": "correct-openai-api-key"}' --validate true /home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/jieba/_compat.py:18: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. import pkg_resources INFO:pinecone_plugin_interface.logging:Discovering subpackages in _NamespacePath(['/home/theonetech/Manoj/MyBuddyAI/mybuddy/api/.venv/lib/python3.10/site-packages/pinecone_plugins']) INFO:pinecone_plugin_interface.logging:Looking for plugins in pinecone_plugins.inference INFO:pinecone_plugin_interface.logging:Installing plugin inference into Pinecone INFO:root:vader_lexicon not found, downloading now... [nltk_data] Downloading package vader_lexicon to [nltk_data] /home/theonetech/nltk_data... [nltk_data] Package vader_lexicon is already up-to-date! INFO:root:vader_lexicon downloaded successfully. INFO:root:Sentiment model loaded successfully. Validation needed before saving: Yes Validating credentials for provider "openai"... INFO:httpx:HTTP Request: POST https://api.openai.com/v1/chat/completions "HTTP/1.1 200 OK" ✓ Credentials are valid! Validated credentials: openai_api_key: sk-proj-...Tm8A Updating provider 'openai' for 2 tenant(s)... ✓ Updated credentials → 28e5f20f-0f9e-42a8-b99e-768fee6a51c4 (Manoj Vala's Workspace) ✓ Updated credentials → c12681f9-2aa8-45b4-861c-306e64dcbc99 (Manoj Vala's Workspace) ================================================================================ Summary Success: 2 Failed: 0 ================================================================================ ```