Skip to main content

API Keys

API keys allow you to authenticate programmatic access to the Clove API without requiring interactive login. You can manage your keys from Settings > API Keys.

Key Limits

You can have a maximum of 2 active API keys at any time. The settings page shows your current count (e.g., "1 / 2 active keys"). You must disable or delete an existing key before creating a new one if you are at the limit.

Creating an API Key

  1. Go to Settings > API Keys.
  2. Click Create API Key.
  3. Enter a descriptive name for the key (e.g., "CI Pipeline", "Development").
  4. Select an expiration period:
    • 30 days
    • 60 days
    • 90 days (default)
    • 180 days
    • 365 days
  5. Click Create.

After creation, you will see both the API Key ID and the Secret Key. Copy buttons are provided for each.

warning

The secret key is only displayed once at creation time. Copy it immediately and store it in a secure location. You will not be able to view it again.

Managing API Keys

Your keys are displayed as cards showing:

  • Name — The label you gave the key.
  • API Key ID — The unique identifier (always visible).
  • Status — Current state of the key.
  • Created date — When the key was generated.
  • Expires date — When the key will automatically expire.
  • Last used — When the key was last used for authentication, or "Never used".

Key Statuses

StatusMeaning
ActiveThe key is valid and can be used for authentication.
SuspendedThe key has been manually disabled and cannot authenticate until re-enabled.
ExpiredThe key has passed its expiration date and can no longer be used.
CompromisedThe key has been flagged as compromised and is permanently disabled.

Actions

Click the menu icon on any key card to access available actions. The actions depend on the key's current status:

  • Active keys — You can Disable or Delete them.
  • Suspended keys — You can Enable or Delete them.
  • Expired or Compromised keys — You can only Delete them.

Disabling a Key

Disabling a key temporarily suspends it. The key still exists and can be re-enabled later. This is useful if you suspect a key may be compromised but want to investigate before permanently deleting it.

Enabling a Key

Re-enabling a suspended key restores it to active status so it can authenticate again.

Deleting a Key

Deleting a key permanently removes it. This action cannot be undone. You will be asked to confirm before the key is deleted.

Using Your API Key with Claude Code

You can use your Clove API key to connect Claude Code to your organization's Third Loop instance. This routes all Claude Code requests through Clove, so your organization's usage policies and audit logging apply.

note

This setup uses Claude Code in the terminal. The Claude Code VS Code extension does not currently support connecting via API key to a custom endpoint.

  1. Create an API key in Settings > API Keys and copy the API Key ID and Secret Key.

  2. Open a terminal and set the following environment variables. Pick the section that matches the shell you are using.

    Replace <api_domain> with your organization's Third Loop API domain (shown on the About page in your user settings), and fill in your actual key ID and secret key.

    macOS / Linux — Bash or Zsh

    export ANTHROPIC_BASE_URL="https://<api_domain>"
    export ANTHROPIC_API_KEY="<api_key_id>;<api_secret_key>"

    macOS / Linux — Fish

    set -x ANTHROPIC_BASE_URL "https://<api_domain>"
    set -x ANTHROPIC_API_KEY "<api_key_id>;<api_secret_key>"

    Windows — PowerShell

    $env:ANTHROPIC_BASE_URL = "https://<api_domain>"
    $env:ANTHROPIC_API_KEY  = "<api_key_id>;<api_secret_key>"

    Windows — Command Prompt (cmd.exe)

    set ANTHROPIC_BASE_URL=https://<api_domain>
    set ANTHROPIC_API_KEY=<api_key_id>;<api_secret_key>

  3. Run Claude Code:

    claude

That's it — Claude Code will now use your Clove instance.

Making the Environment Variables Permanent

The commands above only apply to the current terminal session. To set them automatically every time you open a new shell, use the option below for your shell.

Bash — append the export lines to ~/.bashrc (Linux) or ~/.bash_profile (macOS), then reload with source ~/.bashrc.

Zsh (default on macOS) — append the export lines to ~/.zshrc, then reload with source ~/.zshrc.

Fish — set the variables in your universal config so they persist across sessions:

set -Ux ANTHROPIC_BASE_URL "https://<api_domain>"
set -Ux ANTHROPIC_API_KEY "<api_key_id>;<api_secret_key>"

PowerShell — store the values in your user environment so every new PowerShell session picks them up:

[Environment]::SetEnvironmentVariable("ANTHROPIC_BASE_URL", "https://<api_domain>", "User")
[Environment]::SetEnvironmentVariable("ANTHROPIC_API_KEY",  "<api_key_id>;<api_secret_key>", "User")

Close and reopen PowerShell for the change to take effect.

Windows — Command Prompt — use setx to write the variables to your user environment:

setx ANTHROPIC_BASE_URL "https://<api_domain>"
setx ANTHROPIC_API_KEY "<api_key_id>;<api_secret_key>"

Close and reopen the Command Prompt for the change to take effect. (setx does not update the current session.)

You can also set them through the Windows GUI: Settings > System > About > Advanced system settings > Environment Variables.

warning

These environment variables contain your secret key. On shared machines, prefer setting them per-user (as shown above) rather than system-wide, and avoid committing shell config files that contain the secret to source control.

Using Your API Key with opencode

You can also use your Clove API key with opencode, an open-source terminal-based AI coding agent. Like the Claude Code setup above, this routes all requests through your organization's Third Loop instance.

  1. Create an API key in Settings > API Keys and copy the API Key ID and Secret Key.

  2. In the root of your project, create a file named opencode.json with the following contents, replacing <api_domain> with your organization's Third Loop API domain (shown on the About page in your user settings):

    {
      "$schema": "https://opencode.ai/config.json",
      "enabled_providers": ["thirdloop"],
      "model": "thirdloop/claude-sonnet-4-5-20250929",
      "provider": {
        "thirdloop": {
          "npm": "@ai-sdk/anthropic",
          "name": "Third Loop",
          "options": {
            "baseURL": "https://<api_domain>/v1",
            "apiKey": "{env:ANTHROPIC_API_KEY}",
            "headers": {
              "anthropic-version": "2023-06-01"
            }
          },
          "models": {
            "claude-sonnet-4-5-20250929": { "name": "Claude Sonnet 4.5" },
            "claude-opus-4-5-20251101":   { "name": "Claude Opus 4.5" }
          }
        }
      }
    }
    note

    The filename must be exactly opencode.json (no leading dot). opencode will silently ignore .opencode.json and fall back to its default providers.

    A few details worth noting:

    • The baseURL must end in /v1. opencode's Anthropic provider posts to /messages relative to this URL, and Third Loop's API expects the full /v1/messages path.
    • Model IDs are dated (e.g. claude-sonnet-4-5-20250929) — these are the exact upstream Anthropic model identifiers. The display name is what you'll see in the opencode model picker.
    • The enabled_providers allowlist locks opencode to your Third Loop provider only. If the configuration is wrong, opencode will fail loudly instead of silently falling back to Anthropic, OpenAI, or any other provider.

  3. Set the ANTHROPIC_API_KEY environment variable to your combined API Key ID and Secret Key, joined by a semicolon. If you already set this up for Claude Code (above), you can skip this step — opencode reads the same variable.

    macOS / Linux — Bash or Zsh

    export ANTHROPIC_API_KEY="<api_key_id>;<api_secret_key>"

    Windows — PowerShell

    $env:ANTHROPIC_API_KEY = "<api_key_id>;<api_secret_key>"

    See Making the Environment Variables Permanent above for how to persist this across terminal sessions in other shells (Fish, Command Prompt, etc.).

  4. Run opencode from your project root:

    opencode

    You can switch between configured models from within opencode using the model picker.

tip

Because the only secret in opencode.json is referenced via {env:ANTHROPIC_API_KEY} — not inlined — the file is safe to commit to source control. This lets your whole team share a single canonical configuration. Just don't replace the {env:...} placeholder with a real key.

Verifying opencode Is Routed Through Third Loop

After your first prompt, refresh Settings > API Keys. The Last used timestamp on your key should update to the current time. If it still shows "Never used," opencode isn't reaching Third Loop — double-check the filename, the environment variables, and that the baseURL has no extra spaces or typos.

Why Route AI Coding Tools Through Third Loop?

Running tools like Claude Code or opencode through your organization's Third Loop instance instead of directly through Anthropic gives you several advantages:

  • Privacy — Your prompts and code stay within your organization's managed environment. Third Loop does not use your data for model training, so sensitive code and proprietary information remain private.
  • Cost control — Usage is tracked and managed through your organization's Third Loop account. Administrators can monitor token consumption across the team from a single dashboard rather than managing individual Anthropic API subscriptions.
  • Access management — API keys are scoped to your organization and can be disabled or deleted at any time. If someone leaves the team or a key is compromised, access can be revoked immediately without affecting other users.
  • Audit logging — All requests are logged through your Third Loop instance, giving your organization visibility into how AI tools are being used across the team.
  • Consistency — Everyone on your team connects through the same endpoint with the same policies, ensuring a uniform experience and making it easier to enforce usage guidelines.
important

The export commands above only apply to your current terminal session. If you open a new terminal window, you will need to run them again. To make this permanent, add the export lines to your shell profile (~/.bashrc, ~/.zshrc, etc.) so they are set automatically each time you open a terminal.

Using Your API Key with OpenCode

You can use your Clove API key to connect OpenCode to your organization's Third Loop instance. This allows you to use OpenCode with your organization's managed AI environment.

  1. Create an API key in Settings > API Keys and copy the API Key ID and Secret Key.

  2. Set your API key as an environment variable:

Linux/macOS:

export ANTHROPIC_API_KEY="<api_key_id>;<api_secret_key>"

Windows (Command Prompt):

set ANTHROPIC_API_KEY=<api_key_id>;<api_secret_key>

Windows (PowerShell):

$env:ANTHROPIC_API_KEY="<api_key_id>;<api_secret_key>"

Replace <api_key_id> and <api_secret_key> with your actual key ID and secret key.

  1. Set up your configuration. You have two options:

Option A: Global configuration (recommended) — Configure OpenCode once to use Third Loop for all projects.

Create or update ~/.config/opencode/opencode.json (Linux/macOS) or %APPDATA%\opencode\opencode.json (Windows):

{
  "$schema": "https://opencode.ai/config.json",
  "enabled_providers": ["thirdloop"],
  "model": "thirdloop/claude-sonnet-4-5-20250929",
  "provider": {
    "thirdloop": {
      "npm": "@ai-sdk/anthropic",
      "name": "Third Loop",
      "options": {
        "baseURL": "https://<api_domain>/v1",
        "apiKey": "{env:ANTHROPIC_API_KEY}",
        "headers": {
          "anthropic-version": "2023-06-01"
        }
      },
      "models": {
        "claude-sonnet-4-5-20250929": { "name": "Claude Sonnet 4.5" },
        "claude-opus-4-5-20251101": { "name": "Claude Opus 4.5" }
      }
    }
  }
}

Option B: Per-project configuration — Configure OpenCode for a specific project only.

Your project structure will look like:

your-project/
├── opencode.json           # OpenCode configuration
└── ... (your project files)

If you choose per-project plugin setup (see step 4), you'll also need:

your-project/
├── opencode.json
├── .opencode/
│   └── plugins/
│       └── thirdloop-session.ts  # Session tracking plugin
└── ... (your project files)

Create or update your opencode.json configuration file in your project root:

{
  "$schema": "https://opencode.ai/config.json",
  "enabled_providers": ["thirdloop"],
  "model": "thirdloop/claude-sonnet-4-5-20250929",
  "provider": {
    "thirdloop": {
      "npm": "@ai-sdk/anthropic",
      "name": "Third Loop",
      "options": {
        "baseURL": "https://<api_domain>/v1",
        "apiKey": "{env:ANTHROPIC_API_KEY}",
        "headers": {
          "anthropic-version": "2023-06-01"
        }
      },
      "models": {
        "claude-sonnet-4-5-20250929": { "name": "Claude Sonnet 4.5" },
        "claude-opus-4-5-20251101": { "name": "Claude Opus 4.5" }
      }
    }
  }
}

Replace <api_domain> with your organization's Third Loop API domain (displayed in the About page in your user settings).

note

The models listed in the configuration examples may vary depending on your tenant. Contact Third Loop to verify which models are available to your organization.

  1. Create the session tracking plugin. You have two options:

Option A: Global setup (recommended) — Create the plugin once to apply it to all projects.

Linux/macOS:

mkdir -p ~/.config/opencode/plugins

Then create ~/.config/opencode/plugins/thirdloop-session.ts:

Windows:

mkdir %APPDATA%\opencode\plugins

Then create %APPDATA%\opencode\plugins\thirdloop-session.ts:

import { createHash } from "node:crypto"
import type { Plugin } from "@opencode-ai/plugin"

const toUuid = (sessionID: string): string => {
  const h = createHash("sha1").update(sessionID).digest("hex").slice(0, 32)
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`
}

export const ThirdLoopSession: Plugin = async () => ({
  "chat.headers": async (input, output) => {
    output.headers["x-claude-code-session-id"] = toUuid(input.sessionID)
  },
})

Option B: Per-project setup — Create the plugin at .opencode/plugins/thirdloop-session.ts in each project (use the same code as above).

This plugin ensures that OpenCode sessions are properly tracked in your Third Loop instance's audit logs.

  1. Run OpenCode in your project directory:
opencode
  1. Verify the connection: When OpenCode starts, you should see "Third Loop" displayed as the provider in your session. This confirms that all requests are being routed through your organization's Third Loop instance.
Data Privacy

Always verify that "Third Loop" is shown as the provider before starting work. If you see a different provider (like "Anthropic" or "OpenAI"), your requests are NOT going through Third Loop and may be sent to external services, potentially causing data leaks. Only proceed when you confirm "Third Loop" is the active provider.

OpenCode will now use your organization's Third Loop instance for all AI requests.

Custom Instructions with AGENTS.md

You can provide custom instructions to OpenCode to customize its behavior for your specific project or workflow. OpenCode reads instructions from AGENTS.md files, which work similarly to Cursor's rules files.

Project-Specific Instructions

Create an AGENTS.md file in your project root to provide project-specific guidance:

Example AGENTS.md:

# Third Loop Development Guidelines

## Project Context
This project uses Third Loop's API for AI model access. All code must route through 
our organization's Third Loop instance for compliance and audit logging.

## Code Standards
- Always verify the OpenCode provider shows "Third Loop" before starting work
- Use TypeScript with strict mode enabled
- Follow our internal security guidelines for handling API keys
- Test commands should use: `npm test`
- Build commands should use: `npm run build`

## Important Conventions
- API keys should never be committed to the repository
- All environment variables should be documented in .env.example
- Session tracking must be enabled for audit compliance

This file should be committed to your Git repository so the instructions are shared across your team.

Global Instructions

You can also create a global AGENTS.md file at ~/.config/opencode/AGENTS.md (Linux/macOS) or %APPDATA%\opencode\AGENTS.md (Windows) for personal preferences that apply to all your projects:

Example global AGENTS.md:

# My Personal OpenCode Preferences

## Communication Style
- Be concise and direct
- Always explain why you're making specific changes
- Ask before making destructive operations

## Third Loop
- I always use Third Loop for work projects
- Remind me if I'm not connected to Third Loop when working in ~/work/ directories

Using opencode.json for Instructions

You can also reference instruction files directly in your configuration:

Global config (~/.config/opencode/opencode.json):

{
  "$schema": "https://opencode.ai/config.json",
  "instructions": [
    "~/.config/opencode/third-loop-guidelines.md",
    "~/Documents/coding-standards.md"
  ]
}

Project config (opencode.json):

{
  "$schema": "https://opencode.ai/config.json",
  "instructions": [
    "CONTRIBUTING.md",
    "docs/development-guidelines.md",
    ".cursor/rules/*.md"
  ]
}

You can even reference remote URLs:

{
  "$schema": "https://opencode.ai/config.json",
  "instructions": [
    "https://raw.githubusercontent.com/your-org/standards/main/opencode-rules.md"
  ]
}

Initializing AGENTS.md

OpenCode can automatically generate an AGENTS.md file for your project by running:

/init

This command will scan your repository and create project-specific guidance including build commands, test commands, architecture notes, and conventions.

File Precedence

When OpenCode starts, it looks for instruction files in this order:

  1. Project files - AGENTS.md in your project directory (or parent directories)
  2. Global file - ~/.config/opencode/AGENTS.md
  3. Config-specified files - Files listed in the instructions field of your opencode.json

All matching instruction files are combined and provided to OpenCode as context.

For more details about custom instructions, see the OpenCode Rules documentation.

Persisting Environment Variables

Linux/macOS: The export command only applies to your current terminal session. To make this permanent, add the export line to your shell profile (~/.bashrc, ~/.zshrc, etc.) so it is set automatically each time you open a terminal.

Windows Command Prompt: The set command only applies to your current session. To make it permanent, use:

setx ANTHROPIC_API_KEY "<api_key_id>;<api_secret_key>"

Note: You'll need to restart your terminal after using setx.

Windows PowerShell: To make the variable permanent, add the $env:ANTHROPIC_API_KEY line to your PowerShell profile. Run notepad $PROFILE to edit it (create the file if it doesn't exist).

Best Practices

  • Name keys descriptively so you can identify their purpose later (e.g., "Production Backend", "Local Development").
  • Rotate keys regularly — Use shorter expiration periods for sensitive environments.
  • Disable before deleting — If you suspect a key is compromised, disable it first while you investigate.
  • Never share secret keys in code repositories, chat messages, or documentation.