Skip to main content
Each registry provider is a JSON file in registry/ that conforms to the registry-provider.schema.json schema.

Top-level fields

FieldTypeRequiredDescription
providerstringyesUnique provider identifier (e.g. openai, stripe)
vaultSecretsobjectnoMaps canonical secret names to auth template placeholders
authobject/stringyesAuth strategy configuration
hostsstring[]yesAllowed upstream hosts
capabilitiesobject[]yesCapability definitions

vaultSecrets

Maps the secret names operators use with secrets create --name to template placeholders in the auth configuration. 
{
  "vaultSecrets": {
    "OPENAI_API_KEY": "secret"
  }
}
This means: when someone stores OPENAI_API_KEY, it maps to {{secret}} in the auth template. For multi-secret providers: 
{
  "vaultSecrets": {
    "TRELLO_API_KEY": "api_key",
    "TRELLO_TOKEN": "token"
  }
}

auth

The auth field supports these variants: 
{
  "auth": {
    "header": {
      "header_name": "authorization",
      "value_template": "Bearer {{secret}}"
    }
  }
}

query

{
  "auth": {
    "query": {
      "param_name": "key"
    }
  }
}

path

{
  "auth": {
    "path": {
      "prefix_template": "/bot{{secret}}"
    }
  }
}

multi_header

{
  "auth": {
    "multi_header": [
      { "header_name": "DD-API-KEY", "value_template": "{{api_key}}" },
      { "header_name": "DD-APPLICATION-KEY", "value_template": "{{app_key}}" }
    ]
  }
}

multi_query

{
  "auth": {
    "multi_query": [
      { "param_name": "key", "value_template": "{{api_key}}" },
      { "param_name": "token", "value_template": "{{token}}" }
    ]
  }
}

o_auth2

{
  "auth": {
    "o_auth2": {
      "grant_type": "refresh_token",
      "token_endpoint": "https://accounts.spotify.com/api/token",
      "scopes": ["playlist-read-private"]
    }
  }
}

aws_sig_v4

{
  "auth": {
    "aws_sig_v4": {
      "service": "bedrock-runtime",
      "region": "us-east-1"
    }
  }
}

hmac

{
  "auth": {
    "hmac": {
      "algorithm": "sha256",
      "header_name": "x-hub-signature-256",
      "value_template": "sha256={{signature}}"
    }
  }
}

basic / mtls

{ "auth": "basic" }
{ "auth": "mtls" }

hosts

Array of allowed upstream hostnames. Wildcards are supported for per-tenant providers: 
{ "hosts": ["api.openai.com"] }
{ "hosts": ["*.myshopify.com"] }

capabilities

Each capability defines:
FieldTypeRequiredDescription
idstringyesUnique capability ID (e.g. openai/chat-completions)
providerstringyesMust match the top-level provider
allow.hostsstring[]yesAllowed hosts (usually matches top-level hosts)
allow.methodsstring[]yesAllowed HTTP methods (e.g. ["POST", "GET"])
allow.pathPrefixesstring[]yesAllowed path prefixes (e.g. ["/v1/chat/completions"])
{
  "capabilities": [
    {
      "id": "openai/chat-completions",
      "provider": "openai",
      "allow": {
        "hosts": ["api.openai.com"],
        "methods": ["POST", "GET"],
        "pathPrefixes": ["/v1/chat/completions"]
      }
    }
  ]
}

Full example

{
  "$schema": "./schemas/registry-provider.schema.json",
  "provider": "openai",
  "vaultSecrets": {
    "OPENAI_API_KEY": "secret"
  },
  "auth": {
    "header": {
      "header_name": "authorization",
      "value_template": "Bearer {{secret}}"
    }
  },
  "hosts": ["api.openai.com"],
  "capabilities": [
    {
      "id": "openai/chat-completions",
      "provider": "openai",
      "allow": {
        "hosts": ["api.openai.com"],
        "methods": ["POST", "GET"],
        "pathPrefixes": ["/v1/chat/completions"]
      }
    },
    {
      "id": "openai/transcription",
      "provider": "openai",
      "allow": {
        "hosts": ["api.openai.com"],
        "methods": ["POST"],
        "pathPrefixes": ["/v1/audio/transcriptions"]
      }
    }
  ]
}
Next: Operations