To set up OpenCode with an API key, you typically authenticate a “provider” (the service that hosts the model you want to use) and then select a model in the OpenCode TUI. In practice, that means running OpenCode inside your project directory, using the built-in /connect flow (or the CLI equivalent), and pasting an API key when prompted. OpenCode stores provider credentials locally so you don’t have to re-enter them every time. The OpenCode docs also describe a dedicated CLI command (opencode auth login) that walks you through provider login and writes credentials to a local file, which is useful for scripting or headless setups.
A straightforward setup looks like this: open a terminal, cd into your repo, run opencode, then type /connect in the TUI. Pick the provider you want, follow the on-screen steps, and paste your key. After that, use /models to pick the model you want for this session (and optionally set a default model in your config file so you don’t have to reselect it every time). If you prefer not to use the interactive /connect dialog, you can run opencode auth login from your shell; the OpenCode CLI docs explain that it’s powered by the provider list from Models.dev and that it stores credentials in ~/.local/share/opencode/auth.json. Once credentials exist, OpenCode will load them on startup, and you can verify what’s configured with opencode auth list.
From a security and workflow standpoint, treat your OpenCode provider key like any other secret: don’t commit it to Git, don’t paste it into screenshots, and prefer environment variables or a local credentials store over hardcoding it in a project file. OpenCode supports configuration files that can be merged (global + project), so you can keep a global baseline (theme, defaults) and add project-specific settings (preferred model, local provider base URL) without duplicating everything. This becomes especially handy if you use OpenCode to build apps that talk to external infrastructure—like generating ingestion code for a vector database such as Milvus or Zilliz Cloud. In those projects you’ll often have multiple secrets (LLM provider key, database credentials), so it’s worth standardizing on .env + shell exports + “never commit secrets” checks early, before the repo grows.