Authentication

When an executor runs a task, it has to authenticate with a language model provider (Anthropic, Google, OpenAI). Rebyte supports three authentication modes. The admin picks one per executor, and the executor uses exactly that mode — there’s no silent fallback between them.

The three modes

Mode	Who pays	Where tokens live	Who configures it
Credits	Org’s Rebyte credit balance	Rebyte model proxy (no user action)	Automatic
BYOK (API key)	Org pays the provider directly	One org-wide API key	Admin
OAuth	Each member’s own subscription (e.g., Claude Max, Google)	Per-user OAuth tokens	Each member binds once

Credits is the default. An admin can switch any executor to BYOK or OAuth in Settings → Integrations → Code Agents.

Credits mode

The executor routes LLM requests through the Rebyte model proxy. The proxy uses Rebyte’s provider credentials and bills your organization in credits.

• Works for every executor (Claude Code, Gemini CLI, Codex, Rebyte Code).
• No per-member setup — it just works.
• Models available depend on the executor — see the model table in Agent Harness.
• If the org runs out of credits, the task is blocked until more credits are added.

BYOK (Bring Your Own Key)

BYOK lets the organization route LLM requests directly to the provider using its own API key. Nothing touches the Rebyte model proxy; no credits are consumed.

• Available for Claude, Gemini, and Codex. (Rebyte Code is credits-only.)
• One API key per executor, shared by every member of the org.
• Admin adds the key once under Settings → Integrations → Code Agents; members don’t see this step.
• With BYOK, each executor is restricted to its native provider’s models — Claude to Anthropic, Codex to OpenAI, Gemini to Google. Models from other providers aren’t available until you switch back to Credits.

Requires an active Rebyte subscription; otherwise the executor falls back to Credits so the org isn’t left in a broken state.

OAuth mode

OAuth lets each member connect their own Claude or Google account. Traffic goes directly to the provider, authenticated with that member’s personal token. The cost is absorbed by the member’s own subscription (Claude Pro / Max / Team / Enterprise, or Google Cloud Code Assist).

• Available for Claude Code and Gemini CLI only. Codex doesn’t offer an equivalent OAuth flow.
• Each member binds once per account. Tokens are stored per-user in Rebyte and refreshed automatically.
• No org-wide key — if a member hasn’t connected, they cannot use that executor.
• No credits consumed. No fallback to Credits if a member is unbound — they get a clear “Connect your account” prompt and must bind before they can run the task.

Requires an active Rebyte subscription on the org.

Your subscription, the official binary

OAuth mode runs the official CLI binaries shipped by Anthropic and Google — the same claude and gemini commands you would install on your laptop. Rebyte doesn’t re-implement the inference call; the binary runs inside your Agent Computer, reads your OAuth tokens from ~/.claude/.credentials.json or ~/.gemini/oauth_creds.json, and talks to api.anthropic.com / generativelanguage.googleapis.com directly. We don’t see or intercept the traffic.

In other words: it’s exactly the same as you running claude or gemini on your own machine. Your subscription’s terms of service cover this usage the same way — it’s a legitimate use of the CLI against your own account, just with the CLI hosted in a cloud VM instead of your laptop. Rate limits, message caps, and billing all come from the provider’s normal subscription rules.

How to connect your account (OAuth)

When the admin switches an executor to OAuth, each member has to connect once. There are two places this can happen:

From the task input (recommended). Open the executor dropdown on any task. Unconnected OAuth executors show a small CONNECT badge next to the name. Click the entry and a dialog opens focused on that executor.

From the Connect Code Agent button. If you have no authenticated executors at all, the task input shows a Connect Code Agent button directly — same dialog.

In the dialog:

1. Click Connect next to the agent name.
2. A popup opens on claude.ai (for Claude) or accounts.google.com (for Gemini). Sign in and approve.
3. The provider shows a short authorization code. Copy it.
4. Paste the code back into the Rebyte dialog and click Complete.

Once connected, the agent is immediately usable. Tokens refresh automatically; you won’t be asked again unless you disconnect.

Who sees what

You are…	What you see when an executor needs OAuth
A member, haven’t bound yet	Executor appears in the dropdown with a CONNECT badge. Click → bind dialog.
A member, already bound	Executor appears normally and is selectable.
An admin	Same as above, plus the full Settings → Integrations → Code Agents page where you set the policy and manage the org’s BYOK API keys.

Admin-configured issues (missing API key, expired subscription) stay hidden from members, because only the admin can resolve them. Members only see things they can act on.

Switching between modes

The admin can change a policy at any time. Effects:

• Credits → OAuth / BYOK: members without credentials get a clear Connect your account prompt (OAuth) or the org needs an API key (BYOK). Existing credits balance is preserved.
• OAuth / BYOK → Credits: no member action needed; the next task uses credits immediately.
• OAuth ↔ BYOK: credentials from the other mode are not reused. Members re-bind (OAuth) or the admin re-enters the key (BYOK).

Policy changes take effect on the next task created; in-progress tasks finish on whatever mode they started with.

Disconnecting

To disconnect your OAuth account for an executor, open the same dialog (executor dropdown → the connected agent) and click Disconnect. The token is revoked and deleted from Rebyte. You can reconnect later.