API Key Usage Boundaries

nexus-agents routes tasks through multiple CLI tools. Each tool has its own authentication requirements and API key restrictions. Violating provider terms of service risks account suspension.

CLI Authentication Matrix

| CLI | API Key Source | Env Variable | Risk Level |
| --- | --- | --- | --- |
| Claude (claude CLI) | Anthropic subscription or API key | ANTHROPIC_API_KEY | Safe — this IS Claude Code |
| Gemini (gemini CLI) | Google AI API key | GOOGLE_AI_API_KEY | Safe — separate provider |
| Codex (codex CLI) | OpenAI API key | OPENAI_API_KEY | Safe — separate provider |
| OpenCode (opencode CLI) | Internal config file | ~/.config/opencode/opencode.json | Conditional — see below |

OpenCode API Key Boundary

Claude Code subscription API keys are restricted to use only within Claude Code itself. Using a Claude Code subscription key with any third-party tool (including OpenCode, direct API calls, or any non-Claude-Code application) violates Anthropic’s terms of service.

When OpenCode Is Safe

  • OpenCode uses its built-in free models (e.g., opencode/big-pickle)
  • OpenCode is configured with a separate Anthropic API key from console.anthropic.com (paid API tier)
  • OpenCode is configured with non-Anthropic providers only (OpenAI-compatible endpoints, Google, etc.)

When OpenCode Violates Terms

  • OpenCode is configured with an anthropic provider that uses the same API key from a Claude Code subscription
  • The opencode-custom-opus or opencode-custom-sonnet model IDs route through a custom/claude-* provider that uses a subscription key

Startup Warning

nexus-agents automatically detects and warns when OpenCode has Anthropic/Claude models configured:

WARN: OpenCode has Anthropic/Claude models configured.
      Ensure these use a SEPARATE API key from console.anthropic.com,
      NOT a Claude Code subscription key (which is restricted to Claude Code only).

This warning appears during adapter initialization when anthropic/ or custom/claude models are found in OpenCode’s available models list.
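
The check described above, as an added TypeScript example (not the project's own adapter code): it classifies a list of OpenCode model IDs by the two prefixes named here and returns the warning text when any match. The function name, report shape and sample model IDs are assumptions made for illustration.

```typescript
// Added example: advisory check over OpenCode's model list (not project code).
// The two prefixes are the ones this page names: "anthropic/" and "custom/claude".
const ANTHROPIC_ROUTED_PREFIXES = ["anthropic/", "custom/claude"];

interface BoundaryReport {
  flagged: string[];      // model IDs that route to Anthropic/Claude
  other: string[];        // everything else (free or non-Anthropic models)
  warning: string | null; // null when nothing needs attention
}

// Hypothetical helper: takes model IDs, one per entry, and classifies them.
function checkOpenCodeModels(models: string[]): BoundaryReport {
  const flagged: string[] = [];
  const other: string[] = [];
  for (const raw of models) {
    const id = raw.trim();
    if (id === "") continue; // skip blank lines from a listing
    const lower = id.toLowerCase();
    const hit = ANTHROPIC_ROUTED_PREFIXES.some((p) => lower.indexOf(p) === 0);
    const bucket = hit ? flagged : other;
    if (bucket.indexOf(id) === -1) bucket.push(id); // de-duplicate, keep order
  }
  // Key provenance is not visible from model IDs, so this can only warn.
  const warning =
    flagged.length === 0
      ? null
      : "WARN: OpenCode has Anthropic/Claude models configured.\n" +
        "      Ensure these use a SEPARATE API key from console.anthropic.com,\n" +
        "      NOT a Claude Code subscription key (which is restricted to Claude Code only).";
  return { flagged, other, warning };
}

// Constructed sample input (not output from a real installation).
const SAMPLE_MODELS = [
  "opencode/big-pickle",
  "anthropic/claude-sonnet",    // constructed ID
  "custom/claude-opus",         // constructed ID
  "google/gemini-pro",          // constructed ID
  "  anthropic/claude-sonnet ", // duplicate with stray whitespace
  "",
];

const sampleReport = checkOpenCodeModels(SAMPLE_MODELS);
```

A flagged model only tells you where to look: confirm in OpenCode's configuration that the Anthropic provider uses a key issued from console.anthropic.com.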

Safe Multi-Model Diversity

For consensus voting and multi-model orchestration, 4 CLIs (claude, gemini, codex, opencode) provide diversity:

| Strategy | CLIs Used | Sufficient For |
| --- | --- | --- |
| 3-CLI voting | claude + gemini + codex | Majority votes (2/3), supermajority (3/3) |
| 4-CLI voting | All 4 | Maximum diversity (requires proper OpenCode key setup) |
| Budget-conscious | claude + gemini | 2-model comparison |

# nexus-agents.yaml — safe multi-model setup
adapters:
  claude:
    # Uses ANTHROPIC_API_KEY from environment (subscription or API key)
    enabled: true
  gemini:
    # Uses GOOGLE_AI_API_KEY from environment
    enabled: true
  codex:
    # Uses OPENAI_API_KEY from environment
    enabled: true
  opencode:
    # Only enable if you have a SEPARATE Anthropic API key configured
    # OR are using non-Anthropic providers only
    enabled: false

Current behavior: cross-CLI warning (#1429)

The shipped behavior is advisory, not enforcing. When OpenCode is detected with an Anthropic/Claude provider configured, nexus-agents logs a warning (#1429, opencode-adapter.ts) so you notice that an Anthropic model could be routed through a non-Claude CLI. It does not refuse the route — the router does not block the request. Avoid the situation by following the safe-config example above.

Why there is no hard enforcement (see #3997)

The guardrail is intentionally advisory. nexus-agents does not refuse to route Anthropic models through non-Claude CLIs, and there is no NEXUS_ENFORCE_KEY_BOUNDARIES-style switch that would do so.

A blanket “refuse Anthropic → non-Claude CLI” rule would be wrong: CLIs like OpenCode legitimately route multi-vendor models, including Anthropic models backed by a separate paid API key from console.anthropic.com. Hard-blocking every cross-vendor route would break those valid configurations while doing nothing the warning above doesn’t already surface. The real concern — reusing a Claude Code subscription key outside Claude Code — is a key-provenance question the router can’t reliably distinguish from a legitimate paid-API key, so it warns and leaves the choice (and the terms-of-service responsibility) to you.

Hard enforcement was proposed in #3997 and closed as won’t-do for the reasons above. The advisory cross-CLI warning (#1429) is the actual shipped guardrail.