Environment:Promptfoo Promptfoo Provider API Keys

Knowledge Sources	Promptfoo Provider Documentation
Domains	Infrastructure, Authentication
Last Updated	2026-02-14 08:00 GMT

Overview

Environment variables for authenticating with 30+ LLM provider APIs, loaded via dotenv and the centralized `getEnvString()` accessor.

Description

Promptfoo supports over 30 LLM providers, each requiring one or more API keys passed as environment variables. The `src/envars.ts` module defines all supported variables with their types and uses dotenv for automatic `.env` file loading. Keys are accessed through the `getEnvString()` function which first checks CLI state overrides, then falls back to `process.env`. API keys are never logged or cached; the logger sanitizes them automatically.

Usage

Required when running evaluations or red team scans against any cloud-hosted LLM provider. Set the relevant API key for the provider(s) you are using. Keys can be provided via environment variables, `.env` files, or the `--env-file` CLI flag.

System Requirements

Category	Requirement	Notes
Network	Internet access	Required for cloud provider API calls
Proxy	Optional	Supports HTTP_PROXY, HTTPS_PROXY, ALL_PROXY, NO_PROXY

Dependencies

Node.js Packages

`dotenv` >= 17.2.4 (automatic `.env` loading)

Credentials

Core Provider API Keys (most commonly used):

`OPENAI_API_KEY`: OpenAI API key for GPT models
`ANTHROPIC_API_KEY`: Anthropic API key for Claude models
`GROQ_API_KEY`: Groq API key for fast inference
`MISTRAL_API_KEY`: Mistral AI API key (set via env overrides)

Cloud Platform Keys:

`AWS_BEDROCK_REGION`: AWS region for Bedrock access
`AWS_BEARER_TOKEN_BEDROCK`: Bearer token for Bedrock
`AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`: Azure AD credentials
`AZURE_DEPLOYMENT_NAME`: Azure OpenAI deployment identifier
`VERTEX_API_VERSION`: Google Vertex AI API version

Other Provider Keys:

`AI21_API_KEY`: AI21 Labs
`AIML_API_KEY`: AI/ML API
`CEREBRAS_API_KEY`: Cerebras
`CLOUDFLARE_ACCOUNT_ID`, `CLOUDFLARE_API_KEY`: Cloudflare Workers AI
`COHERE_*`: Cohere (multiple settings)
`COMETAPI_KEY`: CometAPI
`ELEVENLABS_API_KEY`: ElevenLabs voice AI
`FAL_KEY`: fal.ai image generation
`GITHUB_TOKEN`: GitHub Models
`GROQ_API_KEY`: Groq
`HELICONE_API_KEY`: Helicone gateway
`HF_TOKEN`: Hugging Face
`HYPERBOLIC_API_KEY`: Hyperbolic
`LLAMA_API_KEY`: Llama API
`NSCALE_API_KEY`: Nscale
`OLLAMA_BASE_URL`: Ollama (local, no key needed)
`OPENROUTER_API_KEY`: OpenRouter
`PORTKEY_API_KEY`: Portkey
`REPLICATE_*`: Replicate (multiple settings)
`SLACK_BOT_TOKEN`: Slack
`SNOWFLAKE_API_KEY`: Snowflake Cortex
`TOGETHER_API_KEY`: Together AI
`TRUEFOUNDRY_API_KEY`: TrueFoundry
`VOYAGE_API_KEY`: Voyage AI embeddings
`WATSONX_AI_APIKEY`: IBM WatsonX
`WITHPI_API_KEY`: Pi Labs
`XAI_API_KEY`: xAI Grok

Proxy Configuration:

`HTTP_PROXY` / `http_proxy`: HTTP proxy URL
`HTTPS_PROXY` / `https_proxy`: HTTPS proxy URL
`ALL_PROXY` / `all_proxy`: Fallback proxy
`NO_PROXY` / `no_proxy`: Proxy bypass list

SSL/TLS Certificate Configuration:

`NODE_EXTRA_CA_CERTS`: Additional CA certificates
`PROMPTFOO_CA_CERT_PATH`: Custom CA certificate
`PROMPTFOO_INSECURE_SSL`: Disable SSL verification (not recommended)

Quick Install

# Create a .env file in your project root
cat > .env << 'EOF'
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...
EOF

# Use with eval command
promptfoo eval -c config.yaml --env-file .env

Code Evidence

Environment variable accessor from `src/envars.ts:425-441`:

export function getEnvString(key: EnvVarKey, defaultValue?: string): string | undefined {
  // First check if the key exists in CLI state env config
  if (cliState.config?.env && typeof cliState.config.env === 'object') {
    const envValue = cliState.config.env[key as keyof typeof cliState.config.env];
    if (envValue !== undefined) {
      return String(envValue);
    }
  }
  // Fallback to process.env
  const value = process.env[key as string];
  if (value === undefined) {
    return defaultValue;
  }
  return value;
}

CI detection from `src/envars.ts:528-543`:

export function isCI() {
  return (
    getEnvBool('CI') || getEnvBool('GITHUB_ACTIONS') || getEnvBool('TRAVIS') ||
    getEnvBool('CIRCLECI') || getEnvBool('JENKINS') || getEnvBool('GITLAB_CI') ||
    getEnvBool('APPVEYOR') || getEnvBool('CODEBUILD_BUILD_ID') ||
    getEnvBool('TF_BUILD') || getEnvBool('BITBUCKET_COMMIT') ||
    getEnvBool('BUDDY') || getEnvBool('BUILDKITE') || getEnvBool('TEAMCITY_VERSION')
  );
}

Common Errors

Error Message	Cause	Solution
`OPENAI_API_KEY is not set`	Missing API key for OpenAI	Set `OPENAI_API_KEY` in environment or `.env` file
`401 Unauthorized`	Invalid or expired API key	Verify the API key is correct and active
`403 Forbidden`	API key lacks required permissions	Check provider account permissions and billing
`ECONNREFUSED` with proxy settings	Proxy misconfiguration	Verify `HTTP_PROXY`/`HTTPS_PROXY` values; check `NO_PROXY`

Compatibility Notes

dotenv: Keys are loaded automatically from `.env` files via the `dotenv` package.
CLI Override: The `--env-file` flag can specify an alternative `.env` file.
Config Override: Keys set in `env:` block of promptfoo config take precedence over `process.env`.
Security: Never commit `.env` files. The logger auto-sanitizes API keys in debug output.
Proxy: Both uppercase and lowercase proxy variables are supported (e.g., `HTTP_PROXY` and `http_proxy`).

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.

Principle

Implementation

Heuristic

Environment