> ## Documentation Index
> Fetch the complete documentation index at: https://hyperlocalise.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Provider credentials

> Set credentials for OpenAI, Azure OpenAI, Anthropic, Gemini, Bedrock, LM Studio, Ollama, Groq, and remote TMS adapters.

`hyperlocalise` reads provider credentials from:

* Export variables in your current shell session.
* `.env` and `.env.local` files in your current project directory.

Precedence:

* Already-exported shell variables are kept as-is.
* For variables not already exported, `.env.local` overrides `.env`.

Example:

<CodeGroup>
  ```bash Export theme={null}
  export OPENAI_API_KEY="your-openai-api-key"
  export AZURE_OPENAI_BASE_URL="https://<resource>.openai.azure.com/openai/v1"
  export AZURE_OPENAI_API_KEY="your-azure-openai-api-key"
  ```

  ```bash .env.local theme={null}
  OPENAI_API_KEY="your-openai-api-key"
  AZURE_OPENAI_BASE_URL="https://<resource>.openai.azure.com/openai/v1"
  AZURE_OPENAI_API_KEY="your-azure-openai-api-key"
  ```
</CodeGroup>

## LLM providers

### OpenAI

<CodeGroup>
  ```bash Export theme={null}
  export OPENAI_API_KEY="your-openai-api-key"
  ```

  ```bash .env.local theme={null}
  OPENAI_API_KEY="your-openai-api-key"
  ```
</CodeGroup>

### Azure OpenAI

<CodeGroup>
  ```bash Export theme={null}
  # Example: https://<resource>.openai.azure.com/openai/v1
  export AZURE_OPENAI_BASE_URL="https://<resource>.openai.azure.com/openai/v1"
  export AZURE_OPENAI_API_KEY="your-azure-openai-api-key"
  ```

  ```bash .env.local theme={null}
  # Example: https://<resource>.openai.azure.com/openai/v1
  AZURE_OPENAI_BASE_URL="https://<resource>.openai.azure.com/openai/v1"
  AZURE_OPENAI_API_KEY="your-azure-openai-api-key"
  ```
</CodeGroup>

### Gemini

<CodeGroup>
  ```bash Export theme={null}
  export GEMINI_BASE_URL="https://generativelanguage.googleapis.com/v1beta/openai"
  export GEMINI_API_KEY="your-gemini-api-key"
  ```

  ```bash .env.local theme={null}
  GEMINI_BASE_URL="https://generativelanguage.googleapis.com/v1beta/openai"
  GEMINI_API_KEY="your-gemini-api-key"
  ```
</CodeGroup>

### Anthropic

<CodeGroup>
  ```bash Export theme={null}
  export ANTHROPIC_BASE_URL="https://api.anthropic.com/v1"
  export ANTHROPIC_API_KEY="your-anthropic-api-key"
  ```

  ```bash .env.local theme={null}
  ANTHROPIC_BASE_URL="https://api.anthropic.com/v1"
  ANTHROPIC_API_KEY="your-anthropic-api-key"
  ```
</CodeGroup>

### AWS Bedrock

<CodeGroup>
  ```bash Export theme={null}
  export AWS_REGION="us-east-1"
  export AWS_ACCESS_KEY_ID="your-access-key-id"
  export AWS_SECRET_ACCESS_KEY="your-secret-access-key"
  # Optional when using temporary credentials:
  export AWS_SESSION_TOKEN="your-session-token"
  ```

  ```bash .env.local theme={null}
  AWS_REGION="us-east-1"
  AWS_ACCESS_KEY_ID="your-access-key-id"
  AWS_SECRET_ACCESS_KEY="your-secret-access-key"
  # Optional when using temporary credentials:
  AWS_SESSION_TOKEN="your-session-token"
  ```
</CodeGroup>

### LM Studio

<CodeGroup>
  ```bash Export theme={null}
  export LM_STUDIO_BASE_URL="http://127.0.0.1:1234/v1"
  export LM_STUDIO_API_KEY="lm-studio"
  ```

  ```bash .env.local theme={null}
  LM_STUDIO_BASE_URL="http://127.0.0.1:1234/v1"
  LM_STUDIO_API_KEY="lm-studio"
  ```
</CodeGroup>

### Ollama

<CodeGroup>
  ```bash Export theme={null}
  export OLLAMA_BASE_URL="http://127.0.0.1:11434/v1"
  export OLLAMA_API_KEY="ollama"
  ```

  ```bash .env.local theme={null}
  OLLAMA_BASE_URL="http://127.0.0.1:11434/v1"
  OLLAMA_API_KEY="ollama"
  ```
</CodeGroup>

### Groq

<CodeGroup>
  ```bash Export theme={null}
  export GROQ_BASE_URL="https://api.groq.com/openai/v1"
  export GROQ_API_KEY="your-groq-api-key"
  ```

  ```bash .env.local theme={null}
  GROQ_BASE_URL="https://api.groq.com/openai/v1"
  GROQ_API_KEY="your-groq-api-key"
  ```
</CodeGroup>

## Storage adapters

### POEditor

<CodeGroup>
  ```bash Export theme={null}
  export POEDITOR_API_TOKEN="your-poeditor-token"
  ```

  ```bash .env.local theme={null}
  POEDITOR_API_TOKEN="your-poeditor-token"
  ```
</CodeGroup>

### LILT AI

<CodeGroup>
  ```bash Export theme={null}
  export LILT_API_TOKEN="your-lilt-token"
  ```

  ```bash .env.local theme={null}
  LILT_API_TOKEN="your-lilt-token"
  ```
</CodeGroup>

### Lokalise

<CodeGroup>
  ```bash Export theme={null}
  export LOKALISE_API_TOKEN="your-lokalise-token"
  ```

  ```bash .env.local theme={null}
  LOKALISE_API_TOKEN="your-lokalise-token"
  ```
</CodeGroup>

### Crowdin

<CodeGroup>
  ```bash Export theme={null}
  export CROWDIN_API_TOKEN="your-crowdin-token"
  ```

  ```bash .env.local theme={null}
  CROWDIN_API_TOKEN="your-crowdin-token"
  ```
</CodeGroup>

If you use Crowdin Enterprise, also set `storage.config.apiBaseURL` in `i18n.yml` to your Enterprise API host. Example: `https://example.api.crowdin.com`.

### Smartling

<CodeGroup>
  ```bash Export theme={null}
  export SMARTLING_USER_SECRET="your-smartling-user-secret"
  ```

  ```bash .env.local theme={null}
  SMARTLING_USER_SECRET="your-smartling-user-secret"
  ```
</CodeGroup>

Smartling also requires `storage.config.userIdentifier` in `i18n.yml`.

## Security guidance

* Prefer environment variables over hardcoded tokens.
* Keep `.env` and `.env.local` out of version control.
* Rotate tokens regularly and scope them to least privilege.

## Credential management standard for local and CI

Use this operating model for all remote storage adapters, including Smartling, Lokalise, and internal custom adapters.

### Local development

1. Commit only non-secret config (`*Env` variable names) to `i18n.yml`.
2. Store real tokens in `.env.local` (developer machine only).
3. Add `.env` and `.env.local` to `.gitignore`.
4. Use separate dev and production TMS credentials.

### CI environments

1. Store secrets in your CI secret manager (for example, GitHub Actions Secrets).
2. Inject secrets only into the sync job that needs them.
3. Map CI secrets to environment variables expected by your adapter config.
4. Use environment-scoped secrets and branch protections for production sync.

### Rotation and least privilege

* Rotate tokens on a fixed schedule (for example every 90 days) and on team member offboarding.
* Create dedicated CI service users per TMS workspace or project.
* Restrict each token to the minimum API scopes required for pull/push.
* Validate rotation by running one dry-run sync before deleting the previous credential.

### Audit-friendly logging policy

* Never print raw secrets to logs, debug output, screenshots, or issue comments.
* Log only credential source names (`SMARTLING_USER_SECRET`, `LOKALISE_API_TOKEN`), not values.
* Keep CLI output in machine-readable formats (`--output json` or `--output csv`) for audit trails.
* Store CI logs and sync artifacts according to your retention policy.

## TMS adapter security checklist

Use this checklist before enabling write-enabled CI jobs.

* [ ] All adapter secrets are provided through environment variables, not inline config.
* [ ] CI uses dedicated service credentials (no personal access tokens).
* [ ] Credential scopes are limited to required projects and operations.
* [ ] Rotation schedule is documented and owned by a team.
* [ ] Pipeline logs do not expose token values.
* [ ] Scheduled dry-run `sync pull` and `sync push` jobs run successfully.
* [ ] Manual approval is required before production write sync, if needed.

The same checklist applies to Smartling, Lokalise, and custom adapters built on the storage adapter interface.
