refactor(auth): simplify inline API key provider logic and improve configuration consistency

- Replaced `SyncInlineAPIKeys` with `MakeInlineAPIKeyProvider` for better clarity and reduced redundancy. - Removed legacy logic for inline API key syncing and migration. - Enhanced provider synchronization logic to handle empty states consistently. - Added normalization to API key handling across configurations. - Updated handlers to reflect streamlined provider update logic.
feat(auth): normalize OpenAI compatibility entries and enhance proxy configuration
2026-02-07 15:00:52 +08:00 · 2025-10-01 00:55:09 +08:00 · 2025-09-30 23:36:22 +08:00 · 2025-09-30 20:47:29 +08:00 · 2025-09-30 12:21:51 +08:00 · 2025-09-30 12:21:51 +08:00
98 changed files with 5374 additions and 1303 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -10,5 +10,7 @@ auths/*
 .serena/*
 AGENTS.md
 CLAUDE.md
+GEMINI.md
 *.exe
-temp/*
+temp/*
+cli-proxy-api
--- a/MANAGEMENT_API.md
+++ b/MANAGEMENT_API.md
@@ -95,7 +95,7 @@ If a plaintext key is detected in the config at startup, it will be bcrypt‑has
      ```
    - Response:
      ```json
-      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01", "AI...02", "AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api"},{"api-key":"sk-...q2","base-url":"https://example.com"}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1"}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk...01"],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-keys":["sk...7e"],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}],"allow-localhost-unauthenticated":true}
+      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01","AI...02","AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api","proxy-url":"socks5://proxy.example.com:1080"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api","proxy-url":""},{"api-key":"sk-...q2","base-url":"https://example.com","proxy-url":""}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1","proxy-url":""}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk...01","proxy-url":""}],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-key-entries":[{"api-key":"sk...7e","proxy-url":"socks5://proxy.example.com:1080"}],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}]}
      ```

 ### Debug
@@ -335,14 +335,14 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
      ```
    - Response:
      ```json
-      { "codex-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
+      { "codex-api-key": [ { "api-key": "sk-a", "base-url": "", "proxy-url": "" } ] }
      ```
 - PUT `/codex-api-key` — Replace the list
    - Request:
      ```bash
      curl -X PUT -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-        -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
+        -d '[{"api-key":"sk-a","proxy-url":"socks5://proxy.example.com:1080"},{"api-key":"sk-b","base-url":"https://c.example.com","proxy-url":""}]' \
        http://localhost:8317/v0/management/codex-api-key
      ```
    - Response:
@@ -354,14 +354,14 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
      ```bash
      curl -X PATCH -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
+        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com","proxy-url":""}}' \
        http://localhost:8317/v0/management/codex-api-key
      ```
    - Request (by match):
      ```bash
      curl -X PATCH -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
+        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":"","proxy-url":"socks5://proxy.example.com:1080"}}' \
        http://localhost:8317/v0/management/codex-api-key
      ```
    - Response:
@@ -428,47 +428,24 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
    { "status": "ok" }
    ```

-### Allow Localhost Unauthenticated
- GET `/allow-localhost-unauthenticated` — Get boolean
-  - Request:
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - Response:
-    ```json
-    { "allow-localhost-unauthenticated": false }
-    ```
- PUT/PATCH `/allow-localhost-unauthenticated` — Set boolean
-  - Request:
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"value":true}' \
-      http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - Response:
-    ```json
-    { "status": "ok" }
-    ```
-
 ### Claude API KEY (object array)
 - GET `/claude-api-key` — List all
-  - Request:
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/claude-api-key
-    ```
-  - Response:
-    ```json
-    { "claude-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
-    ```
+    - Request:
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/claude-api-key
+      ```
+    - Response:
+      ```json
+      { "claude-api-key": [ { "api-key": "sk-a", "base-url": "", "proxy-url": "" } ] }
+      ```
 - PUT `/claude-api-key` — Replace the list
-  - Request:
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
-      http://localhost:8317/v0/management/claude-api-key
-    ```
+    - Request:
+      ```bash
+      curl -X PUT -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '[{"api-key":"sk-a","proxy-url":"socks5://proxy.example.com:1080"},{"api-key":"sk-b","base-url":"https://c.example.com","proxy-url":""}]' \
+        http://localhost:8317/v0/management/claude-api-key
+      ```
  - Response:
    ```json
    { "status": "ok" }
@@ -478,16 +455,16 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
-      http://localhost:8317/v0/management/claude-api-key
-    ```
+        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com","proxy-url":""}}' \
+        http://localhost:8317/v0/management/claude-api-key
+      ```
  - Request (by match):
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
-      http://localhost:8317/v0/management/claude-api-key
-    ```
+        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":"","proxy-url":"socks5://proxy.example.com:1080"}}' \
+        http://localhost:8317/v0/management/claude-api-key
+      ```
  - Response:
    ```json
    { "status": "ok" }
@@ -514,14 +491,14 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
    ```
  - Response:
    ```json
-    { "openai-compatibility": [ { "name": "openrouter", "base-url": "https://openrouter.ai/api/v1", "api-keys": [], "models": [] } ] }
+    { "openai-compatibility": [ { "name": "openrouter", "base-url": "https://openrouter.ai/api/v1", "api-key-entries": [ { "api-key": "sk", "proxy-url": "" } ], "models": [] } ] }
    ```
 - PUT `/openai-compatibility` — Replace the list
  - Request:
    ```bash
    curl -X PUT -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk"],"models":[{"name":"m","alias":"a"}]}]' \
+      -d '[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk","proxy-url":""}],"models":[{"name":"m","alias":"a"}]}]' \
      http://localhost:8317/v0/management/openai-compatibility
    ```
  - Response:
@@ -533,20 +510,23 @@ These endpoints update the inline `config-api-key` provider inside the `auth.pro
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"name":"openrouter","value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
+      -d '{"name":"openrouter","value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk","proxy-url":""}],"models":[]}}' \
      http://localhost:8317/v0/management/openai-compatibility
    ```
  - Request (by index):
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"index":0,"value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
+      -d '{"index":0,"value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk","proxy-url":""}],"models":[]}}' \
      http://localhost:8317/v0/management/openai-compatibility
    ```
  - Response:
    ```json
    { "status": "ok" }
    ```
+
+  - Notes:
+    - Legacy `api-keys` input remains accepted; keys are migrated into `api-key-entries` automatically so the legacy field will eventually remain empty in responses.
 - DELETE `/openai-compatibility` — Delete (`?name=` or `?index=`)
  - Request (by name):
    ```bash
@@ -664,7 +644,7 @@ These endpoints initiate provider login flows and return a URL to open in a brow
    ```bash
    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
      -H 'Content-Type: application/json' \
-      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>"}' \
+      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>", "label": "<LABEL>"}' \
      http://localhost:8317/v0/management/gemini-web-token
    ```
  - Response:
--- a/MANAGEMENT_API_CN.md
+++ b/MANAGEMENT_API_CN.md
@@ -95,7 +95,7 @@
      ```
    - 响应:
      ```json
-      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01", "AI...02", "AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api"},{"api-key":"sk-...q2","base-url":"https://example.com"}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1"}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk...01"],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-keys":["sk...7e"],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}],"allow-localhost-unauthenticated":true}
+      {"debug":true,"proxy-url":"","api-keys":["1...5","JS...W"],"quota-exceeded":{"switch-project":true,"switch-preview-model":true},"generative-language-api-key":["AI...01","AI...02","AI...03"],"request-log":true,"request-retry":3,"claude-api-key":[{"api-key":"cr...56","base-url":"https://example.com/api","proxy-url":"socks5://proxy.example.com:1080"},{"api-key":"cr...e3","base-url":"http://example.com:3000/api","proxy-url":""},{"api-key":"sk-...q2","base-url":"https://example.com","proxy-url":""}],"codex-api-key":[{"api-key":"sk...01","base-url":"https://example/v1","proxy-url":""}],"openai-compatibility":[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk...01","proxy-url":""}],"models":[{"name":"moonshotai/kimi-k2:free","alias":"kimi-k2"}]},{"name":"iflow","base-url":"https://apis.iflow.cn/v1","api-key-entries":[{"api-key":"sk...7e","proxy-url":"socks5://proxy.example.com:1080"}],"models":[{"name":"deepseek-v3.1","alias":"deepseek-v3.1"},{"name":"glm-4.5","alias":"glm-4.5"},{"name":"kimi-k2","alias":"kimi-k2"}]}]}
      ```

 ### Debug
@@ -335,14 +335,14 @@
      ```
    - 响应：
      ```json
-      { "codex-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
+      { "codex-api-key": [ { "api-key": "sk-a", "base-url": "", "proxy-url": "" } ] }
      ```
 - PUT `/codex-api-key` — 完整改写列表
    - 请求：
      ```bash
      curl -X PUT -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-        -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
+        -d '[{"api-key":"sk-a","proxy-url":"socks5://proxy.example.com:1080"},{"api-key":"sk-b","base-url":"https://c.example.com","proxy-url":""}]' \
        http://localhost:8317/v0/management/codex-api-key
      ```
    - 响应：
@@ -354,14 +354,14 @@
      ```bash
      curl -X PATCH -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
+        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com","proxy-url":""}}' \
        http://localhost:8317/v0/management/codex-api-key
      ```
    - 请求（按匹配）：
      ```bash
      curl -X PATCH -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
+        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":"","proxy-url":"socks5://proxy.example.com:1080"}}' \
        http://localhost:8317/v0/management/codex-api-key
      ```
    - 响应：
@@ -428,47 +428,24 @@
    { "status": "ok" }
    ```

-### 允许本地未认证访问
- GET `/allow-localhost-unauthenticated` — 获取布尔值
-  - 请求：
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - 响应：
-    ```json
-    { "allow-localhost-unauthenticated": false }
-    ```
- PUT/PATCH `/allow-localhost-unauthenticated` — 设置布尔值
-  - 请求：
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"value":true}' \
-      http://localhost:8317/v0/management/allow-localhost-unauthenticated
-    ```
-  - 响应：
-    ```json
-    { "status": "ok" }
-    ```
-
 ### Claude API KEY（对象数组）
 - GET `/claude-api-key` — 列出全部
-  - 请求：
-    ```bash
-    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/claude-api-key
-    ```
-  - 响应：
-    ```json
-    { "claude-api-key": [ { "api-key": "sk-a", "base-url": "" } ] }
-    ```
+    - 请求：
+      ```bash
+      curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' http://localhost:8317/v0/management/claude-api-key
+      ```
+    - 响应：
+      ```json
+      { "claude-api-key": [ { "api-key": "sk-a", "base-url": "", "proxy-url": "" } ] }
+      ```
 - PUT `/claude-api-key` — 完整改写列表
-  - 请求：
-    ```bash
-    curl -X PUT -H 'Content-Type: application/json' \
-    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '[{"api-key":"sk-a"},{"api-key":"sk-b","base-url":"https://c.example.com"}]' \
-      http://localhost:8317/v0/management/claude-api-key
-    ```
+    - 请求：
+      ```bash
+      curl -X PUT -H 'Content-Type: application/json' \
+      -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+        -d '[{"api-key":"sk-a","proxy-url":"socks5://proxy.example.com:1080"},{"api-key":"sk-b","base-url":"https://c.example.com","proxy-url":""}]' \
+        http://localhost:8317/v0/management/claude-api-key
+      ```
  - 响应：
    ```json
    { "status": "ok" }
@@ -478,16 +455,16 @@
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com"}}' \
-      http://localhost:8317/v0/management/claude-api-key
-    ```
+        -d '{"index":1,"value":{"api-key":"sk-b2","base-url":"https://c.example.com","proxy-url":""}}' \
+        http://localhost:8317/v0/management/claude-api-key
+      ```
  - 请求（按匹配）：
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":""}}' \
-      http://localhost:8317/v0/management/claude-api-key
-    ```
+        -d '{"match":"sk-a","value":{"api-key":"sk-a","base-url":"","proxy-url":"socks5://proxy.example.com:1080"}}' \
+        http://localhost:8317/v0/management/claude-api-key
+      ```
  - 响应：
    ```json
    { "status": "ok" }
@@ -514,14 +491,14 @@
    ```
  - 响应：
    ```json
-    { "openai-compatibility": [ { "name": "openrouter", "base-url": "https://openrouter.ai/api/v1", "api-keys": [], "models": [] } ] }
+    { "openai-compatibility": [ { "name": "openrouter", "base-url": "https://openrouter.ai/api/v1", "api-key-entries": [ { "api-key": "sk", "proxy-url": "" } ], "models": [] } ] }
    ```
 - PUT `/openai-compatibility` — 完整改写列表
  - 请求：
    ```bash
    curl -X PUT -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":["sk"],"models":[{"name":"m","alias":"a"}]}]' \
+      -d '[{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk","proxy-url":""}],"models":[{"name":"m","alias":"a"}]}]' \
      http://localhost:8317/v0/management/openai-compatibility
    ```
  - 响应：
@@ -533,20 +510,23 @@
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"name":"openrouter","value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
+      -d '{"name":"openrouter","value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk","proxy-url":""}],"models":[]}}' \
      http://localhost:8317/v0/management/openai-compatibility
    ```
  - 请求（按索引）：
    ```bash
    curl -X PATCH -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
-      -d '{"index":0,"value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-keys":[],"models":[]}}' \
+      -d '{"index":0,"value":{"name":"openrouter","base-url":"https://openrouter.ai/api/v1","api-key-entries":[{"api-key":"sk","proxy-url":""}],"models":[]}}' \
      http://localhost:8317/v0/management/openai-compatibility
    ```
  - 响应：
    ```json
    { "status": "ok" }
    ```
+
+  - 说明：
+    - 仍可提交遗留的 `api-keys` 字段，但所有密钥会自动迁移到 `api-key-entries` 中，返回结果中的 `api-keys` 会逐步留空。
 - DELETE `/openai-compatibility` — 删除（`?name=` 或 `?index=`）
  - 请求（按名称）：
    ```bash
@@ -664,7 +644,7 @@
    ```bash
    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
      -H 'Content-Type: application/json' \
-      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>"}' \
+      -d '{"secure_1psid": "<__Secure-1PSID>", "secure_1psidts": "<__Secure-1PSIDTS>", "label": "<LABEL>"}' \
      http://localhost:8317/v0/management/gemini-web-token
    ```
  - 响应：
--- a/README.md
+++ b/README.md
@@ -62,6 +62,16 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw

 ## Usage

+### GUI Client & Official WebUI
+
+#### [EasyCLI](https://github.com/router-for-me/EasyCLI)
+
+A cross-platform desktop GUI client for CLIProxyAPI. 
+
+#### [Cli-Proxy-API-Management-Center](https://github.com/router-for-me/Cli-Proxy-API-Management-Center)
+
+A web-based management center for CLIProxyAPI.  
+
 ### Authentication

 You can authenticate for Gemini, OpenAI, and/or Claude. All can coexist in the same `auth-dir` and will be load balanced.
@@ -242,6 +252,7 @@ console.log(await claudeResponse.json());
 - claude-opus-4-1-20250805
 - claude-opus-4-20250514
 - claude-sonnet-4-20250514
+- claude-sonnet-4-5-20250929
 - claude-3-7-sonnet-20250219
 - claude-3-5-haiku-20241022
 - qwen3-coder-plus
@@ -270,26 +281,28 @@ The server uses a YAML configuration file (`config.yaml`) located in the project
 | `quota-exceeded.switch-project`         | boolean  | true               | Whether to automatically switch to another project when a quota is exceeded.                                                                                                              |
 | `quota-exceeded.switch-preview-model`   | boolean  | true               | Whether to automatically switch to a preview model when a quota is exceeded.                                                                                                              |
 | `debug`                                 | boolean  | false              | Enable debug mode for verbose logging.                                                                                                                                                    |
-| `auth`                                  | object   | {}                 | Request authentication configuration.                                                                                                                                                     |
-| `auth.providers`                        | object[] | []                 | Authentication providers. Includes built-in `config-api-key` for inline keys.                                                                                                             |
-| `auth.providers.*.name`                 | string   | ""                 | Provider instance name.                                                                                                                                                                   |
-| `auth.providers.*.type`                 | string   | ""                 | Provider implementation identifier (for example `config-api-key`).                                                                                                                        |
-| `auth.providers.*.api-keys`             | string[] | []                 | Inline API keys consumed by the `config-api-key` provider.                                                                                                                                |
+| `logging-to-file`                       | boolean  | true               | Write application logs to rotating files instead of stdout. Set to `false` to log to stdout/stderr.                                                                                      |
+| `usage-statistics-enabled`              | boolean  | true               | Enable in-memory usage aggregation for management APIs. Disable to drop all collected usage metrics.                                                                                    |
 | `api-keys`                              | string[] | []                 | Legacy shorthand for inline API keys. Values are mirrored into the `config-api-key` provider for backwards compatibility.                                                                 |
 | `generative-language-api-key`           | string[] | []                 | List of Generative Language API keys.                                                                                                                                                     |
-| `codex-api-key`                         | object   | {}                 | List of Codex API keys.                                                                                                                                                                   |
-| `codex-api-key.api-key`                 | string   | ""                 | Codex API key.                                                                                                                                                                            |
-| `codex-api-key.base-url`                | string   | ""                 | Custom Codex API endpoint, if you use a third-party API endpoint.                                                                                                                         |
-| `claude-api-key`                        | object   | {}                 | List of Claude API keys.                                                                                                                                                                  |
-| `claude-api-key.api-key`                | string   | ""                 | Claude API key.                                                                                                                                                                           |
-| `claude-api-key.base-url`               | string   | ""                 | Custom Claude API endpoint, if you use a third-party API endpoint.                                                                                                                        |
-| `openai-compatibility`                  | object[] | []                 | Upstream OpenAI-compatible providers configuration (name, base-url, api-keys, models).                                                                                                    |
-| `openai-compatibility.*.name`           | string   | ""                 | The name of the provider. It will be used in the user agent and other places.                                                                                                             |
-| `openai-compatibility.*.base-url`       | string   | ""                 | The base URL of the provider.                                                                                                                                                             |
-| `openai-compatibility.*.api-keys`       | string[] | []                 | The API keys for the provider. Add multiple keys if needed. Omit if unauthenticated access is allowed.                                                                                    |
-| `openai-compatibility.*.models`         | object[] | []                 | The actual model name.                                                                                                                                                                    |
-| `openai-compatibility.*.models.*.name`  | string   | ""                 | The models supported by the provider.                                                                                                                                                     |
-| `openai-compatibility.*.models.*.alias` | string   | ""                 | The alias used in the API.                                                                                                                                                                |
+| `codex-api-key`                                    | object   | {}                 | List of Codex API keys.                                                                                                                                                                   |
+| `codex-api-key.api-key`                            | string   | ""                 | Codex API key.                                                                                                                                                                            |
+| `codex-api-key.base-url`                           | string   | ""                 | Custom Codex API endpoint, if you use a third-party API endpoint.                                                                                                                         |
+| `codex-api-key.proxy-url`                          | string   | ""                 | Proxy URL for this specific API key. Overrides the global proxy-url setting. Supports socks5/http/https protocols.                                                                        |
+| `claude-api-key`                                   | object   | {}                 | List of Claude API keys.                                                                                                                                                                  |
+| `claude-api-key.api-key`                           | string   | ""                 | Claude API key.                                                                                                                                                                           |
+| `claude-api-key.base-url`                          | string   | ""                 | Custom Claude API endpoint, if you use a third-party API endpoint.                                                                                                                        |
+| `claude-api-key.proxy-url`                         | string   | ""                 | Proxy URL for this specific API key. Overrides the global proxy-url setting. Supports socks5/http/https protocols.                                                                        |
+| `openai-compatibility`                             | object[] | []                 | Upstream OpenAI-compatible providers configuration (name, base-url, api-keys, models).                                                                                                    |
+| `openai-compatibility.*.name`                      | string   | ""                 | The name of the provider. It will be used in the user agent and other places.                                                                                                             |
+| `openai-compatibility.*.base-url`                  | string   | ""                 | The base URL of the provider.                                                                                                                                                             |
+| `openai-compatibility.*.api-keys`                  | string[] | []                 | (Deprecated) The API keys for the provider. Use api-key-entries instead for per-key proxy support.                                                                                        |
+| `openai-compatibility.*.api-key-entries`           | object[] | []                 | API key entries with optional per-key proxy configuration. Preferred over api-keys.                                                                                                        |
+| `openai-compatibility.*.api-key-entries.*.api-key` | string   | ""                 | The API key for this entry.                                                                                                                                                               |
+| `openai-compatibility.*.api-key-entries.*.proxy-url` | string | ""                 | Proxy URL for this specific API key. Overrides the global proxy-url setting. Supports socks5/http/https protocols.                                                                      |
+| `openai-compatibility.*.models`                    | object[] | []                 | The actual model name.                                                                                                                                                                    |
+| `openai-compatibility.*.models.*.name`             | string   | ""                 | The models supported by the provider.                                                                                                                                                     |
+| `openai-compatibility.*.models.*.alias`            | string   | ""                 | The alias used in the API.                                                                                                                                                                |
 | `gemini-web`                            | object   | {}                 | Configuration specific to the Gemini Web client.                                                                                                                                          |
 | `gemini-web.context`                    | boolean  | true               | Enables conversation context reuse for continuous dialogue.                                                                                                                               |
 | `gemini-web.code-mode`                  | boolean  | false              | Enables code mode for optimized responses in coding-related tasks.                                                                                                                        |
@@ -319,6 +332,12 @@ auth-dir: "~/.cli-proxy-api"
 # Enable debug logging
 debug: false

+# When true, write application logs to rotating files instead of stdout
+logging-to-file: true
+
+# When false, disable in-memory usage statistics aggregation
+usage-statistics-enabled: true
+
 # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""

@@ -336,15 +355,6 @@ gemini-web:
  code-mode: false # Enable code mode
  max-chars-per-request: 1000000 # Max characters per request

-# Request authentication providers
-auth:
-  providers:
-    - name: "default"
-      type: "config-api-key"
-      api-keys:
-        - "your-api-key-1"
-        - "your-api-key-2"
-
 # API keys for official Generative Language API
 generative-language-api-key:
  - "AIzaSy...01"
@@ -356,20 +366,28 @@ generative-language-api-key:
 codex-api-key:
  - api-key: "sk-atSM..."
    base-url: "https://www.example.com" # use the custom codex API endpoint
-  
+    proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
+
 # Claude API keys
 claude-api-key:
  - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
  - api-key: "sk-atSM..."
    base-url: "https://www.example.com" # use the custom claude API endpoint
+    proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override

 # OpenAI compatibility providers
 openai-compatibility:
  - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
    base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
-    api-keys: # The API keys for the provider. Add multiple keys if needed. Omit if unauthenticated access is allowed.
-      - "sk-or-v1-...b780"
-      - "sk-or-v1-...b781"
+    # New format with per-key proxy support (recommended):
+    api-key-entries:
+      - api-key: "sk-or-v1-...b780"
+        proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
+      - api-key: "sk-or-v1-...b781" # without proxy-url
+    # Legacy format (still supported, but cannot specify proxy per key):
+    # api-keys:
+    #   - "sk-or-v1-...b780"
+    #   - "sk-or-v1-...b781"
    models: # The models supported by the provider.
      - name: "moonshotai/kimi-k2:free" # The actual model name.
        alias: "kimi-k2" # The alias used in the API.
@@ -381,10 +399,26 @@ Configure upstream OpenAI-compatible providers (e.g., OpenRouter) via `openai-co

 - name: provider identifier used internally
 - base-url: provider base URL
- api-keys: optional list of API keys (omit if provider allows unauthenticated requests)
+- api-key-entries: list of API key entries with optional per-key proxy configuration (recommended)
+- api-keys: (deprecated) simple list of API keys without proxy support
 - models: list of mappings from upstream model `name` to local `alias`

-Example:
+Example with per-key proxy support:
+
+```yaml
+openai-compatibility:
+  - name: "openrouter"
+    base-url: "https://openrouter.ai/api/v1"
+    api-key-entries:
+      - api-key: "sk-or-v1-...b780"
+        proxy-url: "socks5://proxy.example.com:1080"
+      - api-key: "sk-or-v1-...b781"
+    models:
+      - name: "moonshotai/kimi-k2:free"
+        alias: "kimi-k2"
+```
+
+Legacy format (still supported):

 ```yaml
 openai-compatibility:
@@ -626,8 +660,11 @@ see [MANAGEMENT_API.md](MANAGEMENT_API.md)

 ## SDK Docs

- Usage: `docs/sdk-usage.md` (中文: `docs/sdk-usage_CN.md`)
- Advanced (executors & translators): `docs/sdk-advanced.md` (中文: `docs/sdk-advanced_CN.md`)
+- Usage: [docs/sdk-usage.md](docs/sdk-usage.md)
+- Advanced (executors & translators): [docs/sdk-advanced.md](docs/sdk-advanced.md)
+- Access: [docs/sdk-access.md](docs/sdk-access.md)
+- Watcher: [docs/sdk-watcher.md](docs/sdk-watcher.md)
+- Custom Provider Example: `examples/custom-provider`

 ## Contributing

--- a/README_CN.md
+++ b/README_CN.md
@@ -75,6 +75,16 @@

 ## 使用方法

+### 图形客户端与官方 WebUI
+
+#### [EasyCLI](https://github.com/router-for-me/EasyCLI)
+
+CLIProxyAPI 的跨平台桌面图形客户端。
+
+#### [Cli-Proxy-API-Management-Center](https://github.com/router-for-me/Cli-Proxy-API-Management-Center)
+
+CLIProxyAPI 的基于 Web 的管理中心。
+
 ### 身份验证

 您可以分别为 Gemini、OpenAI 和 Claude 进行身份验证，三者可同时存在于同一个 `auth-dir` 中并参与负载均衡。
@@ -254,6 +264,7 @@ console.log(await claudeResponse.json());
 - claude-opus-4-1-20250805
 - claude-opus-4-20250514
 - claude-sonnet-4-20250514
+- claude-sonnet-4-5-20250929
 - claude-3-7-sonnet-20250219
 - claude-3-5-haiku-20241022
 - qwen3-coder-plus
@@ -282,26 +293,28 @@ console.log(await claudeResponse.json());
 | `quota-exceeded.switch-project`         | boolean  | true               | 当配额超限时，是否自动切换到另一个项目。                                                |
 | `quota-exceeded.switch-preview-model`   | boolean  | true               | 当配额超限时，是否自动切换到预览模型。                                                 |
 | `debug`                                 | boolean  | false              | 启用调试模式以获取详细日志。                                                      |
-| `auth`                                  | object   | {}                 | 请求鉴权配置。                                                                  |
-| `auth.providers`                        | object[] | []                 | 鉴权提供方列表，内置 `config-api-key` 支持内联密钥。                             |
-| `auth.providers.*.name`                 | string   | ""                 | 提供方实例名称。                                                                |
-| `auth.providers.*.type`                 | string   | ""                 | 提供方实现标识（例如 `config-api-key`）。                                       |
-| `auth.providers.*.api-keys`             | string[] | []                 | `config-api-key` 提供方使用的内联密钥。                                          |
+| `logging-to-file`                       | boolean  | true               | 是否将应用日志写入滚动文件；设为 false 时输出到 stdout/stderr。                           |
+| `usage-statistics-enabled`              | boolean  | true               | 是否启用内存中的使用统计；设为 false 时直接丢弃所有统计数据。                               |
 | `api-keys`                              | string[] | []                 | 兼容旧配置的简写，会自动同步到默认 `config-api-key` 提供方。                     |
 | `generative-language-api-key`           | string[] | []                 | 生成式语言API密钥列表。                                                       |
-| `codex-api-key`                         | object   | {}                 | Codex API密钥列表。                                                      |
-| `codex-api-key.api-key`                 | string   | ""                 | Codex API密钥。                                                        |
-| `codex-api-key.base-url`                | string   | ""                 | 自定义的Codex API端点                                                     |
-| `claude-api-key`                        | object   | {}                 | Claude API密钥列表。                                                     |
-| `claude-api-key.api-key`                | string   | ""                 | Claude API密钥。                                                       |
-| `claude-api-key.base-url`               | string   | ""                 | 自定义的Claude API端点，如果您使用第三方的API端点。                                    |
-| `openai-compatibility`                  | object[] | []                 | 上游OpenAI兼容提供商的配置（名称、基础URL、API密钥、模型）。                                |
-| `openai-compatibility.*.name`           | string   | ""                 | 提供商的名称。它将被用于用户代理（User Agent）和其他地方。                                  |
-| `openai-compatibility.*.base-url`       | string   | ""                 | 提供商的基础URL。                                                          |
-| `openai-compatibility.*.api-keys`       | string[] | []                 | 提供商的API密钥。如果需要，可以添加多个密钥。如果允许未经身份验证的访问，则可以省略。                        |
-| `openai-compatibility.*.models`         | object[] | []                 | 实际的模型名称。                                                            |
-| `openai-compatibility.*.models.*.name`  | string   | ""                 | 提供商支持的模型。                                                           |
-| `openai-compatibility.*.models.*.alias` | string   | ""                 | 在API中使用的别名。                                                         |
+| `codex-api-key`                                       | object   | {}                 | Codex API密钥列表。                                                      |
+| `codex-api-key.api-key`                               | string   | ""                 | Codex API密钥。                                                        |
+| `codex-api-key.base-url`                              | string   | ""                 | 自定义的Codex API端点                                                     |
+| `codex-api-key.proxy-url`                             | string   | ""                 | 针对该API密钥的代理URL。会覆盖全局proxy-url设置。支持socks5/http/https协议。                 |
+| `claude-api-key`                                      | object   | {}                 | Claude API密钥列表。                                                     |
+| `claude-api-key.api-key`                              | string   | ""                 | Claude API密钥。                                                       |
+| `claude-api-key.base-url`                             | string   | ""                 | 自定义的Claude API端点，如果您使用第三方的API端点。                                    |
+| `claude-api-key.proxy-url`                            | string   | ""                 | 针对该API密钥的代理URL。会覆盖全局proxy-url设置。支持socks5/http/https协议。                 |
+| `openai-compatibility`                                | object[] | []                 | 上游OpenAI兼容提供商的配置（名称、基础URL、API密钥、模型）。                                |
+| `openai-compatibility.*.name`                         | string   | ""                 | 提供商的名称。它将被用于用户代理（User Agent）和其他地方。                                  |
+| `openai-compatibility.*.base-url`                     | string   | ""                 | 提供商的基础URL。                                                          |
+| `openai-compatibility.*.api-keys`                     | string[] | []                 | (已弃用) 提供商的API密钥。建议改用api-key-entries以获得每密钥代理支持。                       |
+| `openai-compatibility.*.api-key-entries`              | object[] | []                 | API密钥条目，支持可选的每密钥代理配置。优先于api-keys。                                   |
+| `openai-compatibility.*.api-key-entries.*.api-key`    | string   | ""                 | 该条目的API密钥。                                                          |
+| `openai-compatibility.*.api-key-entries.*.proxy-url`  | string   | ""                 | 针对该API密钥的代理URL。会覆盖全局proxy-url设置。支持socks5/http/https协议。                 |
+| `openai-compatibility.*.models`                       | object[] | []                 | 实际的模型名称。                                                            |
+| `openai-compatibility.*.models.*.name`                | string   | ""                 | 提供商支持的模型。                                                           |
+| `openai-compatibility.*.models.*.alias`               | string   | ""                 | 在API中使用的别名。                                                         |
 | `gemini-web`                            | object   | {}                 | Gemini Web 客户端的特定配置。                                                 |
 | `gemini-web.context`                    | boolean  | true               | 是否启用会话上下文重用，以实现连续对话。                                        |
 | `gemini-web.code-mode`                  | boolean  | false              | 是否启用代码模式，优化代码相关任务的响应。                                      |
@@ -330,6 +343,12 @@ auth-dir: "~/.cli-proxy-api"
 # 启用调试日志
 debug: false

+# 为 true 时将应用日志写入滚动文件而不是 stdout
+logging-to-file: true
+
+# 为 false 时禁用内存中的使用统计并直接丢弃所有数据
+usage-statistics-enabled: true
+
 # 代理URL。支持socks5/http/https协议。例如：socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""

@@ -348,15 +367,6 @@ gemini-web:
  code-mode: false # 启用代码模式
  max-chars-per-request: 1000000 # 单次请求最大字符数

-# 请求鉴权提供方
-auth:
-  providers:
-    - name: "default"
-      type: "config-api-key"
-      api-keys:
-        - "your-api-key-1"
-        - "your-api-key-2"
-
 # AIStduio Gemini API 的 API 密钥
 generative-language-api-key:
  - "AIzaSy...01"
@@ -368,20 +378,28 @@ generative-language-api-key:
 codex-api-key:
  - api-key: "sk-atSM..."
    base-url: "https://www.example.com" # 第三方 Codex API 中转服务端点
+    proxy-url: "socks5://proxy.example.com:1080" # 可选:针对该密钥的代理设置

 # Claude API 密钥
 claude-api-key:
-  - api-key: "sk-atSM..." # 如果使用官方 Claude API，无需设置 base-url
+  - api-key: "sk-atSM..." # 如果使用官方 Claude API,无需设置 base-url
  - api-key: "sk-atSM..."
    base-url: "https://www.example.com" # 第三方 Claude API 中转服务端点
+    proxy-url: "socks5://proxy.example.com:1080" # 可选:针对该密钥的代理设置

 # OpenAI 兼容提供商
 openai-compatibility:
  - name: "openrouter" # 提供商的名称；它将被用于用户代理和其它地方。
    base-url: "https://openrouter.ai/api/v1" # 提供商的基础URL。
-    api-keys: # 提供商的API密钥。如果需要，可以添加多个密钥。如果允许未经身份验证的访问，则可以省略。
-      - "sk-or-v1-...b780"
-      - "sk-or-v1-...b781"
+    # 新格式：支持每密钥代理配置(推荐):
+    api-key-entries:
+      - api-key: "sk-or-v1-...b780"
+        proxy-url: "socks5://proxy.example.com:1080" # 可选:针对该密钥的代理设置
+      - api-key: "sk-or-v1-...b781" # 不进行额外代理设置
+    # 旧格式(仍支持，但无法为每个密钥指定代理):
+    # api-keys:
+    #   - "sk-or-v1-...b780"
+    #   - "sk-or-v1-...b781"
    models: # 提供商支持的模型。
      - name: "moonshotai/kimi-k2:free" # 实际的模型名称。
        alias: "kimi-k2" # 在API中使用的别名。
@@ -393,10 +411,26 @@ openai-compatibility:

 - name：内部识别名
 - base-url：提供商基础地址
- api-keys：可选，多密钥轮询（若提供商支持无鉴权可省略）
+- api-key-entries：API密钥条目列表，支持可选的每密钥代理配置（推荐）
+- api-keys：(已弃用) 简单的API密钥列表，不支持代理配置
 - models：将上游模型 `name` 映射为本地可用 `alias`

-示例：
+支持每密钥代理配置的示例：
+
+```yaml
+openai-compatibility:
+  - name: "openrouter"
+    base-url: "https://openrouter.ai/api/v1"
+    api-key-entries:
+      - api-key: "sk-or-v1-...b780"
+        proxy-url: "socks5://proxy.example.com:1080"
+      - api-key: "sk-or-v1-...b781"
+    models:
+      - name: "moonshotai/kimi-k2:free"
+        alias: "kimi-k2"
+```
+
+旧格式（仍支持）：

 ```yaml
 openai-compatibility:
@@ -635,8 +669,10 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya

 ## SDK 文档

- 使用文档：`docs/sdk-usage_CN.md`（English: `docs/sdk-usage.md`）
- 高级（执行器与翻译器）：`docs/sdk-advanced_CN.md`（English: `docs/sdk-advanced.md`）
+- 使用文档：[docs/sdk-usage_CN.md](docs/sdk-usage_CN.md)
+- 高级（执行器与翻译器）：[docs/sdk-advanced_CN.md](docs/sdk-advanced_CN.md)
+- 认证: [docs/sdk-access_CN.md](docs/sdk-access_CN.md)
+- 凭据加载/更新: [docs/sdk-watcher_CN.md](docs/sdk-watcher_CN.md)
 - 自定义 Provider 示例：`examples/custom-provider`

 ## 贡献
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -4,106 +4,31 @@
 package main

 import (
-	"bytes"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
-	"strings"

-	"github.com/gin-gonic/gin"
+	configaccess "github.com/router-for-me/CLIProxyAPI/v6/internal/access/config_access"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/cmd"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/translator"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	log "github.com/sirupsen/logrus"
-	"gopkg.in/natefinch/lumberjack.v2"
 )

 var (
-	Version        = "dev"
-	Commit         = "none"
-	BuildDate      = "unknown"
-	logWriter      *lumberjack.Logger
-	ginInfoWriter  *io.PipeWriter
-	ginErrorWriter *io.PipeWriter
+	Version   = "dev"
+	Commit    = "none"
+	BuildDate = "unknown"
 )

-// LogFormatter defines a custom log format for logrus.
-// This formatter adds timestamp, log level, and source location information
-// to each log entry for better debugging and monitoring.
-type LogFormatter struct {
-}
-
-// Format renders a single log entry with custom formatting.
-// It includes timestamp, log level, source file and line number, and the log message.
-func (m *LogFormatter) Format(entry *log.Entry) ([]byte, error) {
-	var b *bytes.Buffer
-	if entry.Buffer != nil {
-		b = entry.Buffer
-	} else {
-		b = &bytes.Buffer{}
-	}
-
-	timestamp := entry.Time.Format("2006-01-02 15:04:05")
-	var newLog string
-	// Ensure message doesn't carry trailing newlines; formatter appends one.
-	msg := strings.TrimRight(entry.Message, "\r\n")
-	// Customize the log format to include timestamp, level, caller file/line, and message.
-	newLog = fmt.Sprintf("[%s] [%s] [%s:%d] %s\n", timestamp, entry.Level, filepath.Base(entry.Caller.File), entry.Caller.Line, msg)
-
-	b.WriteString(newLog)
-	return b.Bytes(), nil
-}
-
-// init initializes the logger configuration.
-// It sets up the custom log formatter, enables caller reporting,
-// and configures the log output destination.
+// init initializes the shared logger setup.
 func init() {
-	logDir := "logs"
-	if err := os.MkdirAll(logDir, 0755); err != nil {
-		fmt.Fprintf(os.Stderr, "failed to create log directory: %v\n", err)
-		os.Exit(1)
-	}
-
-	logWriter = &lumberjack.Logger{
-		Filename:   filepath.Join(logDir, "main.log"),
-		MaxSize:    10,
-		MaxBackups: 0,
-		MaxAge:     0,
-		Compress:   false,
-	}
-
-	log.SetOutput(logWriter)
-	// Enable reporting the caller function's file and line number.
-	log.SetReportCaller(true)
-	// Set the custom log formatter.
-	log.SetFormatter(&LogFormatter{})
-
-	ginInfoWriter = log.StandardLogger().Writer()
-	gin.DefaultWriter = ginInfoWriter
-	ginErrorWriter = log.StandardLogger().WriterLevel(log.ErrorLevel)
-	gin.DefaultErrorWriter = ginErrorWriter
-	gin.DebugPrintFunc = func(format string, values ...interface{}) {
-		// Trim trailing newlines from Gin's formatted messages to avoid blank lines.
-		// Gin's debug prints usually include a trailing "\n"; our formatter also appends one.
-		// Removing it here ensures a single newline per entry.
-		format = strings.TrimRight(format, "\r\n")
-		log.StandardLogger().Infof(format, values...)
-	}
-	log.RegisterExitHandler(func() {
-		if logWriter != nil {
-			_ = logWriter.Close()
-		}
-		if ginInfoWriter != nil {
-			_ = ginInfoWriter.Close()
-		}
-		if ginErrorWriter != nil {
-			_ = ginErrorWriter.Close()
-		}
-	})
+	logging.SetupBaseLogger()
 }

 // main is the entry point of the application.
@@ -111,7 +36,6 @@ func init() {
 // service based on the provided flags (login, codex-login, or server mode).
 func main() {
 	fmt.Printf("CLIProxyAPI Version: %s, Commit: %s, BuiltAt: %s\n", Version, Commit, BuildDate)
-	log.Infof("CLIProxyAPI Version: %s, Commit: %s, BuiltAt: %s", Version, Commit, BuildDate)

 	// Command-line flags to control the application's behavior.
 	var login bool
@@ -122,6 +46,7 @@ func main() {
 	var noBrowser bool
 	var projectID string
 	var configPath string
+	var password string

 	// Define command-line flags for different operation modes.
 	flag.BoolVar(&login, "login", false, "Login Google Account")
@@ -132,6 +57,34 @@ func main() {
 	flag.BoolVar(&noBrowser, "no-browser", false, "Don't open browser automatically for OAuth")
 	flag.StringVar(&projectID, "project_id", "", "Project ID (Gemini only, not required)")
 	flag.StringVar(&configPath, "config", "", "Configure File Path")
+	flag.StringVar(&password, "password", "", "")
+
+	flag.CommandLine.Usage = func() {
+		out := flag.CommandLine.Output()
+		_, _ = fmt.Fprintf(out, "Usage of %s\n", os.Args[0])
+		flag.CommandLine.VisitAll(func(f *flag.Flag) {
+			if f.Name == "password" {
+				return
+			}
+			s := fmt.Sprintf("  -%s", f.Name)
+			name, unquoteUsage := flag.UnquoteUsage(f)
+			if name != "" {
+				s += " " + name
+			}
+			if len(s) <= 4 {
+				s += "	"
+			} else {
+				s += "\n    "
+			}
+			if unquoteUsage != "" {
+				s += unquoteUsage
+			}
+			if f.DefValue != "" && f.DefValue != "false" && f.DefValue != "0" {
+				s += fmt.Sprintf(" (default %s)", f.DefValue)
+			}
+			_, _ = fmt.Fprint(out, s+"\n")
+		})
+	}

 	// Parse the command-line flags.
 	flag.Parse()
@@ -159,26 +112,21 @@ func main() {
 	if err != nil {
 		log.Fatalf("failed to load config: %v", err)
 	}
+	usage.SetStatisticsEnabled(cfg.UsageStatisticsEnabled)
+
+	if err = logging.ConfigureLogOutput(cfg.LoggingToFile); err != nil {
+		log.Fatalf("failed to configure log output: %v", err)
+	}
+
+	log.Infof("CLIProxyAPI Version: %s, Commit: %s, BuiltAt: %s", Version, Commit, BuildDate)

 	// Set the log level based on the configuration.
 	util.SetLogLevel(cfg)

-	// Expand the tilde (~) in the auth directory path to the user's home directory.
-	if strings.HasPrefix(cfg.AuthDir, "~") {
-		home, errUserHomeDir := os.UserHomeDir()
-		if errUserHomeDir != nil {
-			log.Fatalf("failed to get home directory: %v", errUserHomeDir)
-		}
-		// Reconstruct the path by replacing the tilde with the user's home directory.
-		remainder := strings.TrimPrefix(cfg.AuthDir, "~")
-		remainder = strings.TrimLeft(remainder, "/\\")
-		if remainder == "" {
-			cfg.AuthDir = home
-		} else {
-			// Normalize any slash style in the remainder so Windows paths keep nested directories.
-			normalized := strings.ReplaceAll(remainder, "\\", "/")
-			cfg.AuthDir = filepath.Join(home, filepath.FromSlash(normalized))
-		}
+	if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir); errResolveAuthDir != nil {
+		log.Fatalf("failed to resolve auth directory: %v", errResolveAuthDir)
+	} else {
+		cfg.AuthDir = resolvedAuthDir
 	}

 	// Create login options to be used in authentication flows.
@@ -189,6 +137,9 @@ func main() {
 	// Register the shared token store once so all components use the same persistence backend.
 	sdkAuth.RegisterTokenStore(sdkAuth.NewFileTokenStore())

+	// Register built-in access providers before constructing services.
+	configaccess.Register()
+
 	// Handle different command modes based on the provided flags.

 	if login {
@@ -206,6 +157,6 @@ func main() {
 		cmd.DoGeminiWebAuth(cfg)
 	} else {
 		// Start the main proxy service
-		cmd.StartService(cfg, configFilePath)
+		cmd.StartService(cfg, configFilePath, password)
 	}
 }
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -15,9 +15,20 @@ remote-management:
 # Authentication directory (supports ~ for home directory)
 auth-dir: "~/.cli-proxy-api"

+# API keys for authentication
+api-keys:
+  - "your-api-key-1"
+  - "your-api-key-2"
+
 # Enable debug logging
 debug: false

+# When true, write application logs to rotating files instead of stdout
+logging-to-file: false
+
+# When false, disable in-memory usage statistics aggregation
+usage-statistics-enabled: false
+
 # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""

@@ -29,58 +40,57 @@ quota-exceeded:
  switch-project: true # Whether to automatically switch to another project when a quota is exceeded
  switch-preview-model: true # Whether to automatically switch to a preview model when a quota is exceeded

-# Request authentication providers
-auth:
-  providers:
-    - name: "default"
-      type: "config-api-key"
-      api-keys:
-        - "your-api-key-1"
-        - "your-api-key-2"
-
 # API keys for official Generative Language API
-generative-language-api-key:
-  - "AIzaSy...01"
-  - "AIzaSy...02"
-  - "AIzaSy...03"
-  - "AIzaSy...04"
+#generative-language-api-key:
+#  - "AIzaSy...01"
+#  - "AIzaSy...02"
+#  - "AIzaSy...03"
+#  - "AIzaSy...04"

 # Codex API keys
-codex-api-key:
-  - api-key: "sk-atSM..."
-    base-url: "https://www.example.com" # use the custom codex API endpoint
+#codex-api-key:
+#  - api-key: "sk-atSM..."
+#    base-url: "https://www.example.com" # use the custom codex API endpoint
+#    proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override

 # Claude API keys
-claude-api-key:
-  - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
-  - api-key: "sk-atSM..."
-    base-url: "https://www.example.com" # use the custom claude API endpoint
+#claude-api-key:
+#  - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
+#  - api-key: "sk-atSM..."
+#    base-url: "https://www.example.com" # use the custom claude API endpoint
+#    proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override

 # OpenAI compatibility providers
-openai-compatibility:
-  - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
-    base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
-    api-keys: # The API keys for the provider. Add multiple keys if needed. Omit if unauthenticated access is allowed.
-      - "sk-or-v1-...b780"
-      - "sk-or-v1-...b781"
-    models: # The models supported by the provider.
-      - name: "moonshotai/kimi-k2:free" # The actual model name.
-        alias: "kimi-k2" # The alias used in the API.
+#openai-compatibility:
+#  - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
+#    base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
+#    # New format with per-key proxy support (recommended):
+#    api-key-entries:
+#      - api-key: "sk-or-v1-...b780"
+#        proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
+#      - api-key: "sk-or-v1-...b781" # without proxy-url
+#    # Legacy format (still supported, but cannot specify proxy per key):
+#    # api-keys:
+#    #   - "sk-or-v1-...b780"
+#    #   - "sk-or-v1-...b781"
+#    models: # The models supported by the provider.
+#      - name: "moonshotai/kimi-k2:free" # The actual model name.
+#        alias: "kimi-k2" # The alias used in the API.

 # Gemini Web settings
-gemini-web:
-    # Conversation reuse: set to true to enable (default), false to disable.
-    context: true
-    # Maximum characters per single request to Gemini Web. Requests exceeding this
-    # size split into chunks. Only the last chunk carries files and yields the final answer.
-    max-chars-per-request: 1000000
-    # Disable the short continuation hint appended to intermediate chunks
-    # when splitting long prompts. Default is false (hint enabled by default).
-    disable-continuation-hint: false
-    # Code mode:
-    #   - true: enable XML wrapping hint and attach the coding-partner Gem.
-    #           Thought merging (<think> into visible content) applies to STREAMING only;
-    #           non-stream responses keep reasoning/thought parts separate for clients
-    #           that expect explicit reasoning fields.
-    #   - false: disable XML hint and keep <think> separate
-    code-mode: false
+#gemini-web:
+#    # Conversation reuse: set to true to enable (default), false to disable.
+#    context: true
+#    # Maximum characters per single request to Gemini Web. Requests exceeding this
+#    # size split into chunks. Only the last chunk carries files and yields the final answer.
+#    max-chars-per-request: 1000000
+#    # Disable the short continuation hint appended to intermediate chunks
+#    # when splitting long prompts. Default is false (hint enabled by default).
+#    disable-continuation-hint: false
+#    # Code mode:
+#    #   - true: enable XML wrapping hint and attach the coding-partner Gem.
+#    #           Thought merging (<think> into visible content) applies to STREAMING only;
+#    #           non-stream responses keep reasoning/thought parts separate for clients
+#    #           that expect explicit reasoning fields.
+#    #   - false: disable XML hint and keep <think> separate
+#    code-mode: false
--- a/docs/sdk-access.md
+++ b/docs/sdk-access.md
@@ -0,0 +1,176 @@
+# @sdk/access SDK Reference
+
+The `github.com/router-for-me/CLIProxyAPI/v6/sdk/access` package centralizes inbound request authentication for the proxy. It offers a lightweight manager that chains credential providers, so servers can reuse the same access control logic inside or outside the CLI runtime.
+
+## Importing
+
+```go
+import (
+    sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+    "github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+```
+
+Add the module with `go get github.com/router-for-me/CLIProxyAPI/v6/sdk/access`.
+
+## Manager Lifecycle
+
+```go
+manager := sdkaccess.NewManager()
+providers, err := sdkaccess.BuildProviders(cfg)
+if err != nil {
+    return err
+}
+manager.SetProviders(providers)
+```
+
+* `NewManager` constructs an empty manager.
+* `SetProviders` replaces the provider slice using a defensive copy.
+* `Providers` retrieves a snapshot that can be iterated safely from other goroutines.
+* `BuildProviders` translates `config.Config` access declarations into runnable providers. When the config omits explicit providers but defines inline API keys, the helper auto-installs the built-in `config-api-key` provider.
+
+## Authenticating Requests
+
+```go
+result, err := manager.Authenticate(ctx, req)
+switch {
+case err == nil:
+    // Authentication succeeded; result describes the provider and principal.
+case errors.Is(err, sdkaccess.ErrNoCredentials):
+    // No recognizable credentials were supplied.
+case errors.Is(err, sdkaccess.ErrInvalidCredential):
+    // Supplied credentials were present but rejected.
+default:
+    // Transport-level failure was returned by a provider.
+}
+```
+
+`Manager.Authenticate` walks the configured providers in order. It returns on the first success, skips providers that surface `ErrNotHandled`, and tracks whether any provider reported `ErrNoCredentials` or `ErrInvalidCredential` for downstream error reporting.
+
+If the manager itself is `nil` or no providers are registered, the call returns `nil, nil`, allowing callers to treat access control as disabled without branching on errors.
+
+Each `Result` includes the provider identifier, the resolved principal, and optional metadata (for example, which header carried the credential).
+
+## Configuration Layout
+
+The manager expects access providers under the `auth.providers` key inside `config.yaml`:
+
+```yaml
+auth:
+  providers:
+    - name: inline-api
+      type: config-api-key
+      api-keys:
+        - sk-test-123
+        - sk-prod-456
+```
+
+Fields map directly to `config.AccessProvider`: `name` labels the provider, `type` selects the registered factory, `sdk` can name an external module, `api-keys` seeds inline credentials, and `config` passes provider-specific options.
+
+### Loading providers from external SDK modules
+
+To consume a provider shipped in another Go module, point the `sdk` field at the module path and import it for its registration side effect:
+
+```yaml
+auth:
+  providers:
+    - name: partner-auth
+      type: partner-token
+      sdk: github.com/acme/xplatform/sdk/access/providers/partner
+      config:
+        region: us-west-2
+        audience: cli-proxy
+```
+
+```go
+import (
+    _ "github.com/acme/xplatform/sdk/access/providers/partner" // registers partner-token
+    sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+)
+```
+
+The blank identifier import ensures `init` runs so `sdkaccess.RegisterProvider` executes before `BuildProviders` is called.
+
+## Built-in Providers
+
+The SDK ships with one provider out of the box:
+
+- `config-api-key`: Validates API keys declared inline or under top-level `api-keys`. It accepts the key from `Authorization: Bearer`, `X-Goog-Api-Key`, `X-Api-Key`, or the `?key=` query string and reports `ErrInvalidCredential` when no match is found.
+
+Additional providers can be delivered by third-party packages. When a provider package is imported, it registers itself with `sdkaccess.RegisterProvider`.
+
+### Metadata and auditing
+
+`Result.Metadata` carries provider-specific context. The built-in `config-api-key` provider, for example, stores the credential source (`authorization`, `x-goog-api-key`, `x-api-key`, or `query-key`). Populate this map in custom providers to enrich logs and downstream auditing.
+
+## Writing Custom Providers
+
+```go
+type customProvider struct{}
+
+func (p *customProvider) Identifier() string { return "my-provider" }
+
+func (p *customProvider) Authenticate(ctx context.Context, r *http.Request) (*sdkaccess.Result, error) {
+    token := r.Header.Get("X-Custom")
+    if token == "" {
+        return nil, sdkaccess.ErrNoCredentials
+    }
+    if token != "expected" {
+        return nil, sdkaccess.ErrInvalidCredential
+    }
+    return &sdkaccess.Result{
+        Provider:  p.Identifier(),
+        Principal: "service-user",
+        Metadata:  map[string]string{"source": "x-custom"},
+    }, nil
+}
+
+func init() {
+    sdkaccess.RegisterProvider("custom", func(cfg *config.AccessProvider, root *config.Config) (sdkaccess.Provider, error) {
+        return &customProvider{}, nil
+    })
+}
+```
+
+A provider must implement `Identifier()` and `Authenticate()`. To expose it to configuration, call `RegisterProvider` inside `init`. Provider factories receive the specific `AccessProvider` block plus the full root configuration for contextual needs.
+
+## Error Semantics
+
+- `ErrNoCredentials`: no credentials were present or recognized by any provider.
+- `ErrInvalidCredential`: at least one provider processed the credentials but rejected them.
+- `ErrNotHandled`: instructs the manager to fall through to the next provider without affecting aggregate error reporting.
+
+Return custom errors to surface transport failures; they propagate immediately to the caller instead of being masked.
+
+## Integration with cliproxy Service
+
+`sdk/cliproxy` wires `@sdk/access` automatically when you build a CLI service via `cliproxy.NewBuilder`. Supplying a preconfigured manager allows you to extend or override the default providers:
+
+```go
+coreCfg, _ := config.LoadConfig("config.yaml")
+providers, _ := sdkaccess.BuildProviders(coreCfg)
+manager := sdkaccess.NewManager()
+manager.SetProviders(providers)
+
+svc, _ := cliproxy.NewBuilder().
+  WithConfig(coreCfg).
+  WithAccessManager(manager).
+  Build()
+```
+
+The service reuses the manager for every inbound request, ensuring consistent authentication across embedded deployments and the canonical CLI binary.
+
+### Hot reloading providers
+
+When configuration changes, rebuild providers and swap them into the manager:
+
+```go
+providers, err := sdkaccess.BuildProviders(newCfg)
+if err != nil {
+    log.Errorf("reload auth providers failed: %v", err)
+    return
+}
+accessManager.SetProviders(providers)
+```
+
+This mirrors the behaviour in `cliproxy.Service.refreshAccessProviders` and `api.Server.applyAccessConfig`, enabling runtime updates without restarting the process.
--- a/docs/sdk-access_CN.md
+++ b/docs/sdk-access_CN.md
@@ -0,0 +1,176 @@
+# @sdk/access 开发指引
+
+`github.com/router-for-me/CLIProxyAPI/v6/sdk/access` 包负责代理的入站访问认证。它提供一个轻量的管理器，用于按顺序链接多种凭证校验实现，让服务器在 CLI 运行时内外都能复用相同的访问控制逻辑。
+
+## 引用方式
+
+```go
+import (
+    sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+    "github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+```
+
+通过 `go get github.com/router-for-me/CLIProxyAPI/v6/sdk/access` 添加依赖。
+
+## 管理器生命周期
+
+```go
+manager := sdkaccess.NewManager()
+providers, err := sdkaccess.BuildProviders(cfg)
+if err != nil {
+    return err
+}
+manager.SetProviders(providers)
+```
+
+- `NewManager` 创建空管理器。
+- `SetProviders` 替换提供者切片并做防御性拷贝。
+- `Providers` 返回适合并发读取的快照。
+- `BuildProviders` 将 `config.Config` 中的访问配置转换成可运行的提供者。当配置没有显式声明但包含顶层 `api-keys` 时，会自动挂载内建的 `config-api-key` 提供者。
+
+## 认证请求
+
+```go
+result, err := manager.Authenticate(ctx, req)
+switch {
+case err == nil:
+    // Authentication succeeded; result carries provider and principal.
+case errors.Is(err, sdkaccess.ErrNoCredentials):
+    // No recognizable credentials were supplied.
+case errors.Is(err, sdkaccess.ErrInvalidCredential):
+    // Credentials were present but rejected.
+default:
+    // Provider surfaced a transport-level failure.
+}
+```
+
+`Manager.Authenticate` 按配置顺序遍历提供者。遇到成功立即返回，`ErrNotHandled` 会继续尝试下一个；若发现 `ErrNoCredentials` 或 `ErrInvalidCredential`，会在遍历结束后汇总给调用方。
+
+若管理器本身为 `nil` 或尚未注册提供者，调用会返回 `nil, nil`，让调用方无需针对错误做额外分支即可关闭访问控制。
+
+`Result` 提供认证提供者标识、解析出的主体以及可选元数据（例如凭证来源）。
+
+## 配置结构
+
+在 `config.yaml` 的 `auth.providers` 下定义访问提供者：
+
+```yaml
+auth:
+  providers:
+    - name: inline-api
+      type: config-api-key
+      api-keys:
+        - sk-test-123
+        - sk-prod-456
+```
+
+条目映射到 `config.AccessProvider`：`name` 指定实例名，`type` 选择注册的工厂，`sdk` 可引用第三方模块，`api-keys` 提供内联凭证，`config` 用于传递特定选项。
+
+### 引入外部 SDK 提供者
+
+若要消费其它 Go 模块输出的访问提供者，可在配置里填写 `sdk` 字段并在代码中引入该包，利用其 `init` 注册过程：
+
+```yaml
+auth:
+  providers:
+    - name: partner-auth
+      type: partner-token
+      sdk: github.com/acme/xplatform/sdk/access/providers/partner
+      config:
+        region: us-west-2
+        audience: cli-proxy
+```
+
+```go
+import (
+    _ "github.com/acme/xplatform/sdk/access/providers/partner" // registers partner-token
+    sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+)
+```
+
+通过空白标识符导入即可确保 `init` 调用，先于 `BuildProviders` 完成 `sdkaccess.RegisterProvider`。
+
+## 内建提供者
+
+当前 SDK 默认内置：
+
+- `config-api-key`：校验配置中的 API Key。它从 `Authorization: Bearer`、`X-Goog-Api-Key`、`X-Api-Key` 以及查询参数 `?key=` 提取凭证，不匹配时抛出 `ErrInvalidCredential`。
+
+导入第三方包即可通过 `sdkaccess.RegisterProvider` 注册更多类型。
+
+### 元数据与审计
+
+`Result.Metadata` 用于携带提供者特定的上下文信息。内建的 `config-api-key` 会记录凭证来源（`authorization`、`x-goog-api-key`、`x-api-key` 或 `query-key`）。自定义提供者同样可以填充该 Map，以便丰富日志与审计场景。
+
+## 编写自定义提供者
+
+```go
+type customProvider struct{}
+
+func (p *customProvider) Identifier() string { return "my-provider" }
+
+func (p *customProvider) Authenticate(ctx context.Context, r *http.Request) (*sdkaccess.Result, error) {
+    token := r.Header.Get("X-Custom")
+    if token == "" {
+        return nil, sdkaccess.ErrNoCredentials
+    }
+    if token != "expected" {
+        return nil, sdkaccess.ErrInvalidCredential
+    }
+    return &sdkaccess.Result{
+        Provider:  p.Identifier(),
+        Principal: "service-user",
+        Metadata:  map[string]string{"source": "x-custom"},
+    }, nil
+}
+
+func init() {
+    sdkaccess.RegisterProvider("custom", func(cfg *config.AccessProvider, root *config.Config) (sdkaccess.Provider, error) {
+        return &customProvider{}, nil
+    })
+}
+```
+
+自定义提供者需要实现 `Identifier()` 与 `Authenticate()`。在 `init` 中调用 `RegisterProvider` 暴露给配置层，工厂函数既能读取当前条目，也能访问完整根配置。
+
+## 错误语义
+
+- `ErrNoCredentials`：任何提供者都未识别到凭证。
+- `ErrInvalidCredential`：至少一个提供者处理了凭证但判定无效。
+- `ErrNotHandled`：告诉管理器跳到下一个提供者，不影响最终错误统计。
+
+自定义错误（例如网络异常）会马上冒泡返回。
+
+## 与 cliproxy 集成
+
+使用 `sdk/cliproxy` 构建服务时会自动接入 `@sdk/access`。如果需要扩展内置行为，可传入自定义管理器：
+
+```go
+coreCfg, _ := config.LoadConfig("config.yaml")
+providers, _ := sdkaccess.BuildProviders(coreCfg)
+manager := sdkaccess.NewManager()
+manager.SetProviders(providers)
+
+svc, _ := cliproxy.NewBuilder().
+  WithConfig(coreCfg).
+  WithAccessManager(manager).
+  Build()
+```
+
+服务会复用该管理器处理每一个入站请求，实现与 CLI 二进制一致的访问控制体验。
+
+### 动态热更新提供者
+
+当配置发生变化时，可以重新构建提供者并替换当前列表：
+
+```go
+providers, err := sdkaccess.BuildProviders(newCfg)
+if err != nil {
+    log.Errorf("reload auth providers failed: %v", err)
+    return
+}
+accessManager.SetProviders(providers)
+```
+
+这一流程与 `cliproxy.Service.refreshAccessProviders` 和 `api.Server.applyAccessConfig` 保持一致，避免为更新访问策略而重启进程。
--- a/docs/sdk-advanced.md
+++ b/docs/sdk-advanced.md
@@ -0,0 +1,138 @@
+# SDK Advanced: Executors & Translators
+
+This guide explains how to extend the embedded proxy with custom providers and schemas using the SDK. You will:
+- Implement a provider executor that talks to your upstream API
+- Register request/response translators for schema conversion
+- Register models so they appear in `/v1/models`
+
+The examples use Go 1.24+ and the v6 module path.
+
+## Concepts
+
+- Provider executor: a runtime component implementing `auth.ProviderExecutor` that performs outbound calls for a given provider key (e.g., `gemini`, `claude`, `codex`). Executors can also implement `RequestPreparer` to inject credentials on raw HTTP requests.
+- Translator registry: schema conversion functions routed by `sdk/translator`. The built‑in handlers translate between OpenAI/Gemini/Claude/Codex formats; you can register new ones.
+- Model registry: publishes the list of available models per client/provider to power `/v1/models` and routing hints.
+
+## 1) Implement a Provider Executor
+
+Create a type that satisfies `auth.ProviderExecutor`.
+
+```go
+package myprov
+
+import (
+  "context"
+  "net/http"
+
+  coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+  clipexec "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+)
+
+type Executor struct{}
+
+func (Executor) Identifier() string { return "myprov" }
+
+// Optional: mutate outbound HTTP requests with credentials
+func (Executor) PrepareRequest(req *http.Request, a *coreauth.Auth) error {
+  // Example: req.Header.Set("Authorization", "Bearer "+a.APIKey)
+  return nil
+}
+
+func (Executor) Execute(ctx context.Context, a *coreauth.Auth, req clipexec.Request, opts clipexec.Options) (clipexec.Response, error) {
+  // Build HTTP request based on req.Payload (already translated into provider format)
+  // Use per‑auth transport if provided: transport := a.RoundTripper // via RoundTripperProvider
+  // Perform call and return provider JSON payload
+  return clipexec.Response{Payload: []byte(`{"ok":true}`)}, nil
+}
+
+func (Executor) ExecuteStream(ctx context.Context, a *coreauth.Auth, req clipexec.Request, opts clipexec.Options) (<-chan clipexec.StreamChunk, error) {
+  ch := make(chan clipexec.StreamChunk, 1)
+  go func() { defer close(ch); ch <- clipexec.StreamChunk{Payload: []byte("data: {\"done\":true}\n\n")} }()
+  return ch, nil
+}
+
+func (Executor) Refresh(ctx context.Context, a *coreauth.Auth) (*coreauth.Auth, error) {
+  // Optionally refresh tokens and return updated auth
+  return a, nil
+}
+```
+
+Register the executor with the core manager before starting the service:
+
+```go
+core := coreauth.NewManager(coreauth.NewFileStore(cfg.AuthDir), nil, nil)
+core.RegisterExecutor(myprov.Executor{})
+svc, _ := cliproxy.NewBuilder().WithConfig(cfg).WithConfigPath(cfgPath).WithCoreAuthManager(core).Build()
+```
+
+If your auth entries use provider `"myprov"`, the manager routes requests to your executor.
+
+## 2) Register Translators
+
+The handlers accept OpenAI/Gemini/Claude/Codex inputs. To support a new provider format, register translation functions in `sdk/translator`’s default registry.
+
+Direction matters:
+- Request: register from inbound schema to provider schema
+- Response: register from provider schema back to inbound schema
+
+Example: Convert OpenAI Chat → MyProv Chat and back.
+
+```go
+package myprov
+
+import (
+  "context"
+  sdktr "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
+)
+
+const (
+  FOpenAI = sdktr.Format("openai.chat")
+  FMyProv = sdktr.Format("myprov.chat")
+)
+
+func init() {
+  sdktr.Register(FOpenAI, FMyProv,
+    // Request transform (model, rawJSON, stream)
+    func(model string, raw []byte, stream bool) []byte { return convertOpenAIToMyProv(model, raw, stream) },
+    // Response transform (stream & non‑stream)
+    sdktr.ResponseTransform{
+      Stream: func(ctx context.Context, model string, originalReq, translatedReq, raw []byte, param *any) []string {
+        return convertStreamMyProvToOpenAI(model, originalReq, translatedReq, raw)
+      },
+      NonStream: func(ctx context.Context, model string, originalReq, translatedReq, raw []byte, param *any) string {
+        return convertMyProvToOpenAI(model, originalReq, translatedReq, raw)
+      },
+    },
+  )
+}
+```
+
+When the OpenAI handler receives a request that should route to `myprov`, the pipeline uses the registered transforms automatically.
+
+## 3) Register Models
+
+Expose models under `/v1/models` by registering them in the global model registry using the auth ID (client ID) and provider name.
+
+```go
+models := []*cliproxy.ModelInfo{
+  { ID: "myprov-pro-1", Object: "model", Type: "myprov", DisplayName: "MyProv Pro 1" },
+}
+cliproxy.GlobalModelRegistry().RegisterClient(authID, "myprov", models)
+```
+
+The embedded server calls this automatically for built‑in providers; for custom providers, register during startup (e.g., after loading auths) or upon auth registration hooks.
+
+## Credentials & Transports
+
+- Use `Manager.SetRoundTripperProvider` to inject per‑auth `*http.Transport` (e.g., proxy):
+  ```go
+  core.SetRoundTripperProvider(myProvider) // returns transport per auth
+  ```
+- For raw HTTP flows, implement `PrepareRequest` and/or call `Manager.InjectCredentials(req, authID)` to set headers.
+
+## Testing Tips
+
+- Enable request logging: Management API GET/PUT `/v0/management/request-log`
+- Toggle debug logs: Management API GET/PUT `/v0/management/debug`
+- Hot reload changes in `config.yaml` and `auths/` are picked up automatically by the watcher
+
--- a/docs/sdk-advanced_CN.md
+++ b/docs/sdk-advanced_CN.md
@@ -0,0 +1,131 @@
+# SDK 高级指南：执行器与翻译器
+
+本文介绍如何使用 SDK 扩展内嵌代理：
+- 实现自定义 Provider 执行器以调用你的上游 API
+- 注册请求/响应翻译器进行协议转换
+- 注册模型以出现在 `/v1/models`
+
+示例基于 Go 1.24+ 与 v6 模块路径。
+
+## 概念
+
+- Provider 执行器：实现 `auth.ProviderExecutor` 的运行时组件，负责某个 provider key（如 `gemini`、`claude`、`codex`）的真正出站调用。若实现 `RequestPreparer` 接口，可在原始 HTTP 请求上注入凭据。
+- 翻译器注册表：由 `sdk/translator` 驱动的协议转换函数。内置了 OpenAI/Gemini/Claude/Codex 的互转；你也可以注册新的格式转换。
+- 模型注册表：对外发布可用模型列表，供 `/v1/models` 与路由参考。
+
+## 1) 实现 Provider 执行器
+
+创建类型满足 `auth.ProviderExecutor` 接口。
+
+```go
+package myprov
+
+import (
+    "context"
+    "net/http"
+
+    coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+    clipexec "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+)
+
+type Executor struct{}
+
+func (Executor) Identifier() string { return "myprov" }
+
+// 可选：在原始 HTTP 请求上注入凭据
+func (Executor) PrepareRequest(req *http.Request, a *coreauth.Auth) error {
+    // 例如：req.Header.Set("Authorization", "Bearer "+a.Attributes["api_key"]) 
+    return nil
+}
+
+func (Executor) Execute(ctx context.Context, a *coreauth.Auth, req clipexec.Request, opts clipexec.Options) (clipexec.Response, error) {
+    // 基于 req.Payload 构造上游请求，返回上游 JSON 负载
+    return clipexec.Response{Payload: []byte(`{"ok":true}`)}, nil
+}
+
+func (Executor) ExecuteStream(ctx context.Context, a *coreauth.Auth, req clipexec.Request, opts clipexec.Options) (<-chan clipexec.StreamChunk, error) {
+    ch := make(chan clipexec.StreamChunk, 1)
+    go func() { defer close(ch); ch <- clipexec.StreamChunk{Payload: []byte("data: {\\"done\\":true}\\n\\n")} }()
+    return ch, nil
+}
+
+func (Executor) Refresh(ctx context.Context, a *coreauth.Auth) (*coreauth.Auth, error) { return a, nil }
+```
+
+在启动服务前将执行器注册到核心管理器：
+
+```go
+core := coreauth.NewManager(coreauth.NewFileStore(cfg.AuthDir), nil, nil)
+core.RegisterExecutor(myprov.Executor{})
+svc, _ := cliproxy.NewBuilder().WithConfig(cfg).WithConfigPath(cfgPath).WithCoreAuthManager(core).Build()
+```
+
+当凭据的 `Provider` 为 `"myprov"` 时，管理器会将请求路由到你的执行器。
+
+## 2) 注册翻译器
+
+内置处理器接受 OpenAI/Gemini/Claude/Codex 的入站格式。要支持新的 provider 协议，需要在 `sdk/translator` 的默认注册表中注册转换函数。
+
+方向很重要：
+- 请求：从“入站格式”转换为“provider 格式”
+- 响应：从“provider 格式”转换回“入站格式”
+
+示例：OpenAI Chat → MyProv Chat 及其反向。
+
+```go
+package myprov
+
+import (
+  "context"
+  sdktr "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
+)
+
+const (
+  FOpenAI = sdktr.Format("openai.chat")
+  FMyProv = sdktr.Format("myprov.chat")
+)
+
+func init() {
+  sdktr.Register(FOpenAI, FMyProv,
+    func(model string, raw []byte, stream bool) []byte { return convertOpenAIToMyProv(model, raw, stream) },
+    sdktr.ResponseTransform{
+      Stream: func(ctx context.Context, model string, originalReq, translatedReq, raw []byte, param *any) []string {
+        return convertStreamMyProvToOpenAI(model, originalReq, translatedReq, raw)
+      },
+      NonStream: func(ctx context.Context, model string, originalReq, translatedReq, raw []byte, param *any) string {
+        return convertMyProvToOpenAI(model, originalReq, translatedReq, raw)
+      },
+    },
+  )
+}
+```
+
+当 OpenAI 处理器接到需要路由到 `myprov` 的请求时，流水线会自动应用已注册的转换。
+
+## 3) 注册模型
+
+通过全局模型注册表将模型暴露到 `/v1/models`：
+
+```go
+models := []*cliproxy.ModelInfo{
+  { ID: "myprov-pro-1", Object: "model", Type: "myprov", DisplayName: "MyProv Pro 1" },
+}
+cliproxy.GlobalModelRegistry().RegisterClient(authID, "myprov", models)
+```
+
+内置 Provider 会自动注册；自定义 Provider 建议在启动时（例如加载到 Auth 后）或在 Auth 注册钩子中调用。
+
+## 凭据与传输
+
+- 使用 `Manager.SetRoundTripperProvider` 注入按账户的 `*http.Transport`（例如代理）：
+  ```go
+  core.SetRoundTripperProvider(myProvider) // 按账户返回 transport
+  ```
+- 对于原始 HTTP 请求，若实现了 `PrepareRequest`，或通过 `Manager.InjectCredentials(req, authID)` 进行头部注入。
+
+## 测试建议
+
+- 启用请求日志：管理 API GET/PUT `/v0/management/request-log`
+- 切换调试日志：管理 API GET/PUT `/v0/management/debug`
+- 热更新：`config.yaml` 与 `auths/` 变化会自动被侦测并应用
+
--- a/docs/sdk-usage.md
+++ b/docs/sdk-usage.md
@@ -0,0 +1,163 @@
+# CLI Proxy SDK Guide
+
+The `sdk/cliproxy` module exposes the proxy as a reusable Go library so external programs can embed the routing, authentication, hot‑reload, and translation layers without depending on the CLI binary.
+
+## Install & Import
+
+```bash
+go get github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy
+```
+
+```go
+import (
+    "context"
+    "errors"
+    "time"
+
+    "github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+    "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy"
+)
+```
+
+Note the `/v6` module path.
+
+## Minimal Embed
+
+```go
+cfg, err := config.LoadConfig("config.yaml")
+if err != nil { panic(err) }
+
+svc, err := cliproxy.NewBuilder().
+    WithConfig(cfg).
+    WithConfigPath("config.yaml"). // absolute or working-dir relative
+    Build()
+if err != nil { panic(err) }
+
+ctx, cancel := context.WithCancel(context.Background())
+defer cancel()
+
+if err := svc.Run(ctx); err != nil && !errors.Is(err, context.Canceled) {
+    panic(err)
+}
+```
+
+The service manages config/auth watching, background token refresh, and graceful shutdown. Cancel the context to stop it.
+
+## Server Options (middleware, routes, logs)
+
+The server accepts options via `WithServerOptions`:
+
+```go
+svc, _ := cliproxy.NewBuilder().
+  WithConfig(cfg).
+  WithConfigPath("config.yaml").
+  WithServerOptions(
+    // Add global middleware
+    cliproxy.WithMiddleware(func(c *gin.Context) { c.Header("X-Embed", "1"); c.Next() }),
+    // Tweak gin engine early (CORS, trusted proxies, etc.)
+    cliproxy.WithEngineConfigurator(func(e *gin.Engine) { e.ForwardedByClientIP = true }),
+    // Add your own routes after defaults
+    cliproxy.WithRouterConfigurator(func(e *gin.Engine, _ *handlers.BaseAPIHandler, _ *config.Config) {
+      e.GET("/healthz", func(c *gin.Context) { c.String(200, "ok") })
+    }),
+    // Override request log writer/dir
+    cliproxy.WithRequestLoggerFactory(func(cfg *config.Config, cfgPath string) logging.RequestLogger {
+      return logging.NewFileRequestLogger(true, "logs", filepath.Dir(cfgPath))
+    }),
+  ).
+  Build()
+```
+
+These options mirror the internals used by the CLI server.
+
+## Management API (when embedded)
+
+- Management endpoints are mounted only when `remote-management.secret-key` is set in `config.yaml`.
+- Remote access additionally requires `remote-management.allow-remote: true`.
+- See MANAGEMENT_API.md for endpoints. Your embedded server exposes them under `/v0/management` on the configured port.
+
+## Using the Core Auth Manager
+
+The service uses a core `auth.Manager` for selection, execution, and auto‑refresh. When embedding, you can provide your own manager to customize transports or hooks:
+
+```go
+core := coreauth.NewManager(coreauth.NewFileStore(cfg.AuthDir), nil, nil)
+core.SetRoundTripperProvider(myRTProvider) // per‑auth *http.Transport
+
+svc, _ := cliproxy.NewBuilder().
+    WithConfig(cfg).
+    WithConfigPath("config.yaml").
+    WithCoreAuthManager(core).
+    Build()
+```
+
+Implement a custom per‑auth transport:
+
+```go
+type myRTProvider struct{}
+func (myRTProvider) RoundTripperFor(a *coreauth.Auth) http.RoundTripper {
+    if a == nil || a.ProxyURL == "" { return nil }
+    u, _ := url.Parse(a.ProxyURL)
+    return &http.Transport{ Proxy: http.ProxyURL(u) }
+}
+```
+
+Programmatic execution is available on the manager:
+
+```go
+// Non‑streaming
+resp, err := core.Execute(ctx, []string{"gemini"}, req, opts)
+
+// Streaming
+chunks, err := core.ExecuteStream(ctx, []string{"gemini"}, req, opts)
+for ch := range chunks { /* ... */ }
+```
+
+Note: Built‑in provider executors are wired automatically when you run the `Service`. If you want to use `Manager` stand‑alone without the HTTP server, you must register your own executors that implement `auth.ProviderExecutor`.
+
+## Custom Client Sources
+
+Replace the default loaders if your creds live outside the local filesystem:
+
+```go
+type memoryTokenProvider struct{}
+func (p *memoryTokenProvider) Load(ctx context.Context, cfg *config.Config) (*cliproxy.TokenClientResult, error) {
+    // Populate from memory/remote store and return counts
+    return &cliproxy.TokenClientResult{}, nil
+}
+
+svc, _ := cliproxy.NewBuilder().
+  WithConfig(cfg).
+  WithConfigPath("config.yaml").
+  WithTokenClientProvider(&memoryTokenProvider{}).
+  WithAPIKeyClientProvider(cliproxy.NewAPIKeyClientProvider()).
+  Build()
+```
+
+## Hooks
+
+Observe lifecycle without patching internals:
+
+```go
+hooks := cliproxy.Hooks{
+  OnBeforeStart: func(cfg *config.Config) { log.Infof("starting on :%d", cfg.Port) },
+  OnAfterStart:  func(s *cliproxy.Service) { log.Info("ready") },
+}
+svc, _ := cliproxy.NewBuilder().WithConfig(cfg).WithConfigPath("config.yaml").WithHooks(hooks).Build()
+```
+
+## Shutdown
+
+`Run` defers `Shutdown`, so cancelling the parent context is enough. To stop manually:
+
+```go
+ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+defer cancel()
+_ = svc.Shutdown(ctx)
+```
+
+## Notes
+
+- Hot reload: changes to `config.yaml` and `auths/` are picked up automatically.
+- Request logging can be toggled at runtime via the Management API.
+- Gemini Web features (`gemini-web.*`) are honored in the embedded server.
--- a/docs/sdk-usage_CN.md
+++ b/docs/sdk-usage_CN.md
@@ -0,0 +1,164 @@
+# CLI Proxy SDK 使用指南
+
+`sdk/cliproxy` 模块将代理能力以 Go 库的形式对外暴露，方便在其它服务中内嵌路由、鉴权、热更新与翻译层，而无需依赖可执行的 CLI 程序。
+
+## 安装与导入
+
+```bash
+go get github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy
+```
+
+```go
+import (
+    "context"
+    "errors"
+    "time"
+
+    "github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+    "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy"
+)
+```
+
+注意模块路径包含 `/v6`。
+
+## 最小可用示例
+
+```go
+cfg, err := config.LoadConfig("config.yaml")
+if err != nil { panic(err) }
+
+svc, err := cliproxy.NewBuilder().
+    WithConfig(cfg).
+    WithConfigPath("config.yaml"). // 绝对路径或工作目录相对路径
+    Build()
+if err != nil { panic(err) }
+
+ctx, cancel := context.WithCancel(context.Background())
+defer cancel()
+
+if err := svc.Run(ctx); err != nil && !errors.Is(err, context.Canceled) {
+    panic(err)
+}
+```
+
+服务内部会管理配置与认证文件的监听、后台令牌刷新与优雅关闭。取消上下文即可停止服务。
+
+## 服务器可选项（中间件、路由、日志）
+
+通过 `WithServerOptions` 自定义：
+
+```go
+svc, _ := cliproxy.NewBuilder().
+  WithConfig(cfg).
+  WithConfigPath("config.yaml").
+  WithServerOptions(
+    // 追加全局中间件
+    cliproxy.WithMiddleware(func(c *gin.Context) { c.Header("X-Embed", "1"); c.Next() }),
+    // 提前调整 gin 引擎（如 CORS、trusted proxies）
+    cliproxy.WithEngineConfigurator(func(e *gin.Engine) { e.ForwardedByClientIP = true }),
+    // 在默认路由之后追加自定义路由
+    cliproxy.WithRouterConfigurator(func(e *gin.Engine, _ *handlers.BaseAPIHandler, _ *config.Config) {
+      e.GET("/healthz", func(c *gin.Context) { c.String(200, "ok") })
+    }),
+    // 覆盖请求日志的创建（启用/目录）
+    cliproxy.WithRequestLoggerFactory(func(cfg *config.Config, cfgPath string) logging.RequestLogger {
+      return logging.NewFileRequestLogger(true, "logs", filepath.Dir(cfgPath))
+    }),
+  ).
+  Build()
+```
+
+这些选项与 CLI 服务器内部用法保持一致。
+
+## 管理 API（内嵌时）
+
+- 仅当 `config.yaml` 中设置了 `remote-management.secret-key` 时才会挂载管理端点。
+- 远程访问还需要 `remote-management.allow-remote: true`。
+- 具体端点见 MANAGEMENT_API_CN.md。内嵌服务器会在配置端口下暴露 `/v0/management`。
+
+## 使用核心鉴权管理器
+
+服务内部使用核心 `auth.Manager` 负责选择、执行、自动刷新。内嵌时可自定义其传输或钩子：
+
+```go
+core := coreauth.NewManager(coreauth.NewFileStore(cfg.AuthDir), nil, nil)
+core.SetRoundTripperProvider(myRTProvider) // 按账户返回 *http.Transport
+
+svc, _ := cliproxy.NewBuilder().
+    WithConfig(cfg).
+    WithConfigPath("config.yaml").
+    WithCoreAuthManager(core).
+    Build()
+```
+
+实现每个账户的自定义传输：
+
+```go
+type myRTProvider struct{}
+func (myRTProvider) RoundTripperFor(a *coreauth.Auth) http.RoundTripper {
+    if a == nil || a.ProxyURL == "" { return nil }
+    u, _ := url.Parse(a.ProxyURL)
+    return &http.Transport{ Proxy: http.ProxyURL(u) }
+}
+```
+
+管理器提供编程式执行接口：
+
+```go
+// 非流式
+resp, err := core.Execute(ctx, []string{"gemini"}, req, opts)
+
+// 流式
+chunks, err := core.ExecuteStream(ctx, []string{"gemini"}, req, opts)
+for ch := range chunks { /* ... */ }
+```
+
+说明：运行 `Service` 时会自动注册内置的提供商执行器；若仅单独使用 `Manager` 而不启动 HTTP 服务器，则需要自行实现并注册满足 `auth.ProviderExecutor` 的执行器。
+
+## 自定义凭据来源
+
+当凭据不在本地文件系统时，替换默认加载器：
+
+```go
+type memoryTokenProvider struct{}
+func (p *memoryTokenProvider) Load(ctx context.Context, cfg *config.Config) (*cliproxy.TokenClientResult, error) {
+    // 从内存/远端加载并返回数量统计
+    return &cliproxy.TokenClientResult{}, nil
+}
+
+svc, _ := cliproxy.NewBuilder().
+  WithConfig(cfg).
+  WithConfigPath("config.yaml").
+  WithTokenClientProvider(&memoryTokenProvider{}).
+  WithAPIKeyClientProvider(cliproxy.NewAPIKeyClientProvider()).
+  Build()
+```
+
+## 启动钩子
+
+无需修改内部代码即可观察生命周期：
+
+```go
+hooks := cliproxy.Hooks{
+  OnBeforeStart: func(cfg *config.Config) { log.Infof("starting on :%d", cfg.Port) },
+  OnAfterStart:  func(s *cliproxy.Service) { log.Info("ready") },
+}
+svc, _ := cliproxy.NewBuilder().WithConfig(cfg).WithConfigPath("config.yaml").WithHooks(hooks).Build()
+```
+
+## 关闭
+
+`Run` 内部会延迟调用 `Shutdown`，因此只需取消父上下文即可。若需手动停止：
+
+```go
+ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+defer cancel()
+_ = svc.Shutdown(ctx)
+```
+
+## 说明
+
+- 热更新：`config.yaml` 与 `auths/` 变化会被自动侦测并应用。
+- 请求日志可通过管理 API 在运行时开关。
+- `gemini-web.*` 相关配置在内嵌服务器中会被遵循。
+
--- a/docs/sdk-watcher.md
+++ b/docs/sdk-watcher.md
@@ -0,0 +1,32 @@
+# SDK Watcher Integration
+
+The SDK service exposes a watcher integration that surfaces granular auth updates without forcing a full reload. This document explains the queue contract, how the service consumes updates, and how high-frequency change bursts are handled.
+
+## Update Queue Contract
+
+- `watcher.AuthUpdate` represents a single credential change. `Action` may be `add`, `modify`, or `delete`, and `ID` carries the credential identifier. For `add`/`modify` the `Auth` payload contains a fully populated clone of the credential; `delete` may omit `Auth`.
+- `WatcherWrapper.SetAuthUpdateQueue(chan<- watcher.AuthUpdate)` wires the queue produced by the SDK service into the watcher. The queue must be created before the watcher starts.
+- The service builds the queue via `ensureAuthUpdateQueue`, using a buffered channel (`capacity=256`) and a dedicated consumer goroutine (`consumeAuthUpdates`). The consumer drains bursts by looping through the backlog before reacquiring the select loop.
+
+## Watcher Behaviour
+
+- `internal/watcher/watcher.go` keeps a shadow snapshot of auth state (`currentAuths`). Each filesystem or configuration event triggers a recomputation and a diff against the previous snapshot to produce minimal `AuthUpdate` entries that mirror adds, edits, and removals.
+- Updates are coalesced per credential identifier. If multiple changes occur before dispatch (e.g., write followed by delete), only the final action is sent downstream.
+- The watcher runs an internal dispatch loop that buffers pending updates in memory and forwards them asynchronously to the queue. Producers never block on channel capacity; they just enqueue into the in-memory buffer and signal the dispatcher. Dispatch cancellation happens when the watcher stops, guaranteeing goroutines exit cleanly.
+
+## High-Frequency Change Handling
+
+- The dispatch loop and service consumer run independently, preventing filesystem watchers from blocking even when many updates arrive at once.
+- Back-pressure is absorbed in two places:
+  - The dispatch buffer (map + order slice) coalesces repeated updates for the same credential until the consumer catches up.
+  - The service channel capacity (256) combined with the consumer drain loop ensures several bursts can be processed without oscillation.
+- If the queue is saturated for an extended period, updates continue to be merged, so the latest state is eventually applied without replaying redundant intermediate states.
+
+## Usage Checklist
+
+1. Instantiate the SDK service (builder or manual construction).
+2. Call `ensureAuthUpdateQueue` before starting the watcher to allocate the shared channel.
+3. When the `WatcherWrapper` is created, call `SetAuthUpdateQueue` with the service queue, then start the watcher.
+4. Provide a reload callback that handles configuration updates; auth deltas will arrive via the queue and are applied by the service automatically through `handleAuthUpdate`.
+
+Following this flow keeps auth changes responsive while avoiding full reloads for every edit.
--- a/docs/sdk-watcher_CN.md
+++ b/docs/sdk-watcher_CN.md
@@ -0,0 +1,32 @@
+# SDK Watcher集成说明
+
+本文档介绍SDK服务与文件监控器之间的增量更新队列，包括接口契约、高频变更下的处理策略以及接入步骤。
+
+## 更新队列契约
+
+- `watcher.AuthUpdate`描述单条凭据变更，`Action`可能为`add`、`modify`或`delete`，`ID`是凭据标识。对于`add`/`modify`会携带完整的`Auth`克隆，`delete`可以省略`Auth`。
+- `WatcherWrapper.SetAuthUpdateQueue(chan<- watcher.AuthUpdate)`用于将服务侧创建的队列注入watcher，必须在watcher启动前完成。
+- 服务通过`ensureAuthUpdateQueue`创建容量为256的缓冲通道，并在`consumeAuthUpdates`中使用专职goroutine消费；消费侧会主动“抽干”积压事件，降低切换开销。
+
+## Watcher行为
+
+- `internal/watcher/watcher.go`维护`currentAuths`快照，文件或配置事件触发后会重建快照并与旧快照对比，生成最小化的`AuthUpdate`列表。
+- 以凭据ID为维度对更新进行合并，同一凭据在短时间内的多次变更只会保留最新状态（例如先写后删只会下发`delete`）。
+- watcher内部运行异步分发循环：生产者只向内存缓冲追加事件并唤醒分发协程，即使通道暂时写满也不会阻塞文件事件线程。watcher停止时会取消分发循环，确保协程正常退出。
+
+## 高频变更处理
+
+- 分发循环与服务消费协程相互独立，因此即便短时间内出现大量变更也不会阻塞watcher事件处理。
+- 背压通过两级缓冲吸收：
+  - 分发缓冲（map + 顺序切片）会合并同一凭据的重复事件，直到消费者完成处理。
+  - 服务端通道的256容量加上消费侧的“抽干”逻辑，可平稳处理多个突发批次。
+- 当通道长时间处于高压状态时，缓冲仍持续合并事件，从而在消费者恢复后一次性应用最新状态，避免重复处理无意义的中间状态。
+
+## 接入步骤
+
+1. 实例化SDK Service（构建器或手工创建）。
+2. 在启动watcher之前调用`ensureAuthUpdateQueue`创建共享通道。
+3. watcher通过工厂函数创建后立刻调用`SetAuthUpdateQueue`注入通道，然后再启动watcher。
+4. Reload回调专注于配置更新；认证增量会通过队列送达，并由`handleAuthUpdate`自动应用。
+
+遵循上述流程即可在避免全量重载的同时保持凭据变更的实时性。
--- a/examples/custom-provider/main.go
+++ b/examples/custom-provider/main.go
@@ -160,11 +160,7 @@ func main() {
 	if dirSetter, ok := tokenStore.(interface{ SetBaseDir(string) }); ok {
 		dirSetter.SetBaseDir(cfg.AuthDir)
 	}
-	store, ok := tokenStore.(coreauth.Store)
-	if !ok {
-		panic("token store does not implement coreauth.Store")
-	}
-	core := coreauth.NewManager(store, nil, nil)
+	core := coreauth.NewManager(tokenStore, nil, nil)
 	core.RegisterExecutor(MyExecutor{})

 	hooks := cliproxy.Hooks{
--- a/sdk/access/providers/configapikey/provider.go
+++ b/sdk/access/providers/configapikey/provider.go
@@ -1,27 +1,33 @@
-package configapikey
+package configaccess

 import (
 	"context"
 	"net/http"
 	"strings"
+	"sync"

-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 )

+var registerOnce sync.Once
+
+// Register ensures the config-access provider is available to the access manager.
+func Register() {
+	registerOnce.Do(func() {
+		sdkaccess.RegisterProvider(sdkconfig.AccessProviderTypeConfigAPIKey, newProvider)
+	})
+}
+
 type provider struct {
 	name string
 	keys map[string]struct{}
 }

-func init() {
-	sdkaccess.RegisterProvider(config.AccessProviderTypeConfigAPIKey, newProvider)
-}
-
-func newProvider(cfg *config.AccessProvider, _ *config.Config) (sdkaccess.Provider, error) {
+func newProvider(cfg *sdkconfig.AccessProvider, _ *sdkconfig.SDKConfig) (sdkaccess.Provider, error) {
 	name := cfg.Name
 	if name == "" {
-		name = config.DefaultAccessProviderName
+		name = sdkconfig.DefaultAccessProviderName
 	}
 	keys := make(map[string]struct{}, len(cfg.APIKeys))
 	for _, key := range cfg.APIKeys {
@@ -35,7 +41,7 @@ func newProvider(cfg *config.AccessProvider, _ *config.Config) (sdkaccess.Provid

 func (p *provider) Identifier() string {
 	if p == nil || p.name == "" {
-		return config.DefaultAccessProviderName
+		return sdkconfig.DefaultAccessProviderName
 	}
 	return p.name
 }
--- a/internal/access/reconcile.go
+++ b/internal/access/reconcile.go
@@ -0,0 +1,269 @@
+package access
+
+import (
+	"fmt"
+	"reflect"
+	"sort"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	sdkConfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
+	log "github.com/sirupsen/logrus"
+)
+
+// ReconcileProviders builds the desired provider list by reusing existing providers when possible
+// and creating or removing providers only when their configuration changed. It returns the final
+// ordered provider slice along with the identifiers of providers that were added, updated, or
+// removed compared to the previous configuration.
+func ReconcileProviders(oldCfg, newCfg *config.Config, existing []sdkaccess.Provider) (result []sdkaccess.Provider, added, updated, removed []string, err error) {
+	if newCfg == nil {
+		return nil, nil, nil, nil, nil
+	}
+
+	existingMap := make(map[string]sdkaccess.Provider, len(existing))
+	for _, provider := range existing {
+		if provider == nil {
+			continue
+		}
+		existingMap[provider.Identifier()] = provider
+	}
+
+	oldCfgMap := accessProviderMap(oldCfg)
+	newEntries := collectProviderEntries(newCfg)
+
+	result = make([]sdkaccess.Provider, 0, len(newEntries))
+	finalIDs := make(map[string]struct{}, len(newEntries))
+
+	isInlineProvider := func(id string) bool {
+		return strings.EqualFold(id, sdkConfig.DefaultAccessProviderName)
+	}
+	appendChange := func(list *[]string, id string) {
+		if isInlineProvider(id) {
+			return
+		}
+		*list = append(*list, id)
+	}
+
+	for _, providerCfg := range newEntries {
+		key := providerIdentifier(providerCfg)
+		if key == "" {
+			continue
+		}
+
+		if oldCfgProvider, ok := oldCfgMap[key]; ok {
+			isAliased := oldCfgProvider == providerCfg
+			if !isAliased && providerConfigEqual(oldCfgProvider, providerCfg) {
+				if existingProvider, okExisting := existingMap[key]; okExisting {
+					result = append(result, existingProvider)
+					finalIDs[key] = struct{}{}
+					continue
+				}
+			}
+		}
+
+		provider, buildErr := sdkaccess.BuildProvider(providerCfg, &newCfg.SDKConfig)
+		if buildErr != nil {
+			return nil, nil, nil, nil, buildErr
+		}
+		if _, ok := oldCfgMap[key]; ok {
+			if _, existed := existingMap[key]; existed {
+				appendChange(&updated, key)
+			} else {
+				appendChange(&added, key)
+			}
+		} else {
+			appendChange(&added, key)
+		}
+		result = append(result, provider)
+		finalIDs[key] = struct{}{}
+	}
+
+	if len(result) == 0 {
+		if inline := sdkConfig.MakeInlineAPIKeyProvider(newCfg.APIKeys); inline != nil {
+			key := providerIdentifier(inline)
+			if key != "" {
+				if oldCfgProvider, ok := oldCfgMap[key]; ok {
+					if providerConfigEqual(oldCfgProvider, inline) {
+						if existingProvider, okExisting := existingMap[key]; okExisting {
+							result = append(result, existingProvider)
+							finalIDs[key] = struct{}{}
+							goto inlineDone
+						}
+					}
+				}
+				provider, buildErr := sdkaccess.BuildProvider(inline, &newCfg.SDKConfig)
+				if buildErr != nil {
+					return nil, nil, nil, nil, buildErr
+				}
+				if _, existed := existingMap[key]; existed {
+					appendChange(&updated, key)
+				} else if _, hadOld := oldCfgMap[key]; hadOld {
+					appendChange(&updated, key)
+				} else {
+					appendChange(&added, key)
+				}
+				result = append(result, provider)
+				finalIDs[key] = struct{}{}
+			}
+		}
+	inlineDone:
+	}
+
+	removedSet := make(map[string]struct{})
+	for id := range existingMap {
+		if _, ok := finalIDs[id]; !ok {
+			if isInlineProvider(id) {
+				continue
+			}
+			removedSet[id] = struct{}{}
+		}
+	}
+
+	removed = make([]string, 0, len(removedSet))
+	for id := range removedSet {
+		removed = append(removed, id)
+	}
+
+	sort.Strings(added)
+	sort.Strings(updated)
+	sort.Strings(removed)
+
+	return result, added, updated, removed, nil
+}
+
+// ApplyAccessProviders reconciles the configured access providers against the
+// currently registered providers and updates the manager. It logs a concise
+// summary of the detected changes and returns whether any provider changed.
+func ApplyAccessProviders(manager *sdkaccess.Manager, oldCfg, newCfg *config.Config) (bool, error) {
+	if manager == nil || newCfg == nil {
+		return false, nil
+	}
+
+	existing := manager.Providers()
+	providers, added, updated, removed, err := ReconcileProviders(oldCfg, newCfg, existing)
+	if err != nil {
+		log.Errorf("failed to reconcile request auth providers: %v", err)
+		return false, fmt.Errorf("reconciling access providers: %w", err)
+	}
+
+	manager.SetProviders(providers)
+
+	if len(added)+len(updated)+len(removed) > 0 {
+		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
+		log.Debugf("auth providers changes details - added=%v updated=%v removed=%v", added, updated, removed)
+		return true, nil
+	}
+
+	log.Debug("auth providers unchanged after config update")
+	return false, nil
+}
+
+func accessProviderMap(cfg *config.Config) map[string]*sdkConfig.AccessProvider {
+	result := make(map[string]*sdkConfig.AccessProvider)
+	if cfg == nil {
+		return result
+	}
+	for i := range cfg.Access.Providers {
+		providerCfg := &cfg.Access.Providers[i]
+		if providerCfg.Type == "" {
+			continue
+		}
+		key := providerIdentifier(providerCfg)
+		if key == "" {
+			continue
+		}
+		result[key] = providerCfg
+	}
+	if len(result) == 0 && len(cfg.APIKeys) > 0 {
+		if provider := sdkConfig.MakeInlineAPIKeyProvider(cfg.APIKeys); provider != nil {
+			if key := providerIdentifier(provider); key != "" {
+				result[key] = provider
+			}
+		}
+	}
+	return result
+}
+
+func collectProviderEntries(cfg *config.Config) []*sdkConfig.AccessProvider {
+	entries := make([]*sdkConfig.AccessProvider, 0, len(cfg.Access.Providers))
+	for i := range cfg.Access.Providers {
+		providerCfg := &cfg.Access.Providers[i]
+		if providerCfg.Type == "" {
+			continue
+		}
+		if key := providerIdentifier(providerCfg); key != "" {
+			entries = append(entries, providerCfg)
+		}
+	}
+	if len(entries) == 0 && len(cfg.APIKeys) > 0 {
+		if inline := sdkConfig.MakeInlineAPIKeyProvider(cfg.APIKeys); inline != nil {
+			entries = append(entries, inline)
+		}
+	}
+	return entries
+}
+
+func providerIdentifier(provider *sdkConfig.AccessProvider) string {
+	if provider == nil {
+		return ""
+	}
+	if name := strings.TrimSpace(provider.Name); name != "" {
+		return name
+	}
+	typ := strings.TrimSpace(provider.Type)
+	if typ == "" {
+		return ""
+	}
+	if strings.EqualFold(typ, sdkConfig.AccessProviderTypeConfigAPIKey) {
+		return sdkConfig.DefaultAccessProviderName
+	}
+	return typ
+}
+
+func providerConfigEqual(a, b *sdkConfig.AccessProvider) bool {
+	if a == nil || b == nil {
+		return a == nil && b == nil
+	}
+	if !strings.EqualFold(strings.TrimSpace(a.Type), strings.TrimSpace(b.Type)) {
+		return false
+	}
+	if strings.TrimSpace(a.SDK) != strings.TrimSpace(b.SDK) {
+		return false
+	}
+	if !stringSetEqual(a.APIKeys, b.APIKeys) {
+		return false
+	}
+	if len(a.Config) != len(b.Config) {
+		return false
+	}
+	if len(a.Config) > 0 && !reflect.DeepEqual(a.Config, b.Config) {
+		return false
+	}
+	return true
+}
+
+func stringSetEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if len(a) == 0 {
+		return true
+	}
+	seen := make(map[string]int, len(a))
+	for _, val := range a {
+		seen[val]++
+	}
+	for _, val := range b {
+		count := seen[val]
+		if count == 0 {
+			return false
+		}
+		if count == 1 {
+			delete(seen, val)
+		} else {
+			seen[val] = count - 1
+		}
+	}
+	return len(seen) == 0
+}
--- a/internal/api/handlers/management/auth_files.go
+++ b/internal/api/handlers/management/auth_files.go
@@ -344,7 +344,7 @@ func (h *Handler) disableAuth(ctx context.Context, id string) {
 	}
 }

-func (h *Handler) saveTokenRecord(ctx context.Context, record *sdkAuth.TokenRecord) (string, error) {
+func (h *Handler) saveTokenRecord(ctx context.Context, record *coreauth.Auth) (string, error) {
 	if record == nil {
 		return "", fmt.Errorf("token record is nil")
 	}
@@ -353,13 +353,18 @@ func (h *Handler) saveTokenRecord(ctx context.Context, record *sdkAuth.TokenReco
 		store = sdkAuth.GetTokenStore()
 		h.tokenStore = store
 	}
-	return store.Save(ctx, h.cfg, record)
+	if h.cfg != nil {
+		if dirSetter, ok := store.(interface{ SetBaseDir(string) }); ok {
+			dirSetter.SetBaseDir(h.cfg.AuthDir)
+		}
+	}
+	return store.Save(ctx, record)
 }

 func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 	ctx := context.Background()

-	log.Info("Initializing Claude authentication...")
+	fmt.Println("Initializing Claude authentication...")

 	// Generate PKCE codes
 	pkceCodes, err := claude.GeneratePKCECodes()
@@ -407,7 +412,7 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 			}
 		}

-		log.Info("Waiting for authentication callback...")
+		fmt.Println("Waiting for authentication callback...")
 		// Wait up to 5 minutes
 		resultMap, errWait := waitForFile(waitFile, 5*time.Minute)
 		if errWait != nil {
@@ -449,7 +454,7 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 		}
 		bodyJSON, _ := json.Marshal(bodyMap)

-		httpClient := util.SetProxy(h.cfg, &http.Client{})
+		httpClient := util.SetProxy(&h.cfg.SDKConfig, &http.Client{})
 		req, _ := http.NewRequestWithContext(ctx, "POST", "https://console.anthropic.com/v1/oauth/token", strings.NewReader(string(bodyJSON)))
 		req.Header.Set("Content-Type", "application/json")
 		req.Header.Set("Accept", "application/json")
@@ -496,11 +501,12 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {

 		// Create token storage
 		tokenStorage := anthropicAuth.CreateTokenStorage(bundle)
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("claude-%s.json", tokenStorage.Email),
 			Provider: "claude",
 			FileName: fmt.Sprintf("claude-%s.json", tokenStorage.Email),
 			Storage:  tokenStorage,
-			Metadata: map[string]string{"email": tokenStorage.Email},
+			Metadata: map[string]any{"email": tokenStorage.Email},
 		}
 		savedPath, errSave := h.saveTokenRecord(ctx, record)
 		if errSave != nil {
@@ -509,11 +515,11 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 			return
 		}

-		log.Infof("Authentication successful! Token saved to %s", savedPath)
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
 		if bundle.APIKey != "" {
-			log.Info("API key obtained and saved")
+			fmt.Println("API key obtained and saved")
 		}
-		log.Info("You can now use Claude services through this CLI")
+		fmt.Println("You can now use Claude services through this CLI")
 		delete(oauthStatus, state)
 	}()

@@ -527,7 +533,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 	// Optional project ID from query
 	projectID := c.Query("project_id")

-	log.Info("Initializing Google authentication...")
+	fmt.Println("Initializing Google authentication...")

 	// OAuth2 configuration (mirrors internal/auth/gemini)
 	conf := &oauth2.Config{
@@ -549,7 +555,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 	go func() {
 		// Wait for callback file written by server route
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-gemini-%s.oauth", state))
-		log.Info("Waiting for authentication callback...")
+		fmt.Println("Waiting for authentication callback...")
 		deadline := time.Now().Add(5 * time.Minute)
 		var authCode string
 		for {
@@ -618,9 +624,9 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {

 		email := gjson.GetBytes(bodyBytes, "email").String()
 		if email != "" {
-			log.Infof("Authenticated user email: %s", email)
+			fmt.Printf("Authenticated user email: %s\n", email)
 		} else {
-			log.Info("Failed to get user email from token")
+			fmt.Println("Failed to get user email from token")
 			oauthStatus[state] = "Failed to get user email from token"
 		}

@@ -657,13 +663,14 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 			oauthStatus[state] = "Failed to get authenticated client"
 			return
 		}
-		log.Info("Authentication successful.")
+		fmt.Println("Authentication successful.")

-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("gemini-%s.json", ts.Email),
 			Provider: "gemini",
 			FileName: fmt.Sprintf("gemini-%s.json", ts.Email),
 			Storage:  &ts,
-			Metadata: map[string]string{
+			Metadata: map[string]any{
 				"email":      ts.Email,
 				"project_id": ts.ProjectID,
 			},
@@ -676,7 +683,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 		}

 		delete(oauthStatus, state)
-		log.Infof("You can now use Gemini CLI services through this CLI; token saved to %s", savedPath)
+		fmt.Printf("You can now use Gemini CLI services through this CLI; token saved to %s\n", savedPath)
 	}()

 	oauthStatus[state] = ""
@@ -689,6 +696,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	var payload struct {
 		Secure1PSID   string `json:"secure_1psid"`
 		Secure1PSIDTS string `json:"secure_1psidts"`
+		Label         string `json:"label"`
 	}
 	if err := c.ShouldBindJSON(&payload); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid body"})
@@ -696,6 +704,7 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	}
 	payload.Secure1PSID = strings.TrimSpace(payload.Secure1PSID)
 	payload.Secure1PSIDTS = strings.TrimSpace(payload.Secure1PSIDTS)
+	payload.Label = strings.TrimSpace(payload.Label)
 	if payload.Secure1PSID == "" {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "secure_1psid is required"})
 		return
@@ -704,6 +713,10 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "secure_1psidts is required"})
 		return
 	}
+	if payload.Label == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "label is required"})
+		return
+	}

 	sha := sha256.New()
 	sha.Write([]byte(payload.Secure1PSID))
@@ -713,9 +726,13 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	tokenStorage := &geminiAuth.GeminiWebTokenStorage{
 		Secure1PSID:   payload.Secure1PSID,
 		Secure1PSIDTS: payload.Secure1PSIDTS,
+		Label:         payload.Label,
 	}
+	// Provide a stable label (gemini-web-<hash>) for logging and identification
+	tokenStorage.Label = strings.TrimSuffix(fileName, ".json")

-	record := &sdkAuth.TokenRecord{
+	record := &coreauth.Auth{
+		ID:       fileName,
 		Provider: "gemini-web",
 		FileName: fileName,
 		Storage:  tokenStorage,
@@ -728,14 +745,14 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 		return
 	}

-	log.Infof("Successfully saved Gemini Web token to: %s", savedPath)
+	fmt.Printf("Successfully saved Gemini Web token to: %s\n", savedPath)
 	c.JSON(http.StatusOK, gin.H{"status": "ok", "file": filepath.Base(savedPath)})
 }

 func (h *Handler) RequestCodexToken(c *gin.Context) {
 	ctx := context.Background()

-	log.Info("Initializing Codex authentication...")
+	fmt.Println("Initializing Codex authentication...")

 	// Generate PKCE codes
 	pkceCodes, err := codex.GeneratePKCECodes()
@@ -809,7 +826,7 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 			"redirect_uri":  {"http://localhost:1455/auth/callback"},
 			"code_verifier": {pkceCodes.CodeVerifier},
 		}
-		httpClient := util.SetProxy(h.cfg, &http.Client{})
+		httpClient := util.SetProxy(&h.cfg.SDKConfig, &http.Client{})
 		req, _ := http.NewRequestWithContext(ctx, "POST", "https://auth.openai.com/oauth/token", strings.NewReader(form.Encode()))
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 		req.Header.Set("Accept", "application/json")
@@ -860,11 +877,12 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {

 		// Create token storage and persist
 		tokenStorage := openaiAuth.CreateTokenStorage(bundle)
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("codex-%s.json", tokenStorage.Email),
 			Provider: "codex",
 			FileName: fmt.Sprintf("codex-%s.json", tokenStorage.Email),
 			Storage:  tokenStorage,
-			Metadata: map[string]string{
+			Metadata: map[string]any{
 				"email":      tokenStorage.Email,
 				"account_id": tokenStorage.AccountID,
 			},
@@ -875,11 +893,11 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 			log.Fatalf("Failed to save authentication tokens: %v", errSave)
 			return
 		}
-		log.Infof("Authentication successful! Token saved to %s", savedPath)
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
 		if bundle.APIKey != "" {
-			log.Info("API key obtained and saved")
+			fmt.Println("API key obtained and saved")
 		}
-		log.Info("You can now use Codex services through this CLI")
+		fmt.Println("You can now use Codex services through this CLI")
 		delete(oauthStatus, state)
 	}()

@@ -890,7 +908,7 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 func (h *Handler) RequestQwenToken(c *gin.Context) {
 	ctx := context.Background()

-	log.Info("Initializing Qwen authentication...")
+	fmt.Println("Initializing Qwen authentication...")

 	state := fmt.Sprintf("gem-%d", time.Now().UnixNano())
 	// Initialize Qwen auth service
@@ -905,7 +923,7 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 	authURL := deviceFlow.VerificationURIComplete

 	go func() {
-		log.Info("Waiting for authentication...")
+		fmt.Println("Waiting for authentication...")
 		tokenData, errPollForToken := qwenAuth.PollForToken(deviceFlow.DeviceCode, deviceFlow.CodeVerifier)
 		if errPollForToken != nil {
 			oauthStatus[state] = "Authentication failed"
@@ -917,11 +935,12 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 		tokenStorage := qwenAuth.CreateTokenStorage(tokenData)

 		tokenStorage.Email = fmt.Sprintf("qwen-%d", time.Now().UnixMilli())
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("qwen-%s.json", tokenStorage.Email),
 			Provider: "qwen",
 			FileName: fmt.Sprintf("qwen-%s.json", tokenStorage.Email),
 			Storage:  tokenStorage,
-			Metadata: map[string]string{"email": tokenStorage.Email},
+			Metadata: map[string]any{"email": tokenStorage.Email},
 		}
 		savedPath, errSave := h.saveTokenRecord(ctx, record)
 		if errSave != nil {
@@ -930,8 +949,8 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 			return
 		}

-		log.Infof("Authentication successful! Token saved to %s", savedPath)
-		log.Info("You can now use Qwen services through this CLI")
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+		fmt.Println("You can now use Qwen services through this CLI")
 		delete(oauthStatus, state)
 	}()

--- a/internal/api/handlers/management/config_basic.go
+++ b/internal/api/handlers/management/config_basic.go
@@ -12,6 +12,22 @@ func (h *Handler) GetConfig(c *gin.Context) {
 func (h *Handler) GetDebug(c *gin.Context) { c.JSON(200, gin.H{"debug": h.cfg.Debug}) }
 func (h *Handler) PutDebug(c *gin.Context) { h.updateBoolField(c, func(v bool) { h.cfg.Debug = v }) }

+// UsageStatisticsEnabled
+func (h *Handler) GetUsageStatisticsEnabled(c *gin.Context) {
+	c.JSON(200, gin.H{"usage-statistics-enabled": h.cfg.UsageStatisticsEnabled})
+}
+func (h *Handler) PutUsageStatisticsEnabled(c *gin.Context) {
+	h.updateBoolField(c, func(v bool) { h.cfg.UsageStatisticsEnabled = v })
+}
+
+// UsageStatisticsEnabled
+func (h *Handler) GetLoggingToFile(c *gin.Context) {
+	c.JSON(200, gin.H{"logging-to-file": h.cfg.LoggingToFile})
+}
+func (h *Handler) PutLoggingToFile(c *gin.Context) {
+	h.updateBoolField(c, func(v bool) { h.cfg.LoggingToFile = v })
+}
+
 // Request log
 func (h *Handler) GetRequestLog(c *gin.Context) { c.JSON(200, gin.H{"request-log": h.cfg.RequestLog}) }
 func (h *Handler) PutRequestLog(c *gin.Context) {
--- a/internal/api/handlers/management/config_lists.go
+++ b/internal/api/handlers/management/config_lists.go
@@ -3,6 +3,7 @@ package management
 import (
 	"encoding/json"
 	"fmt"
+	"strings"

 	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
@@ -106,13 +107,16 @@ func (h *Handler) deleteFromStringList(c *gin.Context, target *[]string, after f
 // api-keys
 func (h *Handler) GetAPIKeys(c *gin.Context) { c.JSON(200, gin.H{"api-keys": h.cfg.APIKeys}) }
 func (h *Handler) PutAPIKeys(c *gin.Context) {
-	h.putStringList(c, func(v []string) { config.SyncInlineAPIKeys(h.cfg, v) }, nil)
+	h.putStringList(c, func(v []string) {
+		h.cfg.APIKeys = append([]string(nil), v...)
+		h.cfg.Access.Providers = nil
+	}, nil)
 }
 func (h *Handler) PatchAPIKeys(c *gin.Context) {
-	h.patchStringList(c, &h.cfg.APIKeys, func() { config.SyncInlineAPIKeys(h.cfg, h.cfg.APIKeys) })
+	h.patchStringList(c, &h.cfg.APIKeys, func() { h.cfg.Access.Providers = nil })
 }
 func (h *Handler) DeleteAPIKeys(c *gin.Context) {
-	h.deleteFromStringList(c, &h.cfg.APIKeys, func() { config.SyncInlineAPIKeys(h.cfg, h.cfg.APIKeys) })
+	h.deleteFromStringList(c, &h.cfg.APIKeys, func() { h.cfg.Access.Providers = nil })
 }

 // generative-language-api-key
@@ -201,7 +205,7 @@ func (h *Handler) DeleteClaudeKey(c *gin.Context) {

 // openai-compatibility: []OpenAICompatibility
 func (h *Handler) GetOpenAICompat(c *gin.Context) {
-	c.JSON(200, gin.H{"openai-compatibility": h.cfg.OpenAICompatibility})
+	c.JSON(200, gin.H{"openai-compatibility": normalizedOpenAICompatibilityEntries(h.cfg.OpenAICompatibility)})
 }
 func (h *Handler) PutOpenAICompat(c *gin.Context) {
 	data, err := c.GetRawData()
@@ -220,6 +224,9 @@ func (h *Handler) PutOpenAICompat(c *gin.Context) {
 		}
 		arr = obj.Items
 	}
+	for i := range arr {
+		normalizeOpenAICompatibilityEntry(&arr[i])
+	}
 	h.cfg.OpenAICompatibility = arr
 	h.persist(c)
 }
@@ -233,6 +240,7 @@ func (h *Handler) PatchOpenAICompat(c *gin.Context) {
 		c.JSON(400, gin.H{"error": "invalid body"})
 		return
 	}
+	normalizeOpenAICompatibilityEntry(body.Value)
 	if body.Index != nil && *body.Index >= 0 && *body.Index < len(h.cfg.OpenAICompatibility) {
 		h.cfg.OpenAICompatibility[*body.Index] = *body.Value
 		h.persist(c)
@@ -346,3 +354,51 @@ func (h *Handler) DeleteCodexKey(c *gin.Context) {
 	}
 	c.JSON(400, gin.H{"error": "missing api-key or index"})
 }
+
+func normalizeOpenAICompatibilityEntry(entry *config.OpenAICompatibility) {
+	if entry == nil {
+		return
+	}
+	existing := make(map[string]struct{}, len(entry.APIKeyEntries))
+	for i := range entry.APIKeyEntries {
+		trimmed := strings.TrimSpace(entry.APIKeyEntries[i].APIKey)
+		entry.APIKeyEntries[i].APIKey = trimmed
+		if trimmed != "" {
+			existing[trimmed] = struct{}{}
+		}
+	}
+	if len(entry.APIKeys) == 0 {
+		return
+	}
+	for _, legacyKey := range entry.APIKeys {
+		trimmed := strings.TrimSpace(legacyKey)
+		if trimmed == "" {
+			continue
+		}
+		if _, ok := existing[trimmed]; ok {
+			continue
+		}
+		entry.APIKeyEntries = append(entry.APIKeyEntries, config.OpenAICompatibilityAPIKey{APIKey: trimmed})
+		existing[trimmed] = struct{}{}
+	}
+	entry.APIKeys = nil
+}
+
+func normalizedOpenAICompatibilityEntries(entries []config.OpenAICompatibility) []config.OpenAICompatibility {
+	if len(entries) == 0 {
+		return nil
+	}
+	out := make([]config.OpenAICompatibility, len(entries))
+	for i := range entries {
+		copyEntry := entries[i]
+		if len(copyEntry.APIKeyEntries) > 0 {
+			copyEntry.APIKeyEntries = append([]config.OpenAICompatibilityAPIKey(nil), copyEntry.APIKeyEntries...)
+		}
+		if len(copyEntry.APIKeys) > 0 {
+			copyEntry.APIKeys = append([]string(nil), copyEntry.APIKeys...)
+		}
+		normalizeOpenAICompatibilityEntry(&copyEntry)
+		out[i] = copyEntry
+	}
+	return out
+}
--- a/internal/api/handlers/management/handler.go
+++ b/internal/api/handlers/management/handler.go
@@ -3,6 +3,7 @@
 package management

 import (
+	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"strings"
@@ -32,7 +33,9 @@ type Handler struct {
 	failedAttempts map[string]*attemptInfo // keyed by client IP
 	authManager    *coreauth.Manager
 	usageStats     *usage.RequestStatistics
-	tokenStore     sdkAuth.TokenStore
+	tokenStore     coreauth.Store
+
+	localPassword string
 }

 // NewHandler creates a new management handler instance.
@@ -56,6 +59,9 @@ func (h *Handler) SetAuthManager(manager *coreauth.Manager) { h.authManager = ma
 // SetUsageStatistics allows replacing the usage statistics reference.
 func (h *Handler) SetUsageStatistics(stats *usage.RequestStatistics) { h.usageStats = stats }

+// SetLocalPassword configures the runtime-local password accepted for localhost requests.
+func (h *Handler) SetLocalPassword(password string) { h.localPassword = password }
+
 // Middleware enforces access control for management endpoints.
 // All requests (local and remote) require a valid management key.
 // Additionally, remote access requires allow-remote-management=true.
@@ -65,10 +71,10 @@ func (h *Handler) Middleware() gin.HandlerFunc {

 	return func(c *gin.Context) {
 		clientIP := c.ClientIP()
+		localClient := clientIP == "127.0.0.1" || clientIP == "::1"

-		// For remote IPs, enforce allow-remote-management and ban checks
-		if !(clientIP == "127.0.0.1" || clientIP == "::1") {
-			// Check if IP is currently blocked
+		fail := func() {}
+		if !localClient {
 			h.attemptsMu.Lock()
 			ai := h.failedAttempts[clientIP]
 			if ai != nil {
@@ -86,11 +92,25 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 			}
 			h.attemptsMu.Unlock()

-			allowRemote := h.cfg.RemoteManagement.AllowRemote
-			if !allowRemote {
+			if !h.cfg.RemoteManagement.AllowRemote {
 				c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "remote management disabled"})
 				return
 			}
+
+			fail = func() {
+				h.attemptsMu.Lock()
+				aip := h.failedAttempts[clientIP]
+				if aip == nil {
+					aip = &attemptInfo{}
+					h.failedAttempts[clientIP] = aip
+				}
+				aip.count++
+				if aip.count >= maxFailures {
+					aip.blockedUntil = time.Now().Add(banDuration)
+					aip.count = 0
+				}
+				h.attemptsMu.Unlock()
+			}
 		}
 		secret := h.cfg.RemoteManagement.SecretKey
 		if secret == "" {
@@ -112,36 +132,32 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 			provided = c.GetHeader("X-Management-Key")
 		}

-		if !(clientIP == "127.0.0.1" || clientIP == "::1") {
-			// For remote IPs, enforce key and track failures
-			fail := func() {
-				h.attemptsMu.Lock()
-				ai := h.failedAttempts[clientIP]
-				if ai == nil {
-					ai = &attemptInfo{}
-					h.failedAttempts[clientIP] = ai
-				}
-				ai.count++
-				if ai.count >= maxFailures {
-					ai.blockedUntil = time.Now().Add(banDuration)
-					ai.count = 0
-				}
-				h.attemptsMu.Unlock()
-			}
-
-			if provided == "" {
+		if provided == "" {
+			if !localClient {
 				fail()
-				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
-				return
 			}
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
+			return
+		}

-			if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
+		if localClient {
+			if lp := h.localPassword; lp != "" {
+				if subtle.ConstantTimeCompare([]byte(provided), []byte(lp)) == 1 {
+					c.Next()
+					return
+				}
+			}
+		}
+
+		if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
+			if !localClient {
 				fail()
-				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
-				return
 			}
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
+			return
+		}

-			// Success: reset failed count for this IP
+		if !localClient {
 			h.attemptsMu.Lock()
 			if ai := h.failedAttempts[clientIP]; ai != nil {
 				ai.count = 0
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -6,24 +6,28 @@ package api

 import (
 	"context"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
+	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/claude"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/gemini"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/access"
 	managementHandlers "github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/management"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/openai"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/middleware"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/claude"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/gemini"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/openai"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )
@@ -33,6 +37,10 @@ type serverOptionConfig struct {
 	engineConfigurator   func(*gin.Engine)
 	routerConfigurator   func(*gin.Engine, *handlers.BaseAPIHandler, *config.Config)
 	requestLoggerFactory func(*config.Config, string) logging.RequestLogger
+	localPassword        string
+	keepAliveEnabled     bool
+	keepAliveTimeout     time.Duration
+	keepAliveOnTimeout   func()
 }

 // ServerOption customises HTTP server construction.
@@ -63,6 +71,25 @@ func WithRouterConfigurator(fn func(*gin.Engine, *handlers.BaseAPIHandler, *conf
 	}
 }

+// WithLocalManagementPassword stores a runtime-only management password accepted for localhost requests.
+func WithLocalManagementPassword(password string) ServerOption {
+	return func(cfg *serverOptionConfig) {
+		cfg.localPassword = password
+	}
+}
+
+// WithKeepAliveEndpoint enables a keep-alive endpoint with the provided timeout and callback.
+func WithKeepAliveEndpoint(timeout time.Duration, onTimeout func()) ServerOption {
+	return func(cfg *serverOptionConfig) {
+		if timeout <= 0 || onTimeout == nil {
+			return
+		}
+		cfg.keepAliveEnabled = true
+		cfg.keepAliveTimeout = timeout
+		cfg.keepAliveOnTimeout = onTimeout
+	}
+}
+
 // WithRequestLoggerFactory customises request logger creation.
 func WithRequestLoggerFactory(factory func(*config.Config, string) logging.RequestLogger) ServerOption {
 	return func(cfg *serverOptionConfig) {
@@ -97,6 +124,14 @@ type Server struct {

 	// management handler
 	mgmt *managementHandlers.Handler
+
+	localPassword string
+
+	keepAliveEnabled   bool
+	keepAliveTimeout   time.Duration
+	keepAliveOnTimeout func()
+	keepAliveHeartbeat chan struct{}
+	keepAliveStop      chan struct{}
 }

 // NewServer creates and initializes a new API server instance.
@@ -153,16 +188,20 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 	// Create server instance
 	s := &Server{
 		engine:         engine,
-		handlers:       handlers.NewBaseAPIHandlers(cfg, authManager),
+		handlers:       handlers.NewBaseAPIHandlers(&cfg.SDKConfig, authManager),
 		cfg:            cfg,
 		accessManager:  accessManager,
 		requestLogger:  requestLogger,
 		loggerToggle:   toggle,
 		configFilePath: configFilePath,
 	}
-	s.applyAccessConfig(cfg)
+	s.applyAccessConfig(nil, cfg)
 	// Initialize management handler
 	s.mgmt = managementHandlers.NewHandler(cfg, configFilePath, authManager)
+	if optionState.localPassword != "" {
+		s.mgmt.SetLocalPassword(optionState.localPassword)
+	}
+	s.localPassword = optionState.localPassword

 	// Setup routes
 	s.setupRoutes()
@@ -170,6 +209,10 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		optionState.routerConfigurator(engine, s.handlers, cfg)
 	}

+	if optionState.keepAliveEnabled {
+		s.enableKeepAlive(optionState.keepAliveTimeout, optionState.keepAliveOnTimeout)
+	}
+
 	// Create HTTP server
 	s.server = &http.Server{
 		Addr:    fmt.Sprintf(":%d", cfg.Port),
@@ -276,6 +319,14 @@ func (s *Server) setupRoutes() {
 			mgmt.PUT("/debug", s.mgmt.PutDebug)
 			mgmt.PATCH("/debug", s.mgmt.PutDebug)

+			mgmt.GET("/logging-to-file", s.mgmt.GetLoggingToFile)
+			mgmt.PUT("/logging-to-file", s.mgmt.PutLoggingToFile)
+			mgmt.PATCH("/logging-to-file", s.mgmt.PutLoggingToFile)
+
+			mgmt.GET("/usage-statistics-enabled", s.mgmt.GetUsageStatisticsEnabled)
+			mgmt.PUT("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+			mgmt.PATCH("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+
 			mgmt.GET("/proxy-url", s.mgmt.GetProxyURL)
 			mgmt.PUT("/proxy-url", s.mgmt.PutProxyURL)
 			mgmt.PATCH("/proxy-url", s.mgmt.PutProxyURL)
@@ -337,6 +388,84 @@ func (s *Server) setupRoutes() {
 	}
 }

+func (s *Server) enableKeepAlive(timeout time.Duration, onTimeout func()) {
+	if timeout <= 0 || onTimeout == nil {
+		return
+	}
+
+	s.keepAliveEnabled = true
+	s.keepAliveTimeout = timeout
+	s.keepAliveOnTimeout = onTimeout
+	s.keepAliveHeartbeat = make(chan struct{}, 1)
+	s.keepAliveStop = make(chan struct{}, 1)
+
+	s.engine.GET("/keep-alive", s.handleKeepAlive)
+
+	go s.watchKeepAlive()
+}
+
+func (s *Server) handleKeepAlive(c *gin.Context) {
+	if s.localPassword != "" {
+		provided := strings.TrimSpace(c.GetHeader("Authorization"))
+		if provided != "" {
+			parts := strings.SplitN(provided, " ", 2)
+			if len(parts) == 2 && strings.EqualFold(parts[0], "bearer") {
+				provided = parts[1]
+			}
+		}
+		if provided == "" {
+			provided = strings.TrimSpace(c.GetHeader("X-Local-Password"))
+		}
+		if subtle.ConstantTimeCompare([]byte(provided), []byte(s.localPassword)) != 1 {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid password"})
+			return
+		}
+	}
+
+	s.signalKeepAlive()
+	c.JSON(http.StatusOK, gin.H{"status": "ok"})
+}
+
+func (s *Server) signalKeepAlive() {
+	if !s.keepAliveEnabled {
+		return
+	}
+	select {
+	case s.keepAliveHeartbeat <- struct{}{}:
+	default:
+	}
+}
+
+func (s *Server) watchKeepAlive() {
+	if !s.keepAliveEnabled {
+		return
+	}
+
+	timer := time.NewTimer(s.keepAliveTimeout)
+	defer timer.Stop()
+
+	for {
+		select {
+		case <-timer.C:
+			log.Warnf("keep-alive endpoint idle for %s, shutting down", s.keepAliveTimeout)
+			if s.keepAliveOnTimeout != nil {
+				s.keepAliveOnTimeout()
+			}
+			return
+		case <-s.keepAliveHeartbeat:
+			if !timer.Stop() {
+				select {
+				case <-timer.C:
+				default:
+				}
+			}
+			timer.Reset(s.keepAliveTimeout)
+		case <-s.keepAliveStop:
+			return
+		}
+	}
+}
+
 // unifiedModelsHandler creates a unified handler for the /v1/models endpoint
 // that routes to different handlers based on the User-Agent header.
 // If User-Agent starts with "claude-cli", it routes to Claude handler,
@@ -383,6 +512,13 @@ func (s *Server) Start() error {
 func (s *Server) Stop(ctx context.Context) error {
 	log.Debug("Stopping API server...")

+	if s.keepAliveEnabled {
+		select {
+		case s.keepAliveStop <- struct{}{}:
+		default:
+		}
+	}
+
 	// Shutdown the HTTP server.
 	if err := s.server.Shutdown(ctx); err != nil {
 		return fmt.Errorf("failed to shutdown HTTP server: %v", err)
@@ -412,16 +548,13 @@ func corsMiddleware() gin.HandlerFunc {
 	}
 }

-func (s *Server) applyAccessConfig(cfg *config.Config) {
-	if s == nil || s.accessManager == nil {
+func (s *Server) applyAccessConfig(oldCfg, newCfg *config.Config) {
+	if s == nil || s.accessManager == nil || newCfg == nil {
 		return
 	}
-	providers, err := sdkaccess.BuildProviders(cfg)
-	if err != nil {
-		log.Errorf("failed to update request auth providers: %v", err)
+	if _, err := access.ApplyAccessProviders(s.accessManager, oldCfg, newCfg); err != nil {
 		return
 	}
-	s.accessManager.SetProviders(providers)
 }

 // UpdateClients updates the server's client list and configuration.
@@ -431,29 +564,60 @@ func (s *Server) applyAccessConfig(cfg *config.Config) {
 //   - clients: The new slice of AI service clients
 //   - cfg: The new application configuration
 func (s *Server) UpdateClients(cfg *config.Config) {
+	oldCfg := s.cfg
+
 	// Update request logger enabled state if it has changed
-	if s.requestLogger != nil && s.cfg.RequestLog != cfg.RequestLog {
+	previousRequestLog := false
+	if oldCfg != nil {
+		previousRequestLog = oldCfg.RequestLog
+	}
+	if s.requestLogger != nil && (oldCfg == nil || previousRequestLog != cfg.RequestLog) {
 		if s.loggerToggle != nil {
 			s.loggerToggle(cfg.RequestLog)
 		} else if toggler, ok := s.requestLogger.(interface{ SetEnabled(bool) }); ok {
 			toggler.SetEnabled(cfg.RequestLog)
 		}
-		log.Debugf("request logging updated from %t to %t", s.cfg.RequestLog, cfg.RequestLog)
+		if oldCfg != nil {
+			log.Debugf("request logging updated from %t to %t", previousRequestLog, cfg.RequestLog)
+		} else {
+			log.Debugf("request logging toggled to %t", cfg.RequestLog)
+		}
+	}
+
+	if oldCfg != nil && oldCfg.LoggingToFile != cfg.LoggingToFile {
+		if err := logging.ConfigureLogOutput(cfg.LoggingToFile); err != nil {
+			log.Errorf("failed to reconfigure log output: %v", err)
+		} else {
+			log.Debugf("logging_to_file updated from %t to %t", oldCfg.LoggingToFile, cfg.LoggingToFile)
+		}
+	}
+
+	if oldCfg == nil || oldCfg.UsageStatisticsEnabled != cfg.UsageStatisticsEnabled {
+		usage.SetStatisticsEnabled(cfg.UsageStatisticsEnabled)
+		if oldCfg != nil {
+			log.Debugf("usage_statistics_enabled updated from %t to %t", oldCfg.UsageStatisticsEnabled, cfg.UsageStatisticsEnabled)
+		} else {
+			log.Debugf("usage_statistics_enabled toggled to %t", cfg.UsageStatisticsEnabled)
+		}
 	}

 	// Update log level dynamically when debug flag changes
-	if s.cfg.Debug != cfg.Debug {
+	if oldCfg == nil || oldCfg.Debug != cfg.Debug {
 		util.SetLogLevel(cfg)
-		log.Debugf("debug mode updated from %t to %t", s.cfg.Debug, cfg.Debug)
+		if oldCfg != nil {
+			log.Debugf("debug mode updated from %t to %t", oldCfg.Debug, cfg.Debug)
+		} else {
+			log.Debugf("debug mode toggled to %t", cfg.Debug)
+		}
 	}

+	s.applyAccessConfig(oldCfg, cfg)
 	s.cfg = cfg
-	s.handlers.UpdateClients(cfg)
+	s.handlers.UpdateClients(&cfg.SDKConfig)
 	if s.mgmt != nil {
 		s.mgmt.SetConfig(cfg)
 		s.mgmt.SetAuthManager(s.handlers.AuthManager)
 	}
-	s.applyAccessConfig(cfg)

 	// Count client sources from configuration and auth directory
 	authFiles := util.CountAuthFiles(cfg.AuthDir)
@@ -462,11 +626,16 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 	codexAPIKeyCount := len(cfg.CodexKey)
 	openAICompatCount := 0
 	for i := range cfg.OpenAICompatibility {
-		openAICompatCount += len(cfg.OpenAICompatibility[i].APIKeys)
+		entry := cfg.OpenAICompatibility[i]
+		if len(entry.APIKeyEntries) > 0 {
+			openAICompatCount += len(entry.APIKeyEntries)
+			continue
+		}
+		openAICompatCount += len(entry.APIKeys)
 	}

 	total := authFiles + glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
-	log.Infof("server clients and configuration updated: %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
+	fmt.Printf("server clients and configuration updated: %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)\n",
 		total,
 		authFiles,
 		glAPIKeyCount,
--- a/internal/auth/claude/anthropic_auth.go
+++ b/internal/auth/claude/anthropic_auth.go
@@ -59,7 +59,7 @@ type ClaudeAuth struct {
 //   - *ClaudeAuth: A new Claude authentication service instance
 func NewClaudeAuth(cfg *config.Config) *ClaudeAuth {
 	return &ClaudeAuth{
-		httpClient: util.SetProxy(cfg, &http.Client{}),
+		httpClient: util.SetProxy(&cfg.SDKConfig, &http.Client{}),
 	}
 }

--- a/internal/auth/codex/openai_auth.go
+++ b/internal/auth/codex/openai_auth.go
@@ -37,7 +37,7 @@ type CodexAuth struct {
 // It initializes an HTTP client with proxy settings from the provided configuration.
 func NewCodexAuth(cfg *config.Config) *CodexAuth {
 	return &CodexAuth{
-		httpClient: util.SetProxy(cfg, &http.Client{}),
+		httpClient: util.SetProxy(&cfg.SDKConfig, &http.Client{}),
 	}
 }

--- a/internal/auth/gemini/gemini-web_token.go
+++ b/internal/auth/gemini/gemini-web_token.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"

 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
@@ -20,12 +21,25 @@ type GeminiWebTokenStorage struct {
 	Secure1PSIDTS string `json:"secure_1psidts"`
 	Type          string `json:"type"`
 	LastRefresh   string `json:"last_refresh,omitempty"`
+	// Label is a stable account identifier used for logging, e.g. "gemini-web-<hash>".
+	// It is derived from the auth file name when not explicitly set.
+	Label string `json:"label,omitempty"`
 }

 // SaveTokenToFile serializes the Gemini Web token storage to a JSON file.
 func (ts *GeminiWebTokenStorage) SaveTokenToFile(authFilePath string) error {
 	misc.LogSavingCredentials(authFilePath)
 	ts.Type = "gemini-web"
+	// Auto-derive a stable label from the file name if missing.
+	if ts.Label == "" {
+		base := filepath.Base(authFilePath)
+		if strings.HasSuffix(strings.ToLower(base), ".json") {
+			base = strings.TrimSuffix(base, filepath.Ext(base))
+		}
+		if base != "" {
+			ts.Label = base
+		}
+	}
 	if ts.LastRefresh == "" {
 		ts.LastRefresh = time.Now().Format(time.RFC3339)
 	}
--- a/internal/auth/gemini/gemini_auth.go
+++ b/internal/auth/gemini/gemini_auth.go
@@ -107,7 +107,7 @@ func (g *GeminiAuth) GetAuthenticatedClient(ctx context.Context, ts *GeminiToken

 	// If no token is found in storage, initiate the web-based OAuth flow.
 	if ts.Token == nil {
-		log.Info("Could not load token from file, starting OAuth flow.")
+		fmt.Printf("Could not load token from file, starting OAuth flow.\n")
 		token, err = g.getTokenFromWeb(ctx, conf, noBrowser...)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get token from web: %w", err)
@@ -169,9 +169,9 @@ func (g *GeminiAuth) createTokenStorage(ctx context.Context, config *oauth2.Conf

 	emailResult := gjson.GetBytes(bodyBytes, "email")
 	if emailResult.Exists() && emailResult.Type == gjson.String {
-		log.Infof("Authenticated user email: %s", emailResult.String())
+		fmt.Printf("Authenticated user email: %s\n", emailResult.String())
 	} else {
-		log.Info("Failed to get user email from token")
+		fmt.Println("Failed to get user email from token")
 	}

 	var ifToken map[string]any
@@ -246,19 +246,19 @@ func (g *GeminiAuth) getTokenFromWeb(ctx context.Context, config *oauth2.Config,
 	authURL := config.AuthCodeURL("state-token", oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))

 	if len(noBrowser) == 1 && !noBrowser[0] {
-		log.Info("Opening browser for authentication...")
+		fmt.Println("Opening browser for authentication...")

 		// Check if browser is available
 		if !browser.IsAvailable() {
 			log.Warn("No browser available on this system")
 			util.PrintSSHTunnelInstructions(8085)
-			log.Infof("Please manually open this URL in your browser:\n\n%s\n", authURL)
+			fmt.Printf("Please manually open this URL in your browser:\n\n%s\n", authURL)
 		} else {
 			if err := browser.OpenURL(authURL); err != nil {
 				authErr := codex.NewAuthenticationError(codex.ErrBrowserOpenFailed, err)
 				log.Warn(codex.GetUserFriendlyMessage(authErr))
 				util.PrintSSHTunnelInstructions(8085)
-				log.Infof("Please manually open this URL in your browser:\n\n%s\n", authURL)
+				fmt.Printf("Please manually open this URL in your browser:\n\n%s\n", authURL)

 				// Log platform info for debugging
 				platformInfo := browser.GetPlatformInfo()
@@ -269,10 +269,10 @@ func (g *GeminiAuth) getTokenFromWeb(ctx context.Context, config *oauth2.Config,
 		}
 	} else {
 		util.PrintSSHTunnelInstructions(8085)
-		log.Infof("Please open this URL in your browser:\n\n%s\n", authURL)
+		fmt.Printf("Please open this URL in your browser:\n\n%s\n", authURL)
 	}

-	log.Info("Waiting for authentication callback...")
+	fmt.Println("Waiting for authentication callback...")

 	// Wait for the authorization code or an error.
 	var authCode string
@@ -296,6 +296,6 @@ func (g *GeminiAuth) getTokenFromWeb(ctx context.Context, config *oauth2.Config,
 		return nil, fmt.Errorf("failed to exchange token: %w", err)
 	}

-	log.Info("Authentication successful.")
+	fmt.Println("Authentication successful.")
 	return token, nil
 }
--- a/internal/auth/qwen/qwen_auth.go
+++ b/internal/auth/qwen/qwen_auth.go
@@ -85,7 +85,7 @@ type QwenAuth struct {
 // NewQwenAuth creates a new QwenAuth instance with a proxy-configured HTTP client.
 func NewQwenAuth(cfg *config.Config) *QwenAuth {
 	return &QwenAuth{
-		httpClient: util.SetProxy(cfg, &http.Client{}),
+		httpClient: util.SetProxy(&cfg.SDKConfig, &http.Client{}),
 	}
 }

@@ -260,7 +260,7 @@ func (qa *QwenAuth) PollForToken(deviceCode, codeVerifier string) (*QwenTokenDat
 					switch errorType {
 					case "authorization_pending":
 						// User has not yet approved the authorization request. Continue polling.
-						log.Infof("Polling attempt %d/%d...\n", attempt+1, maxAttempts)
+						fmt.Printf("Polling attempt %d/%d...\n\n", attempt+1, maxAttempts)
 						time.Sleep(pollInterval)
 						continue
 					case "slow_down":
@@ -269,7 +269,7 @@ func (qa *QwenAuth) PollForToken(deviceCode, codeVerifier string) (*QwenTokenDat
 						if pollInterval > 10*time.Second {
 							pollInterval = 10 * time.Second
 						}
-						log.Infof("Server requested to slow down, increasing poll interval to %v\n", pollInterval)
+						fmt.Printf("Server requested to slow down, increasing poll interval to %v\n\n", pollInterval)
 						time.Sleep(pollInterval)
 						continue
 					case "expired_token":
--- a/internal/browser/browser.go
+++ b/internal/browser/browser.go
@@ -21,7 +21,7 @@ import (
 // Returns:
 //   - An error if the URL cannot be opened, otherwise nil.
 func OpenURL(url string) error {
-	log.Infof("Attempting to open URL in browser: %s", url)
+	fmt.Printf("Attempting to open URL in browser: %s\n", url)

 	// Try using the open-golang library first
 	err := open.Run(url)
--- a/internal/cmd/gemini-web_auth.go
+++ b/internal/cmd/gemini-web_auth.go
@@ -6,42 +6,147 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
+	"runtime"
 	"strings"
+	"time"

 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
-	log "github.com/sirupsen/logrus"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )

+// banner prints a simple ASCII banner for clarity without ANSI colors.
+func banner(title string) {
+	line := strings.Repeat("=", len(title)+8)
+	fmt.Println(line)
+	fmt.Println("=== " + title + " ===")
+	fmt.Println(line)
+}
+
 // DoGeminiWebAuth handles the process of creating a Gemini Web token file.
-// It prompts the user for their cookie values and saves them to a JSON file.
+// New flow:
+//  1. Prompt user to paste the full cookie string.
+//  2. Extract __Secure-1PSID and __Secure-1PSIDTS from the cookie string.
+//  3. Call https://accounts.google.com/ListAccounts with the cookie to obtain email.
+//  4. Save auth file with the same structure, and set Label to the email.
 func DoGeminiWebAuth(cfg *config.Config) {
+	var secure1psid, secure1psidts, email string
+
 	reader := bufio.NewReader(os.Stdin)
+	isMacOS := strings.HasPrefix(runtime.GOOS, "darwin")
+	cookieProvided := false
+	banner("Gemini Web Cookie Sign-in")
+	if !isMacOS {
+		// NOTE: Provide extra guidance for macOS users or anyone unsure about retrieving cookies.
+		fmt.Println("--- Cookie Input ---")
+		fmt.Println(">> Paste your full Google Cookie and press Enter")
+		fmt.Println("Tip: If you are on macOS, or don't know how to get the cookie, just press Enter and follow the prompts.")
+		fmt.Print("Cookie: ")
+		rawCookie, _ := reader.ReadString('\n')
+		rawCookie = strings.TrimSpace(rawCookie)
+		if rawCookie == "" {
+			// Skip cookie-based parsing; fall back to manual field prompts.
+			fmt.Println("==> No cookie provided. Proceeding with manual input.")
+		} else {
+			cookieProvided = true
+			// Parse K=V cookie pairs separated by ';'
+			cookieMap := make(map[string]string)
+			parts := strings.Split(rawCookie, ";")
+			for _, p := range parts {
+				p = strings.TrimSpace(p)
+				if p == "" {
+					continue
+				}
+				if eq := strings.Index(p, "="); eq > 0 {
+					k := strings.TrimSpace(p[:eq])
+					v := strings.TrimSpace(p[eq+1:])
+					if k != "" {
+						cookieMap[k] = v
+					}
+				}
+			}
+			secure1psid = strings.TrimSpace(cookieMap["__Secure-1PSID"])
+			secure1psidts = strings.TrimSpace(cookieMap["__Secure-1PSIDTS"])

-	fmt.Print("Enter your __Secure-1PSID cookie value: ")
-	secure1psid, _ := reader.ReadString('\n')
-	secure1psid = strings.TrimSpace(secure1psid)
+			// Build HTTP client with proxy settings respected.
+			httpClient := &http.Client{Timeout: 15 * time.Second}
+			httpClient = util.SetProxy(&cfg.SDKConfig, httpClient)

+			// Request ListAccounts to extract email as label (use POST per upstream behavior).
+			req, err := http.NewRequest(http.MethodPost, "https://accounts.google.com/ListAccounts", nil)
+			if err != nil {
+				fmt.Println("!! Failed to create request:", err)
+			} else {
+				req.Header.Set("Cookie", rawCookie)
+				req.Header.Set("Accept", "application/json, text/plain, */*")
+				req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
+				req.Header.Set("Origin", "https://accounts.google.com")
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8")
+
+				resp, errDo := httpClient.Do(req)
+				if errDo != nil {
+					fmt.Println("!! Request to ListAccounts failed:", err)
+				} else {
+					defer func() { _ = resp.Body.Close() }()
+					if resp.StatusCode != http.StatusOK {
+						fmt.Printf("!! ListAccounts returned status code: %d\n", resp.StatusCode)
+					} else {
+						var payload []any
+						if err = json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+							fmt.Println("!! Failed to parse ListAccounts response:", err)
+						} else {
+							// Expected structure like: ["gaia.l.a.r", [["gaia.l.a",1,"Name","email@example.com", ... ]]]
+							if len(payload) >= 2 {
+								if accounts, ok := payload[1].([]any); ok && len(accounts) >= 1 {
+									if first, ok1 := accounts[0].([]any); ok1 && len(first) >= 4 {
+										if em, ok2 := first[3].(string); ok2 {
+											email = strings.TrimSpace(em)
+										}
+									}
+								}
+							}
+							if email == "" {
+								fmt.Println("!! Failed to parse email from ListAccounts response")
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	// Fallback: prompt user to input missing values
 	if secure1psid == "" {
-		log.Fatal("The __Secure-1PSID value cannot be empty.")
-		return
+		if cookieProvided && !isMacOS {
+			fmt.Println("!! Cookie missing __Secure-1PSID.")
+		}
+		fmt.Print("Enter __Secure-1PSID: ")
+		v, _ := reader.ReadString('\n')
+		secure1psid = strings.TrimSpace(v)
 	}
-
-	fmt.Print("Enter your __Secure-1PSIDTS cookie value: ")
-	secure1psidts, _ := reader.ReadString('\n')
-	secure1psidts = strings.TrimSpace(secure1psidts)
-
 	if secure1psidts == "" {
-		fmt.Println("The __Secure-1PSIDTS value cannot be empty.")
+		if cookieProvided && !isMacOS {
+			fmt.Println("!! Cookie missing __Secure-1PSIDTS.")
+		}
+		fmt.Print("Enter __Secure-1PSIDTS: ")
+		v, _ := reader.ReadString('\n')
+		secure1psidts = strings.TrimSpace(v)
+	}
+	if secure1psid == "" || secure1psidts == "" {
+		// Use print instead of logger to avoid log redirection.
+		fmt.Println("!! __Secure-1PSID and __Secure-1PSIDTS cannot be empty")
 		return
 	}
-
-	tokenStorage := &gemini.GeminiWebTokenStorage{
-		Secure1PSID:   secure1psid,
-		Secure1PSIDTS: secure1psidts,
+	if isMacOS {
+		fmt.Print("Enter your account email: ")
+		v, _ := reader.ReadString('\n')
+		email = strings.TrimSpace(v)
 	}

 	// Generate a filename based on the SHA256 hash of the PSID
@@ -49,17 +154,44 @@ func DoGeminiWebAuth(cfg *config.Config) {
 	hasher.Write([]byte(secure1psid))
 	hash := hex.EncodeToString(hasher.Sum(nil))
 	fileName := fmt.Sprintf("gemini-web-%s.json", hash[:16])
-	record := &sdkAuth.TokenRecord{
+
+	// Decide label: prefer email; fallback prompt then file name without .json
+	defaultLabel := strings.TrimSuffix(fileName, ".json")
+	label := email
+	if label == "" {
+		fmt.Print(fmt.Sprintf("Enter label for this auth (default: %s): ", defaultLabel))
+		v, _ := reader.ReadString('\n')
+		v = strings.TrimSpace(v)
+		if v != "" {
+			label = v
+		} else {
+			label = defaultLabel
+		}
+	}
+
+	tokenStorage := &gemini.GeminiWebTokenStorage{
+		Secure1PSID:   secure1psid,
+		Secure1PSIDTS: secure1psidts,
+		Label:         label,
+	}
+	record := &coreauth.Auth{
+		ID:       fileName,
 		Provider: "gemini-web",
 		FileName: fileName,
 		Storage:  tokenStorage,
 	}
 	store := sdkAuth.GetTokenStore()
-	savedPath, err := store.Save(context.Background(), cfg, record)
+	if cfg != nil {
+		if dirSetter, ok := store.(interface{ SetBaseDir(string) }); ok {
+			dirSetter.SetBaseDir(cfg.AuthDir)
+		}
+	}
+	savedPath, err := store.Save(context.Background(), record)
 	if err != nil {
-		fmt.Printf("Failed to save Gemini Web token to file: %v\n", err)
+		fmt.Println("!! Failed to save Gemini Web token to file:", err)
 		return
 	}

-	fmt.Printf("Successfully saved Gemini Web token to: %s\n", savedPath)
+	fmt.Println("==> Successfully saved Gemini Web token!")
+	fmt.Println("==> Saved to:", savedPath)
 }
--- a/internal/cmd/login.go
+++ b/internal/cmd/login.go
@@ -4,18 +4,45 @@
 package cmd

 import (
+	"bufio"
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+	"time"

+	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
+	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
+	"github.com/tidwall/gjson"
 )

+const (
+	geminiCLIEndpoint       = "https://cloudcode-pa.googleapis.com"
+	geminiCLIVersion        = "v1internal"
+	geminiCLIUserAgent      = "google-api-nodejs-client/9.15.1"
+	geminiCLIApiClient      = "gl-node/22.17.0"
+	geminiCLIClientMetadata = "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI"
+)
+
+type projectSelectionRequiredError struct{}
+
+func (e *projectSelectionRequiredError) Error() string {
+	return "gemini cli: project selection required"
+}
+
 // DoLogin handles Google Gemini authentication using the shared authentication manager.
-// It initiates the OAuth flow for Google Gemini services and saves the authentication
-// tokens to the configured auth directory.
+// It initiates the OAuth flow for Google Gemini services, performs the legacy CLI user setup,
+// and saves the authentication tokens to the configured auth directory.
 //
 // Parameters:
 //   - cfg: The application configuration
@@ -26,44 +53,435 @@ func DoLogin(cfg *config.Config, projectID string, options *LoginOptions) {
 		options = &LoginOptions{}
 	}

-	manager := newAuthManager()
+	ctx := context.Background()

-	metadata := map[string]string{}
-	if projectID != "" {
-		metadata["project_id"] = projectID
-	}
-
-	authOpts := &sdkAuth.LoginOptions{
+	loginOpts := &sdkAuth.LoginOptions{
 		NoBrowser: options.NoBrowser,
-		ProjectID: projectID,
-		Metadata:  metadata,
+		ProjectID: strings.TrimSpace(projectID),
+		Metadata:  map[string]string{},
 		Prompt:    options.Prompt,
 	}

-	_, savedPath, err := manager.Login(context.Background(), "gemini", cfg, authOpts)
-	if err != nil {
-		var selectionErr *sdkAuth.ProjectSelectionError
-		if errors.As(err, &selectionErr) {
-			fmt.Println(selectionErr.Error())
-			projects := selectionErr.ProjectsDisplay()
-			if len(projects) > 0 {
-				fmt.Println("========================================================================")
-				for _, p := range projects {
-					fmt.Printf("Project ID: %s\n", p.ProjectID)
-					fmt.Printf("Project Name: %s\n", p.Name)
-					fmt.Println("------------------------------------------------------------------------")
-				}
-				fmt.Println("Please rerun the login command with --project_id <project_id>.")
-			}
+	authenticator := sdkAuth.NewGeminiAuthenticator()
+	record, errLogin := authenticator.Login(ctx, cfg, loginOpts)
+	if errLogin != nil {
+		log.Fatalf("Gemini authentication failed: %v", errLogin)
+		return
+	}
+
+	storage, okStorage := record.Storage.(*gemini.GeminiTokenStorage)
+	if !okStorage || storage == nil {
+		log.Fatal("Gemini authentication failed: unsupported token storage")
+		return
+	}
+
+	geminiAuth := gemini.NewGeminiAuth()
+	httpClient, errClient := geminiAuth.GetAuthenticatedClient(ctx, storage, cfg, options.NoBrowser)
+	if errClient != nil {
+		log.Fatalf("Gemini authentication failed: %v", errClient)
+		return
+	}
+
+	log.Info("Authentication successful.")
+
+	projects, errProjects := fetchGCPProjects(ctx, httpClient)
+	if errProjects != nil {
+		log.Fatalf("Failed to get project list: %v", errProjects)
+		return
+	}
+
+	promptFn := options.Prompt
+	if promptFn == nil {
+		promptFn = defaultProjectPrompt()
+	}
+
+	selectedProjectID := promptForProjectSelection(projects, strings.TrimSpace(projectID), promptFn)
+	if strings.TrimSpace(selectedProjectID) == "" {
+		log.Fatal("No project selected; aborting login.")
+		return
+	}
+
+	if errSetup := performGeminiCLISetup(ctx, httpClient, storage, selectedProjectID); errSetup != nil {
+		var projectErr *projectSelectionRequiredError
+		if errors.As(errSetup, &projectErr) {
+			log.Error("Failed to start user onboarding: A project ID is required.")
+			showProjectSelectionHelp(storage.Email, projects)
 			return
 		}
-		log.Fatalf("Gemini authentication failed: %v", err)
+		log.Fatalf("Failed to complete user setup: %v", errSetup)
+		return
+	}
+
+	storage.Auto = false
+
+	if !storage.Auto && !storage.Checked {
+		isChecked, errCheck := checkCloudAPIIsEnabled(ctx, httpClient, storage.ProjectID)
+		if errCheck != nil {
+			log.Fatalf("Failed to check if Cloud AI API is enabled: %v", errCheck)
+			return
+		}
+		storage.Checked = isChecked
+		if !isChecked {
+			log.Fatal("Failed to check if Cloud AI API is enabled. If you encounter an error message, please create an issue.")
+			return
+		}
+	}
+
+	updateAuthRecord(record, storage)
+
+	store := sdkAuth.GetTokenStore()
+	if setter, okSetter := store.(interface{ SetBaseDir(string) }); okSetter && cfg != nil {
+		setter.SetBaseDir(cfg.AuthDir)
+	}
+
+	savedPath, errSave := store.Save(ctx, record)
+	if errSave != nil {
+		log.Fatalf("Failed to save token to file: %v", errSave)
 		return
 	}

 	if savedPath != "" {
-		log.Infof("Authentication saved to %s", savedPath)
+		fmt.Printf("Authentication saved to %s\n", savedPath)
 	}

-	log.Info("Gemini authentication successful!")
+	fmt.Println("Gemini authentication successful!")
+}
+
+func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage *gemini.GeminiTokenStorage, requestedProject string) error {
+	metadata := map[string]string{
+		"ideType":    "IDE_UNSPECIFIED",
+		"platform":   "PLATFORM_UNSPECIFIED",
+		"pluginType": "GEMINI",
+	}
+
+	loadReqBody := map[string]any{
+		"metadata": metadata,
+	}
+	if requestedProject != "" {
+		loadReqBody["cloudaicompanionProject"] = requestedProject
+	}
+
+	var loadResp map[string]any
+	if errLoad := callGeminiCLI(ctx, httpClient, "loadCodeAssist", loadReqBody, &loadResp); errLoad != nil {
+		return fmt.Errorf("load code assist: %w", errLoad)
+	}
+
+	tierID := "legacy-tier"
+	if tiers, okTiers := loadResp["allowedTiers"].([]any); okTiers {
+		for _, rawTier := range tiers {
+			tier, okTier := rawTier.(map[string]any)
+			if !okTier {
+				continue
+			}
+			if isDefault, okDefault := tier["isDefault"].(bool); okDefault && isDefault {
+				if id, okID := tier["id"].(string); okID && strings.TrimSpace(id) != "" {
+					tierID = strings.TrimSpace(id)
+					break
+				}
+			}
+		}
+	}
+
+	projectID := strings.TrimSpace(requestedProject)
+	if projectID == "" {
+		if id, okProject := loadResp["cloudaicompanionProject"].(string); okProject {
+			projectID = strings.TrimSpace(id)
+		}
+	}
+	if projectID == "" {
+		return &projectSelectionRequiredError{}
+	}
+
+	onboardReqBody := map[string]any{
+		"tierId":                  tierID,
+		"metadata":                metadata,
+		"cloudaicompanionProject": projectID,
+	}
+
+	// Store the requested project as a fallback in case the response omits it.
+	storage.ProjectID = projectID
+
+	for {
+		var onboardResp map[string]any
+		if errOnboard := callGeminiCLI(ctx, httpClient, "onboardUser", onboardReqBody, &onboardResp); errOnboard != nil {
+			return fmt.Errorf("onboard user: %w", errOnboard)
+		}
+
+		if done, okDone := onboardResp["done"].(bool); okDone && done {
+			if resp, okResp := onboardResp["response"].(map[string]any); okResp {
+				if project, okProject := resp["cloudaicompanionProject"].(map[string]any); okProject {
+					if id, okID := project["id"].(string); okID && strings.TrimSpace(id) != "" {
+						storage.ProjectID = strings.TrimSpace(id)
+					}
+				}
+			}
+			storage.ProjectID = strings.TrimSpace(storage.ProjectID)
+			if storage.ProjectID == "" {
+				storage.ProjectID = projectID
+			}
+			if storage.ProjectID == "" {
+				return fmt.Errorf("onboard user completed without project id")
+			}
+			log.Infof("Onboarding complete. Using Project ID: %s", storage.ProjectID)
+			return nil
+		}
+
+		log.Println("Onboarding in progress, waiting 5 seconds...")
+		time.Sleep(5 * time.Second)
+	}
+}
+
+func callGeminiCLI(ctx context.Context, httpClient *http.Client, endpoint string, body any, result any) error {
+	url := fmt.Sprintf("%s/%s:%s", geminiCLIEndpoint, geminiCLIVersion, endpoint)
+	if strings.HasPrefix(endpoint, "operations/") {
+		url = fmt.Sprintf("%s/%s", geminiCLIEndpoint, endpoint)
+	}
+
+	var reader io.Reader
+	if body != nil {
+		rawBody, errMarshal := json.Marshal(body)
+		if errMarshal != nil {
+			return fmt.Errorf("marshal request body: %w", errMarshal)
+		}
+		reader = bytes.NewReader(rawBody)
+	}
+
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodPost, url, reader)
+	if errRequest != nil {
+		return fmt.Errorf("create request: %w", errRequest)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", geminiCLIUserAgent)
+	req.Header.Set("X-Goog-Api-Client", geminiCLIApiClient)
+	req.Header.Set("Client-Metadata", geminiCLIClientMetadata)
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return fmt.Errorf("execute request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("api request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	if result == nil {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		return nil
+	}
+
+	if errDecode := json.NewDecoder(resp.Body).Decode(result); errDecode != nil {
+		return fmt.Errorf("decode response body: %w", errDecode)
+	}
+
+	return nil
+}
+
+func fetchGCPProjects(ctx context.Context, httpClient *http.Client) ([]interfaces.GCPProjectProjects, error) {
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, "https://cloudresourcemanager.googleapis.com/v1/projects", nil)
+	if errRequest != nil {
+		return nil, fmt.Errorf("could not create project list request: %w", errRequest)
+	}
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return nil, fmt.Errorf("failed to execute project list request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("project list request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	var projects interfaces.GCPProject
+	if errDecode := json.NewDecoder(resp.Body).Decode(&projects); errDecode != nil {
+		return nil, fmt.Errorf("failed to unmarshal project list: %w", errDecode)
+	}
+
+	return projects.Projects, nil
+}
+
+// promptForProjectSelection prints available projects and returns the chosen project ID.
+func promptForProjectSelection(projects []interfaces.GCPProjectProjects, presetID string, promptFn func(string) (string, error)) string {
+	trimmedPreset := strings.TrimSpace(presetID)
+	if len(projects) == 0 {
+		if trimmedPreset != "" {
+			return trimmedPreset
+		}
+		fmt.Println("No Google Cloud projects are available for selection.")
+		return ""
+	}
+
+	fmt.Println("Available Google Cloud projects:")
+	defaultIndex := 0
+	for idx, project := range projects {
+		fmt.Printf("[%d] %s (%s)\n", idx+1, project.ProjectID, project.Name)
+		if trimmedPreset != "" && project.ProjectID == trimmedPreset {
+			defaultIndex = idx
+		}
+	}
+
+	defaultID := projects[defaultIndex].ProjectID
+
+	if trimmedPreset != "" {
+		for _, project := range projects {
+			if project.ProjectID == trimmedPreset {
+				return trimmedPreset
+			}
+		}
+		log.Warnf("Provided project ID %s not found in available projects; please choose from the list.", trimmedPreset)
+	}
+
+	for {
+		promptMsg := fmt.Sprintf("Enter project ID [%s]: ", defaultID)
+		answer, errPrompt := promptFn(promptMsg)
+		if errPrompt != nil {
+			log.Errorf("Project selection prompt failed: %v", errPrompt)
+			return defaultID
+		}
+		answer = strings.TrimSpace(answer)
+		if answer == "" {
+			return defaultID
+		}
+
+		for _, project := range projects {
+			if project.ProjectID == answer {
+				return project.ProjectID
+			}
+		}
+
+		if idx, errAtoi := strconv.Atoi(answer); errAtoi == nil {
+			if idx >= 1 && idx <= len(projects) {
+				return projects[idx-1].ProjectID
+			}
+		}
+
+		fmt.Println("Invalid selection, enter a project ID or a number from the list.")
+	}
+}
+
+func defaultProjectPrompt() func(string) (string, error) {
+	reader := bufio.NewReader(os.Stdin)
+	return func(prompt string) (string, error) {
+		fmt.Print(prompt)
+		line, errRead := reader.ReadString('\n')
+		if errRead != nil {
+			if errors.Is(errRead, io.EOF) {
+				return strings.TrimSpace(line), nil
+			}
+			return "", errRead
+		}
+		return strings.TrimSpace(line), nil
+	}
+}
+
+func showProjectSelectionHelp(email string, projects []interfaces.GCPProjectProjects) {
+	if email != "" {
+		log.Infof("Your account %s needs to specify a project ID.", email)
+	} else {
+		log.Info("You need to specify a project ID.")
+	}
+
+	if len(projects) > 0 {
+		fmt.Println("========================================================================")
+		for _, p := range projects {
+			fmt.Printf("Project ID: %s\n", p.ProjectID)
+			fmt.Printf("Project Name: %s\n", p.Name)
+			fmt.Println("------------------------------------------------------------------------")
+		}
+	} else {
+		fmt.Println("No active projects were returned for this account.")
+	}
+
+	fmt.Printf("Please run this command to login again with a specific project:\n\n%s --login --project_id <project_id>\n", os.Args[0])
+}
+
+func checkCloudAPIIsEnabled(ctx context.Context, httpClient *http.Client, projectID string) (bool, error) {
+	serviceUsageURL := "https://serviceusage.googleapis.com"
+	requiredServices := []string{
+		"geminicloudassist.googleapis.com", // Gemini Cloud Assist API
+		"cloudaicompanion.googleapis.com",  // Gemini for Google Cloud API
+	}
+	for _, service := range requiredServices {
+		checkUrl := fmt.Sprintf("%s/v1/projects/%s/services/%s", serviceUsageURL, projectID, service)
+		req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, checkUrl, nil)
+		if errRequest != nil {
+			return false, fmt.Errorf("failed to create request: %w", errRequest)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("User-Agent", geminiCLIUserAgent)
+		resp, errDo := httpClient.Do(req)
+		if errDo != nil {
+			return false, fmt.Errorf("failed to execute request: %w", errDo)
+		}
+
+		if resp.StatusCode == http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			if gjson.GetBytes(bodyBytes, "state").String() == "ENABLED" {
+				_ = resp.Body.Close()
+				continue
+			}
+		}
+		_ = resp.Body.Close()
+
+		enableUrl := fmt.Sprintf("%s/v1/projects/%s/services/%s:enable", serviceUsageURL, projectID, service)
+		req, errRequest = http.NewRequestWithContext(ctx, http.MethodPost, enableUrl, strings.NewReader("{}"))
+		if errRequest != nil {
+			return false, fmt.Errorf("failed to create request: %w", errRequest)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("User-Agent", geminiCLIUserAgent)
+		resp, errDo = httpClient.Do(req)
+		if errDo != nil {
+			return false, fmt.Errorf("failed to execute request: %w", errDo)
+		}
+
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		errMessage := string(bodyBytes)
+		errMessageResult := gjson.GetBytes(bodyBytes, "error.message")
+		if errMessageResult.Exists() {
+			errMessage = errMessageResult.String()
+		}
+		if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusCreated {
+			_ = resp.Body.Close()
+			continue
+		} else if resp.StatusCode == http.StatusBadRequest {
+			_ = resp.Body.Close()
+			if strings.Contains(strings.ToLower(errMessage), "already enabled") {
+				continue
+			}
+		}
+		return false, fmt.Errorf("project activation required: %s", errMessage)
+	}
+	return true, nil
+}
+
+func updateAuthRecord(record *cliproxyauth.Auth, storage *gemini.GeminiTokenStorage) {
+	if record == nil || storage == nil {
+		return
+	}
+
+	finalName := fmt.Sprintf("%s-%s.json", storage.Email, storage.ProjectID)
+
+	if record.Metadata == nil {
+		record.Metadata = make(map[string]any)
+	}
+	record.Metadata["email"] = storage.Email
+	record.Metadata["project_id"] = storage.ProjectID
+	record.Metadata["auto"] = storage.Auto
+	record.Metadata["checked"] = storage.Checked
+
+	record.ID = finalName
+	record.FileName = finalName
+	record.Storage = storage
 }
--- a/internal/cmd/run.go
+++ b/internal/cmd/run.go
@@ -8,7 +8,9 @@ import (
 	"errors"
 	"os/signal"
 	"syscall"
+	"time"

+	"github.com/router-for-me/CLIProxyAPI/v6/internal/api"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy"
 	log "github.com/sirupsen/logrus"
@@ -21,19 +23,32 @@ import (
 // Parameters:
 //   - cfg: The application configuration
 //   - configPath: The path to the configuration file
-func StartService(cfg *config.Config, configPath string) {
-	service, err := cliproxy.NewBuilder().
+//   - localPassword: Optional password accepted for local management requests
+func StartService(cfg *config.Config, configPath string, localPassword string) {
+	builder := cliproxy.NewBuilder().
 		WithConfig(cfg).
 		WithConfigPath(configPath).
-		Build()
+		WithLocalManagementPassword(localPassword)
+
+	ctxSignal, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	runCtx := ctxSignal
+	if localPassword != "" {
+		var keepAliveCancel context.CancelFunc
+		runCtx, keepAliveCancel = context.WithCancel(ctxSignal)
+		builder = builder.WithServerOptions(api.WithKeepAliveEndpoint(10*time.Second, func() {
+			log.Warn("keep-alive endpoint idle for 10s, shutting down")
+			keepAliveCancel()
+		}))
+	}
+
+	service, err := builder.Build()
 	if err != nil {
 		log.Fatalf("failed to build proxy service: %v", err)
 	}

-	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer cancel()
-
-	err = service.Run(ctx)
+	err = service.Run(runCtx)
 	if err != nil && !errors.Is(err, context.Canceled) {
 		log.Fatalf("proxy service exited with error: %v", err)
 	}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -8,12 +8,14 @@ import (
 	"fmt"
 	"os"

+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	"golang.org/x/crypto/bcrypt"
 	"gopkg.in/yaml.v3"
 )

 // Config represents the application's configuration, loaded from a YAML file.
 type Config struct {
+	config.SDKConfig `yaml:",inline"`
 	// Port is the network port on which the API server will listen.
 	Port int `yaml:"port" json:"-"`

@@ -23,14 +25,11 @@ type Config struct {
 	// Debug enables or disables debug-level logging and other debug features.
 	Debug bool `yaml:"debug" json:"debug"`

-	// ProxyURL is the URL of an optional proxy server to use for outbound requests.
-	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
+	// LoggingToFile controls whether application logs are written to rotating files or stdout.
+	LoggingToFile bool `yaml:"logging-to-file" json:"logging-to-file"`

-	// APIKeys is a list of keys for authenticating clients to this proxy server.
-	APIKeys []string `yaml:"api-keys" json:"api-keys"`
-
-	// Access holds request authentication provider configuration.
-	Access AccessConfig `yaml:"auth" json:"auth"`
+	// UsageStatisticsEnabled toggles in-memory usage aggregation; when false, usage data is discarded.
+	UsageStatisticsEnabled bool `yaml:"usage-statistics-enabled" json:"usage-statistics-enabled"`

 	// QuotaExceeded defines the behavior when a quota is exceeded.
 	QuotaExceeded QuotaExceeded `yaml:"quota-exceeded" json:"quota-exceeded"`
@@ -38,9 +37,6 @@ type Config struct {
 	// GlAPIKey is the API key for the generative language API.
 	GlAPIKey []string `yaml:"generative-language-api-key" json:"generative-language-api-key"`

-	// RequestLog enables or disables detailed request logging functionality.
-	RequestLog bool `yaml:"request-log" json:"request-log"`
-
 	// RequestRetry defines the retry times when the request failed.
 	RequestRetry int `yaml:"request-retry" json:"request-retry"`

@@ -60,38 +56,6 @@ type Config struct {
 	GeminiWeb GeminiWebConfig `yaml:"gemini-web" json:"gemini-web"`
 }

-// AccessConfig groups request authentication providers.
-type AccessConfig struct {
-	// Providers lists configured authentication providers.
-	Providers []AccessProvider `yaml:"providers" json:"providers"`
-}
-
-// AccessProvider describes a request authentication provider entry.
-type AccessProvider struct {
-	// Name is the instance identifier for the provider.
-	Name string `yaml:"name" json:"name"`
-
-	// Type selects the provider implementation registered via the SDK.
-	Type string `yaml:"type" json:"type"`
-
-	// SDK optionally names a third-party SDK module providing this provider.
-	SDK string `yaml:"sdk,omitempty" json:"sdk,omitempty"`
-
-	// APIKeys lists inline keys for providers that require them.
-	APIKeys []string `yaml:"api-keys,omitempty" json:"api-keys,omitempty"`
-
-	// Config passes provider-specific options to the implementation.
-	Config map[string]any `yaml:"config,omitempty" json:"config,omitempty"`
-}
-
-const (
-	// AccessProviderTypeConfigAPIKey is the built-in provider validating inline API keys.
-	AccessProviderTypeConfigAPIKey = "config-api-key"
-
-	// DefaultAccessProviderName is applied when no provider name is supplied.
-	DefaultAccessProviderName = "config-inline"
-)
-
 // GeminiWebConfig nests Gemini Web related options under 'gemini-web'.
 type GeminiWebConfig struct {
 	// Context enables JSON-based conversation reuse.
@@ -143,6 +107,9 @@ type ClaudeKey struct {
 	// BaseURL is the base URL for the Claude API endpoint.
 	// If empty, the default Claude API URL will be used.
 	BaseURL string `yaml:"base-url" json:"base-url"`
+
+	// ProxyURL overrides the global proxy setting for this API key if provided.
+	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
 }

 // CodexKey represents the configuration for a Codex API key,
@@ -154,6 +121,9 @@ type CodexKey struct {
 	// BaseURL is the base URL for the Codex API endpoint.
 	// If empty, the default Codex API URL will be used.
 	BaseURL string `yaml:"base-url" json:"base-url"`
+
+	// ProxyURL overrides the global proxy setting for this API key if provided.
+	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
 }

 // OpenAICompatibility represents the configuration for OpenAI API compatibility
@@ -166,12 +136,25 @@ type OpenAICompatibility struct {
 	BaseURL string `yaml:"base-url" json:"base-url"`

 	// APIKeys are the authentication keys for accessing the external API services.
-	APIKeys []string `yaml:"api-keys" json:"api-keys"`
+	// Deprecated: Use APIKeyEntries instead to support per-key proxy configuration.
+	APIKeys []string `yaml:"api-keys,omitempty" json:"api-keys,omitempty"`
+
+	// APIKeyEntries defines API keys with optional per-key proxy configuration.
+	APIKeyEntries []OpenAICompatibilityAPIKey `yaml:"api-key-entries,omitempty" json:"api-key-entries,omitempty"`

 	// Models defines the model configurations including aliases for routing.
 	Models []OpenAICompatibilityModel `yaml:"models" json:"models"`
 }

+// OpenAICompatibilityAPIKey represents an API key configuration with optional proxy setting.
+type OpenAICompatibilityAPIKey struct {
+	// APIKey is the authentication key for accessing the external API services.
+	APIKey string `yaml:"api-key" json:"api-key"`
+
+	// ProxyURL overrides the global proxy setting for this API key if provided.
+	ProxyURL string `yaml:"proxy-url,omitempty" json:"proxy-url,omitempty"`
+}
+
 // OpenAICompatibilityModel represents a model configuration for OpenAI compatibility,
 // including the actual model name and its alias for API routing.
 type OpenAICompatibilityModel struct {
@@ -200,21 +183,23 @@ func LoadConfig(configFile string) (*Config, error) {
 	}

 	// Unmarshal the YAML data into the Config struct.
-	var config Config
+	var cfg Config
 	// Set defaults before unmarshal so that absent keys keep defaults.
-	config.GeminiWeb.Context = true
-	if err = yaml.Unmarshal(data, &config); err != nil {
+	cfg.LoggingToFile = true
+	cfg.UsageStatisticsEnabled = true
+	cfg.GeminiWeb.Context = true
+	if err = yaml.Unmarshal(data, &cfg); err != nil {
 		return nil, fmt.Errorf("failed to parse config file: %w", err)
 	}

 	// Hash remote management key if plaintext is detected (nested)
 	// We consider a value to be already hashed if it looks like a bcrypt hash ($2a$, $2b$, or $2y$ prefix).
-	if config.RemoteManagement.SecretKey != "" && !looksLikeBcrypt(config.RemoteManagement.SecretKey) {
-		hashed, errHash := hashSecret(config.RemoteManagement.SecretKey)
+	if cfg.RemoteManagement.SecretKey != "" && !looksLikeBcrypt(cfg.RemoteManagement.SecretKey) {
+		hashed, errHash := hashSecret(cfg.RemoteManagement.SecretKey)
 		if errHash != nil {
 			return nil, fmt.Errorf("failed to hash remote management key: %w", errHash)
 		}
-		config.RemoteManagement.SecretKey = hashed
+		cfg.RemoteManagement.SecretKey = hashed

 		// Persist the hashed value back to the config file to avoid re-hashing on next startup.
 		// Preserve YAML comments and ordering; update only the nested key.
@@ -222,80 +207,22 @@ func LoadConfig(configFile string) (*Config, error) {
 	}

 	// Sync request authentication providers with inline API keys for backwards compatibility.
-	syncInlineAccessProvider(&config)
+	syncInlineAccessProvider(&cfg)

 	// Return the populated configuration struct.
-	return &config, nil
-}
-
-// SyncInlineAPIKeys updates the inline API key provider and top-level APIKeys field.
-func SyncInlineAPIKeys(cfg *Config, keys []string) {
-	if cfg == nil {
-		return
-	}
-	cloned := append([]string(nil), keys...)
-	cfg.APIKeys = cloned
-	if provider := cfg.ConfigAPIKeyProvider(); provider != nil {
-		if provider.Name == "" {
-			provider.Name = DefaultAccessProviderName
-		}
-		provider.APIKeys = cloned
-		return
-	}
-	cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
-		Name:    DefaultAccessProviderName,
-		Type:    AccessProviderTypeConfigAPIKey,
-		APIKeys: cloned,
-	})
-}
-
-// ConfigAPIKeyProvider returns the first inline API key provider if present.
-func (c *Config) ConfigAPIKeyProvider() *AccessProvider {
-	if c == nil {
-		return nil
-	}
-	for i := range c.Access.Providers {
-		if c.Access.Providers[i].Type == AccessProviderTypeConfigAPIKey {
-			if c.Access.Providers[i].Name == "" {
-				c.Access.Providers[i].Name = DefaultAccessProviderName
-			}
-			return &c.Access.Providers[i]
-		}
-	}
-	return nil
+	return &cfg, nil
 }

 func syncInlineAccessProvider(cfg *Config) {
 	if cfg == nil {
 		return
 	}
-	if len(cfg.Access.Providers) == 0 {
-		if len(cfg.APIKeys) == 0 {
-			return
+	if len(cfg.APIKeys) == 0 {
+		if provider := cfg.ConfigAPIKeyProvider(); provider != nil && len(provider.APIKeys) > 0 {
+			cfg.APIKeys = append([]string(nil), provider.APIKeys...)
 		}
-		cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
-			Name:    DefaultAccessProviderName,
-			Type:    AccessProviderTypeConfigAPIKey,
-			APIKeys: append([]string(nil), cfg.APIKeys...),
-		})
-		return
 	}
-	provider := cfg.ConfigAPIKeyProvider()
-	if provider == nil {
-		if len(cfg.APIKeys) == 0 {
-			return
-		}
-		cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
-			Name:    DefaultAccessProviderName,
-			Type:    AccessProviderTypeConfigAPIKey,
-			APIKeys: append([]string(nil), cfg.APIKeys...),
-		})
-		return
-	}
-	if len(provider.APIKeys) == 0 && len(cfg.APIKeys) > 0 {
-		provider.APIKeys = append([]string(nil), cfg.APIKeys...)
-	}
-	cfg.APIKeys = append([]string(nil), provider.APIKeys...)
+	cfg.Access.Providers = nil
 }

 // looksLikeBcrypt returns true if the provided string appears to be a bcrypt hash.
@@ -316,6 +243,7 @@ func hashSecret(secret string) (string, error) {
 // SaveConfigPreserveComments writes the config back to YAML while preserving existing comments
 // and key ordering by loading the original file into a yaml.Node tree and updating values in-place.
 func SaveConfigPreserveComments(configFile string, cfg *Config) error {
+	persistCfg := sanitizeConfigForPersist(cfg)
 	// Load original YAML as a node tree to preserve comments and ordering.
 	data, err := os.ReadFile(configFile)
 	if err != nil {
@@ -334,7 +262,7 @@ func SaveConfigPreserveComments(configFile string, cfg *Config) error {
 	}

 	// Marshal the current cfg to YAML, then unmarshal to a yaml.Node we can merge from.
-	rendered, err := yaml.Marshal(cfg)
+	rendered, err := yaml.Marshal(persistCfg)
 	if err != nil {
 		return err
 	}
@@ -349,6 +277,9 @@ func SaveConfigPreserveComments(configFile string, cfg *Config) error {
 		return fmt.Errorf("expected generated root mapping node")
 	}

+	// Remove deprecated auth block before merging to avoid persisting it again.
+	removeMapKey(original.Content[0], "auth")
+
 	// Merge generated into original in-place, preserving comments/order of existing nodes.
 	mergeMappingPreserve(original.Content[0], generated.Content[0])

@@ -367,6 +298,16 @@ func SaveConfigPreserveComments(configFile string, cfg *Config) error {
 	return enc.Close()
 }

+func sanitizeConfigForPersist(cfg *Config) *Config {
+	if cfg == nil {
+		return nil
+	}
+	clone := *cfg
+	clone.SDKConfig = cfg.SDKConfig
+	clone.SDKConfig.Access = config.AccessConfig{}
+	return &clone
+}
+
 // SaveConfigPreserveCommentsUpdateNestedScalar updates a nested scalar key path like ["a","b"]
 // while preserving comments and positions.
 func SaveConfigPreserveCommentsUpdateNestedScalar(configFile string, path []string, value string) error {
@@ -569,3 +510,15 @@ func copyNodeShallow(dst, src *yaml.Node) {
 		dst.Content = nil
 	}
 }
+
+func removeMapKey(mapNode *yaml.Node, key string) {
+	if mapNode == nil || mapNode.Kind != yaml.MappingNode || key == "" {
+		return
+	}
+	for i := 0; i+1 < len(mapNode.Content); i += 2 {
+		if mapNode.Content[i] != nil && mapNode.Content[i].Value == key {
+			mapNode.Content = append(mapNode.Content[:i], mapNode.Content[i+2:]...)
+			return
+		}
+	}
+}
--- a/internal/logging/global_logger.go
+++ b/internal/logging/global_logger.go
@@ -0,0 +1,117 @@
+package logging
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/gin-gonic/gin"
+	log "github.com/sirupsen/logrus"
+	"gopkg.in/natefinch/lumberjack.v2"
+)
+
+var (
+	setupOnce      sync.Once
+	writerMu       sync.Mutex
+	logWriter      *lumberjack.Logger
+	ginInfoWriter  *io.PipeWriter
+	ginErrorWriter *io.PipeWriter
+)
+
+// LogFormatter defines a custom log format for logrus.
+// This formatter adds timestamp, level, and source location to each log entry.
+type LogFormatter struct{}
+
+// Format renders a single log entry with custom formatting.
+func (m *LogFormatter) Format(entry *log.Entry) ([]byte, error) {
+	var buffer *bytes.Buffer
+	if entry.Buffer != nil {
+		buffer = entry.Buffer
+	} else {
+		buffer = &bytes.Buffer{}
+	}
+
+	timestamp := entry.Time.Format("2006-01-02 15:04:05")
+	message := strings.TrimRight(entry.Message, "\r\n")
+	formatted := fmt.Sprintf("[%s] [%s] [%s:%d] %s\n", timestamp, entry.Level, filepath.Base(entry.Caller.File), entry.Caller.Line, message)
+	buffer.WriteString(formatted)
+
+	return buffer.Bytes(), nil
+}
+
+// SetupBaseLogger configures the shared logrus instance and Gin writers.
+// It is safe to call multiple times; initialization happens only once.
+func SetupBaseLogger() {
+	setupOnce.Do(func() {
+		log.SetOutput(os.Stdout)
+		log.SetReportCaller(true)
+		log.SetFormatter(&LogFormatter{})
+
+		ginInfoWriter = log.StandardLogger().Writer()
+		gin.DefaultWriter = ginInfoWriter
+		ginErrorWriter = log.StandardLogger().WriterLevel(log.ErrorLevel)
+		gin.DefaultErrorWriter = ginErrorWriter
+		gin.DebugPrintFunc = func(format string, values ...interface{}) {
+			format = strings.TrimRight(format, "\r\n")
+			log.StandardLogger().Infof(format, values...)
+		}
+
+		log.RegisterExitHandler(closeLogOutputs)
+	})
+}
+
+// ConfigureLogOutput switches the global log destination between rotating files and stdout.
+func ConfigureLogOutput(loggingToFile bool) error {
+	SetupBaseLogger()
+
+	writerMu.Lock()
+	defer writerMu.Unlock()
+
+	if loggingToFile {
+		const logDir = "logs"
+		if err := os.MkdirAll(logDir, 0o755); err != nil {
+			return fmt.Errorf("logging: failed to create log directory: %w", err)
+		}
+		if logWriter != nil {
+			_ = logWriter.Close()
+		}
+		logWriter = &lumberjack.Logger{
+			Filename:   filepath.Join(logDir, "main.log"),
+			MaxSize:    10,
+			MaxBackups: 0,
+			MaxAge:     0,
+			Compress:   false,
+		}
+		log.SetOutput(logWriter)
+		return nil
+	}
+
+	if logWriter != nil {
+		_ = logWriter.Close()
+		logWriter = nil
+	}
+	log.SetOutput(os.Stdout)
+	return nil
+}
+
+func closeLogOutputs() {
+	writerMu.Lock()
+	defer writerMu.Unlock()
+
+	if logWriter != nil {
+		_ = logWriter.Close()
+		logWriter = nil
+	}
+	if ginInfoWriter != nil {
+		_ = ginInfoWriter.Close()
+		ginInfoWriter = nil
+	}
+	if ginErrorWriter != nil {
+		_ = ginErrorWriter.Close()
+		ginErrorWriter = nil
+	}
+}
--- a/internal/misc/claude_code_instructions.txt
+++ b/internal/misc/claude_code_instructions.txt
--- a/internal/misc/credentials.go
+++ b/internal/misc/credentials.go
@@ -1,13 +1,15 @@
 package misc

 import (
+	"fmt"
 	"path/filepath"
 	"strings"

 	log "github.com/sirupsen/logrus"
 )

-var credentialSeparator = strings.Repeat("-", 70)
+// Separator used to visually group related log lines.
+var credentialSeparator = strings.Repeat("-", 67)

 // LogSavingCredentials emits a consistent log message when persisting auth material.
 func LogSavingCredentials(path string) {
@@ -15,10 +17,10 @@ func LogSavingCredentials(path string) {
 		return
 	}
 	// Use filepath.Clean so logs remain stable even if callers pass redundant separators.
-	log.Infof("Saving credentials to %s", filepath.Clean(path))
+	fmt.Printf("Saving credentials to %s\n", filepath.Clean(path))
 }

 // LogCredentialSeparator adds a visual separator to group auth/key processing logs.
 func LogCredentialSeparator() {
-	log.Info(credentialSeparator)
+	log.Debug(credentialSeparator)
 }
--- a/internal/provider/gemini-web/client.go
+++ b/internal/provider/gemini-web/client.go
@@ -9,8 +9,6 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
-	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
@@ -97,8 +95,12 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 	{
 		client := newHTTPClient(httpOptions{ProxyURL: proxy, Insecure: insecure, FollowRedirects: true})
 		req, _ := http.NewRequest(http.MethodGet, EndpointGoogle, nil)
-		resp, _ := client.Do(req)
-		if resp != nil {
+		resp, err := client.Do(req)
+		if err != nil {
+			if verbose {
+				log.Debugf("priming google cookies failed: %v", err)
+			}
+		} else if resp != nil {
 			if u, err := url.Parse(EndpointGoogle); err == nil {
 				for _, c := range client.Jar.Cookies(u) {
 					extraCookies[c.Name] = c.Value
@@ -122,19 +124,6 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 		}
 	}

-	cacheDir := "temp"
-	_ = os.MkdirAll(cacheDir, 0o755)
-	if v1, ok1 := baseCookies["__Secure-1PSID"]; ok1 {
-		cacheFile := filepath.Join(cacheDir, ".cached_1psidts_"+v1+".txt")
-		if b, err := os.ReadFile(cacheFile); err == nil {
-			cv := strings.TrimSpace(string(b))
-			if cv != "" {
-				merged := map[string]string{"__Secure-1PSID": v1, "__Secure-1PSIDTS": cv}
-				trySets = append(trySets, merged)
-			}
-		}
-	}
-
 	if len(extraCookies) > 0 {
 		trySets = append(trySets, extraCookies)
 	}
@@ -158,7 +147,7 @@ func getAccessToken(baseCookies map[string]string, proxy string, verbose bool, i
 		if len(matches) >= 2 {
 			token := matches[1]
 			if verbose {
-				log.Infof("Gemini access token acquired.")
+				fmt.Println("Gemini access token acquired.")
 			}
 			return token, mergedCookies, nil
 		}
@@ -172,18 +161,10 @@ func rotate1PSIDTS(cookies map[string]string, proxy string, insecure bool) (stri
 		return "", &AuthError{Msg: "__Secure-1PSID missing"}
 	}

-	tr := &http.Transport{}
-	if proxy != "" {
-		if pu, err := url.Parse(proxy); err == nil {
-			tr.Proxy = http.ProxyURL(pu)
-		}
-	}
-	if insecure {
-		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	client := &http.Client{Transport: tr, Timeout: 60 * time.Second}
+	// Reuse shared HTTP client helper for consistency.
+	client := newHTTPClient(httpOptions{ProxyURL: proxy, Insecure: insecure, FollowRedirects: true})

-	req, _ := http.NewRequest(http.MethodPost, EndpointRotateCookies, io.NopCloser(stringsReader("[000,\"-0000000000000000000\"]")))
+	req, _ := http.NewRequest(http.MethodPost, EndpointRotateCookies, strings.NewReader("[000,\"-0000000000000000000\"]"))
 	applyHeaders(req, HeadersRotateCookies)
 	applyCookies(req, cookies)

@@ -207,25 +188,18 @@ func rotate1PSIDTS(cookies map[string]string, proxy string, insecure bool) (stri
 			return c.Value, nil
 		}
 	}
+	// Fallback: check cookie jar in case the Set-Cookie was on a redirect hop
+	if u, err := url.Parse(EndpointRotateCookies); err == nil && client.Jar != nil {
+		for _, c := range client.Jar.Cookies(u) {
+			if c.Name == "__Secure-1PSIDTS" && c.Value != "" {
+				return c.Value, nil
+			}
+		}
+	}
 	return "", nil
 }

-type constReader struct {
-	s string
-	i int
-}
-
-func (r *constReader) Read(p []byte) (int, error) {
-	if r.i >= len(r.s) {
-		return 0, io.EOF
-	}
-	n := copy(p, r.s[r.i:])
-	r.i += n
-	return n, nil
-}
-
-func stringsReader(s string) io.Reader { return &constReader{s: s} }
-
+// MaskToken28 masks a sensitive token for safe logging. Keep middle partially visible.
 func MaskToken28(s string) string {
 	n := len(s)
 	if n == 0 {
@@ -306,7 +280,7 @@ func (c *GeminiClient) Init(timeoutSec float64, verbose bool) error {

 	c.Timeout = time.Duration(timeoutSec * float64(time.Second))
 	if verbose {
-		log.Infof("Gemini client initialized successfully.")
+		fmt.Println("Gemini client initialized successfully.")
 	}
 	return nil
 }
@@ -318,7 +292,7 @@ func (c *GeminiClient) Close(delaySec float64) {
 	c.Running = false
 }

-// ensureRunning mirrors the Python decorator behavior and retries on APIError.
+// ensureRunning mirrors the decorator behavior and retries on APIError.
 func (c *GeminiClient) ensureRunning() error {
 	if c.Running {
 		return nil
@@ -431,21 +405,10 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 	form.Set("f.req", string(outerJSON))

 	req, _ := http.NewRequest(http.MethodPost, EndpointGenerate, strings.NewReader(form.Encode()))
-	// headers
-	for k, v := range HeadersGemini {
-		for _, vv := range v {
-			req.Header.Add(k, vv)
-		}
-	}
-	for k, v := range model.ModelHeader {
-		for _, vv := range v {
-			req.Header.Add(k, vv)
-		}
-	}
+	applyHeaders(req, HeadersGemini)
+	applyHeaders(req, model.ModelHeader)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded;charset=utf-8")
-	for k, v := range c.Cookies {
-		req.AddCookie(&http.Cookie{Name: k, Value: v})
-	}
+	applyCookies(req, c.Cookies)

 	resp, err := c.httpClient.Do(req)
 	if err != nil {
@@ -456,7 +419,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 	}()

 	if resp.StatusCode == 429 {
-		// Surface 429 as TemporarilyBlocked to match Python behavior
+		// Surface 429 as TemporarilyBlocked to match reference behavior
 		c.Close(0)
 		return empty, &TemporarilyBlocked{GeminiError{Msg: "Too many requests. IP temporarily blocked."}}
 	}
@@ -536,7 +499,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 				}
 			}
 		}
-		// Parse nested error code to align with Python mapping
+		// Parse nested error code to align with error mapping
 		var top []any
 		// Prefer lastTop from fallback scan; otherwise try parts[2]
 		if len(lastTop) > 0 {
@@ -559,7 +522,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 			}
 		}
 		// Debug("Invalid response: control frames only; no body found")
-		// Close the client to force re-initialization on next request (parity with Python client behavior)
+		// Close the client to force re-initialization on next request (parity with reference client behavior)
 		c.Close(0)
 		return empty, &APIError{Msg: "Failed to generate contents. Invalid response data received."}
 	}
@@ -782,7 +745,7 @@ func (c *GeminiClient) generateOnce(prompt string, files []string, model Model,
 }

 // extractErrorCode attempts to navigate the known nested error structure and fetch the integer code.
-// Mirrors Python path: response_json[0][5][2][0][1][0]
+// Mirrors reference path: response_json[0][5][2][0][1][0]
 func extractErrorCode(top []any) (int, bool) {
 	if len(top) == 0 {
 		return 0, false
--- a/internal/provider/gemini-web/conversation/alias.go
+++ b/internal/provider/gemini-web/conversation/alias.go
@@ -0,0 +1,80 @@
+package conversation
+
+import (
+	"strings"
+	"sync"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+)
+
+var (
+	aliasOnce sync.Once
+	aliasMap  map[string]string
+)
+
+// EnsureGeminiWebAliasMap populates the alias map once.
+func EnsureGeminiWebAliasMap() {
+	aliasOnce.Do(func() {
+		aliasMap = make(map[string]string)
+		for _, m := range registry.GetGeminiModels() {
+			if m.ID == "gemini-2.5-flash-lite" {
+				continue
+			}
+			if m.ID == "gemini-2.5-flash" {
+				aliasMap["gemini-2.5-flash-image-preview"] = "gemini-2.5-flash"
+			}
+			alias := AliasFromModelID(m.ID)
+			aliasMap[strings.ToLower(alias)] = strings.ToLower(m.ID)
+		}
+	})
+}
+
+// MapAliasToUnderlying normalizes a model alias to its underlying identifier.
+func MapAliasToUnderlying(name string) string {
+	EnsureGeminiWebAliasMap()
+	n := strings.ToLower(strings.TrimSpace(name))
+	if n == "" {
+		return n
+	}
+	if u, ok := aliasMap[n]; ok {
+		return u
+	}
+	const suffix = "-web"
+	if strings.HasSuffix(n, suffix) {
+		return strings.TrimSuffix(n, suffix)
+	}
+	return n
+}
+
+// AliasFromModelID mirrors the original helper for deriving alias IDs.
+func AliasFromModelID(modelID string) string {
+	return modelID + "-web"
+}
+
+// NormalizeModel returns the canonical identifier used for hashing.
+func NormalizeModel(model string) string {
+	return MapAliasToUnderlying(model)
+}
+
+// GetGeminiWebAliasedModels returns alias metadata for registry exposure.
+func GetGeminiWebAliasedModels() []*registry.ModelInfo {
+	EnsureGeminiWebAliasMap()
+	aliased := make([]*registry.ModelInfo, 0)
+	for _, m := range registry.GetGeminiModels() {
+		if m.ID == "gemini-2.5-flash-lite" {
+			continue
+		} else if m.ID == "gemini-2.5-flash" {
+			cpy := *m
+			cpy.ID = "gemini-2.5-flash-image-preview"
+			cpy.Name = "gemini-2.5-flash-image-preview"
+			cpy.DisplayName = "Nano Banana"
+			cpy.Description = "Gemini 2.5 Flash Preview Image"
+			aliased = append(aliased, &cpy)
+		}
+		cpy := *m
+		cpy.ID = AliasFromModelID(m.ID)
+		cpy.Name = cpy.ID
+		aliased = append(aliased, &cpy)
+	}
+	return aliased
+}
--- a/internal/provider/gemini-web/conversation/hash.go
+++ b/internal/provider/gemini-web/conversation/hash.go
@@ -0,0 +1,74 @@
+package conversation
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"strings"
+)
+
+// Message represents a minimal role-text pair used for hashing and comparison.
+type Message struct {
+	Role string `json:"role"`
+	Text string `json:"text"`
+}
+
+// StoredMessage mirrors the persisted conversation message structure.
+type StoredMessage struct {
+	Role    string `json:"role"`
+	Content string `json:"content"`
+	Name    string `json:"name,omitempty"`
+}
+
+// Sha256Hex computes SHA-256 hex digest for the specified string.
+func Sha256Hex(s string) string {
+	sum := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(sum[:])
+}
+
+// ToStoredMessages converts in-memory messages into the persisted representation.
+func ToStoredMessages(msgs []Message) []StoredMessage {
+	out := make([]StoredMessage, 0, len(msgs))
+	for _, m := range msgs {
+		out = append(out, StoredMessage{Role: m.Role, Content: m.Text})
+	}
+	return out
+}
+
+// StoredToMessages converts stored messages back into the in-memory representation.
+func StoredToMessages(msgs []StoredMessage) []Message {
+	out := make([]Message, 0, len(msgs))
+	for _, m := range msgs {
+		out = append(out, Message{Role: m.Role, Text: m.Content})
+	}
+	return out
+}
+
+// hashMessage normalizes message data and returns a stable digest.
+func hashMessage(m StoredMessage) string {
+	s := fmt.Sprintf(`{"content":%q,"role":%q}`, m.Content, strings.ToLower(m.Role))
+	return Sha256Hex(s)
+}
+
+// HashConversationWithPrefix computes a conversation hash using the provided prefix (client identifier) and model.
+func HashConversationWithPrefix(prefix, model string, msgs []StoredMessage) string {
+	var b strings.Builder
+	b.WriteString(strings.ToLower(strings.TrimSpace(prefix)))
+	b.WriteString("|")
+	b.WriteString(strings.ToLower(strings.TrimSpace(model)))
+	for _, m := range msgs {
+		b.WriteString("|")
+		b.WriteString(hashMessage(m))
+	}
+	return Sha256Hex(b.String())
+}
+
+// HashConversationForAccount keeps compatibility with the per-account hash previously used.
+func HashConversationForAccount(clientID, model string, msgs []StoredMessage) string {
+	return HashConversationWithPrefix(clientID, model, msgs)
+}
+
+// HashConversationGlobal produces a hash suitable for cross-account lookups.
+func HashConversationGlobal(model string, msgs []StoredMessage) string {
+	return HashConversationWithPrefix("global", model, msgs)
+}
--- a/internal/provider/gemini-web/conversation/index.go
+++ b/internal/provider/gemini-web/conversation/index.go
@@ -0,0 +1,280 @@
+package conversation
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	bolt "go.etcd.io/bbolt"
+)
+
+const (
+	bucketMatches    = "matches"
+	defaultIndexFile = "gemini-web-index.bolt"
+)
+
+// MatchRecord stores persisted mapping metadata for a conversation prefix.
+type MatchRecord struct {
+	AccountLabel string   `json:"account_label"`
+	Metadata     []string `json:"metadata,omitempty"`
+	PrefixLen    int      `json:"prefix_len"`
+	UpdatedAt    int64    `json:"updated_at"`
+}
+
+// MatchResult combines a persisted record with the hash that produced it.
+type MatchResult struct {
+	Hash   string
+	Record MatchRecord
+	Model  string
+}
+
+var (
+	indexOnce sync.Once
+	indexDB   *bolt.DB
+	indexErr  error
+)
+
+func openIndex() (*bolt.DB, error) {
+	indexOnce.Do(func() {
+		path := indexPath()
+		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+			indexErr = err
+			return
+		}
+		db, err := bolt.Open(path, 0o600, &bolt.Options{Timeout: 2 * time.Second})
+		if err != nil {
+			indexErr = err
+			return
+		}
+		indexDB = db
+	})
+	return indexDB, indexErr
+}
+
+func indexPath() string {
+	wd, err := os.Getwd()
+	if err != nil || wd == "" {
+		wd = "."
+	}
+	return filepath.Join(wd, "conv", defaultIndexFile)
+}
+
+// StoreMatch persists or updates a conversation hash mapping.
+func StoreMatch(hash string, record MatchRecord) error {
+	if strings.TrimSpace(hash) == "" {
+		return errors.New("gemini-web conversation: empty hash")
+	}
+	db, err := openIndex()
+	if err != nil {
+		return err
+	}
+	record.UpdatedAt = time.Now().UTC().Unix()
+	payload, err := json.Marshal(record)
+	if err != nil {
+		return err
+	}
+	return db.Update(func(tx *bolt.Tx) error {
+		bucket, err := tx.CreateBucketIfNotExists([]byte(bucketMatches))
+		if err != nil {
+			return err
+		}
+		// Namespace by account label to avoid cross-account collisions.
+		label := strings.ToLower(strings.TrimSpace(record.AccountLabel))
+		if label == "" {
+			return errors.New("gemini-web conversation: empty account label")
+		}
+		key := []byte(hash + ":" + label)
+		if err := bucket.Put(key, payload); err != nil {
+			return err
+		}
+		// Best-effort cleanup of legacy single-key format (hash -> MatchRecord).
+		// We do not know its label; leave it for lookup fallback/cleanup elsewhere.
+		return nil
+	})
+}
+
+// LookupMatch retrieves a stored mapping.
+// It prefers namespaced entries (hash:label). If multiple labels exist for the same
+// hash, it returns not found to avoid redirecting to the wrong credential.
+// Falls back to legacy single-key entries if present.
+func LookupMatch(hash string) (MatchRecord, bool, error) {
+	db, err := openIndex()
+	if err != nil {
+		return MatchRecord{}, false, err
+	}
+	var foundOne bool
+	var ambiguous bool
+	var firstLabel string
+	var single MatchRecord
+	err = db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketMatches))
+		if bucket == nil {
+			return nil
+		}
+		// Scan namespaced keys with prefix "hash:"
+		prefix := []byte(hash + ":")
+		c := bucket.Cursor()
+		for k, v := c.Seek(prefix); k != nil && bytes.HasPrefix(k, prefix); k, v = c.Next() {
+			if len(v) == 0 {
+				continue
+			}
+			var rec MatchRecord
+			if err := json.Unmarshal(v, &rec); err != nil {
+				// Ignore malformed; removal is handled elsewhere.
+				continue
+			}
+			if strings.TrimSpace(rec.AccountLabel) == "" || rec.PrefixLen <= 0 {
+				continue
+			}
+			label := strings.ToLower(strings.TrimSpace(rec.AccountLabel))
+			if !foundOne {
+				firstLabel = label
+				single = rec
+				foundOne = true
+				continue
+			}
+			if label != firstLabel {
+				ambiguous = true
+				// Early exit scan; ambiguity detected.
+				return nil
+			}
+		}
+		if foundOne {
+			return nil
+		}
+		// Fallback to legacy single-key format
+		raw := bucket.Get([]byte(hash))
+		if len(raw) == 0 {
+			return nil
+		}
+		return json.Unmarshal(raw, &single)
+	})
+	if err != nil {
+		return MatchRecord{}, false, err
+	}
+	if ambiguous {
+		return MatchRecord{}, false, nil
+	}
+	if strings.TrimSpace(single.AccountLabel) == "" || single.PrefixLen <= 0 {
+		return MatchRecord{}, false, nil
+	}
+	return single, true, nil
+}
+
+// RemoveMatch deletes all mappings for the given hash (all labels and legacy key).
+func RemoveMatch(hash string) error {
+	db, err := openIndex()
+	if err != nil {
+		return err
+	}
+	return db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketMatches))
+		if bucket == nil {
+			return nil
+		}
+		// Delete namespaced entries
+		prefix := []byte(hash + ":")
+		c := bucket.Cursor()
+		for k, _ := c.Seek(prefix); k != nil && bytes.HasPrefix(k, prefix); k, _ = c.Next() {
+			if err := bucket.Delete(k); err != nil {
+				return err
+			}
+		}
+		// Delete legacy entry
+		_ = bucket.Delete([]byte(hash))
+		return nil
+	})
+}
+
+// RemoveMatchForLabel deletes the mapping for the given hash and label only.
+func RemoveMatchForLabel(hash, label string) error {
+	label = strings.ToLower(strings.TrimSpace(label))
+	if strings.TrimSpace(hash) == "" || label == "" {
+		return nil
+	}
+	db, err := openIndex()
+	if err != nil {
+		return err
+	}
+	return db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketMatches))
+		if bucket == nil {
+			return nil
+		}
+		// Remove namespaced key
+		_ = bucket.Delete([]byte(hash + ":" + label))
+		// If legacy single-key exists and matches label, remove it as well.
+		if raw := bucket.Get([]byte(hash)); len(raw) > 0 {
+			var rec MatchRecord
+			if err := json.Unmarshal(raw, &rec); err == nil {
+				if strings.EqualFold(strings.TrimSpace(rec.AccountLabel), label) {
+					_ = bucket.Delete([]byte(hash))
+				}
+			}
+		}
+		return nil
+	})
+}
+
+// RemoveMatchesByLabel removes all entries associated with the specified label.
+func RemoveMatchesByLabel(label string) error {
+	label = strings.TrimSpace(label)
+	if label == "" {
+		return nil
+	}
+	db, err := openIndex()
+	if err != nil {
+		return err
+	}
+	return db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketMatches))
+		if bucket == nil {
+			return nil
+		}
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			if len(v) == 0 {
+				continue
+			}
+			var record MatchRecord
+			if err := json.Unmarshal(v, &record); err != nil {
+				_ = bucket.Delete(k)
+				continue
+			}
+			if strings.EqualFold(strings.TrimSpace(record.AccountLabel), label) {
+				if err := bucket.Delete(k); err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	})
+}
+
+// StoreConversation updates all hashes representing the provided conversation snapshot.
+func StoreConversation(label, model string, msgs []Message, metadata []string) error {
+	label = strings.TrimSpace(label)
+	if label == "" || len(msgs) == 0 {
+		return nil
+	}
+	hashes := BuildStorageHashes(model, msgs)
+	if len(hashes) == 0 {
+		return nil
+	}
+	for _, h := range hashes {
+		rec := MatchRecord{
+			AccountLabel: label,
+			Metadata:     append([]string(nil), metadata...),
+			PrefixLen:    h.PrefixLen,
+		}
+		if err := StoreMatch(h.Hash, rec); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/internal/provider/gemini-web/conversation/lookup.go
+++ b/internal/provider/gemini-web/conversation/lookup.go
@@ -0,0 +1,64 @@
+package conversation
+
+import "strings"
+
+// PrefixHash represents a hash candidate for a specific prefix length.
+type PrefixHash struct {
+	Hash      string
+	PrefixLen int
+}
+
+// BuildLookupHashes generates hash candidates ordered from longest to shortest prefix.
+func BuildLookupHashes(model string, msgs []Message) []PrefixHash {
+	if len(msgs) < 2 {
+		return nil
+	}
+	model = NormalizeModel(model)
+	sanitized := SanitizeAssistantMessages(msgs)
+	result := make([]PrefixHash, 0, len(sanitized))
+	for end := len(sanitized); end >= 2; end-- {
+		tailRole := strings.ToLower(strings.TrimSpace(sanitized[end-1].Role))
+		if tailRole != "assistant" && tailRole != "system" {
+			continue
+		}
+		prefix := sanitized[:end]
+		hash := HashConversationGlobal(model, ToStoredMessages(prefix))
+		result = append(result, PrefixHash{Hash: hash, PrefixLen: end})
+	}
+	return result
+}
+
+// BuildStorageHashes returns hashes representing the full conversation snapshot.
+func BuildStorageHashes(model string, msgs []Message) []PrefixHash {
+	if len(msgs) == 0 {
+		return nil
+	}
+	model = NormalizeModel(model)
+	sanitized := SanitizeAssistantMessages(msgs)
+	if len(sanitized) == 0 {
+		return nil
+	}
+	result := make([]PrefixHash, 0, len(sanitized))
+	seen := make(map[string]struct{}, len(sanitized))
+	for start := 0; start < len(sanitized); start++ {
+		segment := sanitized[start:]
+		if len(segment) < 2 {
+			continue
+		}
+		tailRole := strings.ToLower(strings.TrimSpace(segment[len(segment)-1].Role))
+		if tailRole != "assistant" && tailRole != "system" {
+			continue
+		}
+		hash := HashConversationGlobal(model, ToStoredMessages(segment))
+		if _, exists := seen[hash]; exists {
+			continue
+		}
+		seen[hash] = struct{}{}
+		result = append(result, PrefixHash{Hash: hash, PrefixLen: len(segment)})
+	}
+	if len(result) == 0 {
+		hash := HashConversationGlobal(model, ToStoredMessages(sanitized))
+		return []PrefixHash{{Hash: hash, PrefixLen: len(sanitized)}}
+	}
+	return result
+}
--- a/internal/provider/gemini-web/conversation/metadata.go
+++ b/internal/provider/gemini-web/conversation/metadata.go
@@ -0,0 +1,6 @@
+package conversation
+
+const (
+	MetadataMessagesKey = "gemini_web_messages"
+	MetadataMatchKey    = "gemini_web_match"
+)
--- a/internal/provider/gemini-web/conversation/parse.go
+++ b/internal/provider/gemini-web/conversation/parse.go
@@ -0,0 +1,110 @@
+package conversation
+
+import (
+	"strings"
+
+	"github.com/tidwall/gjson"
+)
+
+// ExtractMessages attempts to build a message list from the inbound request payload.
+func ExtractMessages(handlerType string, raw []byte) []Message {
+	if len(raw) == 0 {
+		return nil
+	}
+	if msgs := extractOpenAIStyle(raw); len(msgs) > 0 {
+		return msgs
+	}
+	if msgs := extractGeminiContents(raw); len(msgs) > 0 {
+		return msgs
+	}
+	return nil
+}
+
+func extractOpenAIStyle(raw []byte) []Message {
+	root := gjson.ParseBytes(raw)
+	messages := root.Get("messages")
+	if !messages.Exists() {
+		return nil
+	}
+	out := make([]Message, 0, 8)
+	messages.ForEach(func(_, entry gjson.Result) bool {
+		role := strings.ToLower(strings.TrimSpace(entry.Get("role").String()))
+		if role == "" {
+			return true
+		}
+		if role == "system" {
+			return true
+		}
+		// Ignore OpenAI tool messages to keep hashing aligned with
+		// persistence (which only keeps text/inlineData for Gemini contents).
+		// This avoids mismatches when a tool response is present: the
+		// storage path drops tool payloads while the lookup path would
+		// otherwise include them, causing sticky selection to fail.
+		if role == "tool" {
+			return true
+		}
+		var contentBuilder strings.Builder
+		content := entry.Get("content")
+		if !content.Exists() {
+			out = append(out, Message{Role: role, Text: ""})
+			return true
+		}
+		switch content.Type {
+		case gjson.String:
+			contentBuilder.WriteString(content.String())
+		case gjson.JSON:
+			if content.IsArray() {
+				content.ForEach(func(_, part gjson.Result) bool {
+					if text := part.Get("text"); text.Exists() {
+						if contentBuilder.Len() > 0 {
+							contentBuilder.WriteString("\n")
+						}
+						contentBuilder.WriteString(text.String())
+					}
+					return true
+				})
+			}
+		}
+		out = append(out, Message{Role: role, Text: contentBuilder.String()})
+		return true
+	})
+	if len(out) == 0 {
+		return nil
+	}
+	return out
+}
+
+func extractGeminiContents(raw []byte) []Message {
+	contents := gjson.GetBytes(raw, "contents")
+	if !contents.Exists() {
+		return nil
+	}
+	out := make([]Message, 0, 8)
+	contents.ForEach(func(_, entry gjson.Result) bool {
+		role := strings.TrimSpace(entry.Get("role").String())
+		if role == "" {
+			role = "user"
+		} else {
+			role = strings.ToLower(role)
+			if role == "model" {
+				role = "assistant"
+			}
+		}
+		var builder strings.Builder
+		entry.Get("parts").ForEach(func(_, part gjson.Result) bool {
+			if text := part.Get("text"); text.Exists() {
+				if builder.Len() > 0 {
+					builder.WriteString("\n")
+				}
+				builder.WriteString(text.String())
+			}
+			return true
+		})
+		out = append(out, Message{Role: role, Text: builder.String()})
+		return true
+	})
+	if len(out) == 0 {
+		return nil
+	}
+	return out
+}
--- a/internal/provider/gemini-web/conversation/sanitize.go
+++ b/internal/provider/gemini-web/conversation/sanitize.go
@@ -0,0 +1,39 @@
+package conversation
+
+import (
+	"regexp"
+	"strings"
+)
+
+var reThink = regexp.MustCompile(`(?is)<think>.*?</think>`)
+
+// RemoveThinkTags strips <think>...</think> blocks and trims whitespace.
+func RemoveThinkTags(s string) string {
+	return strings.TrimSpace(reThink.ReplaceAllString(s, ""))
+}
+
+// SanitizeAssistantMessages removes think tags from assistant messages while leaving others untouched.
+func SanitizeAssistantMessages(msgs []Message) []Message {
+	out := make([]Message, 0, len(msgs))
+	for _, m := range msgs {
+		if strings.EqualFold(strings.TrimSpace(m.Role), "assistant") {
+			out = append(out, Message{Role: m.Role, Text: RemoveThinkTags(m.Text)})
+			continue
+		}
+		out = append(out, m)
+	}
+	return out
+}
+
+// EqualMessages compares two message slices for equality.
+func EqualMessages(a, b []Message) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i].Role != b[i].Role || a[i].Text != b[i].Text {
+			return false
+		}
+	}
+	return true
+}
--- a/internal/provider/gemini-web/media.go
+++ b/internal/provider/gemini-web/media.go
@@ -2,7 +2,6 @@ package geminiwebapi

 import (
 	"bytes"
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -11,8 +10,6 @@ import (
 	"math"
 	"mime/multipart"
 	"net/http"
-	"net/http/cookiejar"
-	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -55,7 +52,7 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 			filename = q[0]
 		}
 	}
-	// Regex validation (align with Python: ^(.*\.\w+)) to extract name with extension.
+	// Regex validation (pattern: ^(.*\.\w+)) to extract name with extension.
 	if filename != "" {
 		re := regexp.MustCompile(`^(.*\.\w+)`)
 		if m := re.FindStringSubmatch(filename); len(m) >= 2 {
@@ -69,20 +66,11 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 			}
 		}
 	}
-	// Build client with cookie jar so cookies persist across redirects.
-	tr := &http.Transport{}
-	if i.Proxy != "" {
-		if pu, err := url.Parse(i.Proxy); err == nil {
-			tr.Proxy = http.ProxyURL(pu)
-		}
-	}
-	if insecure {
-		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	jar, _ := cookiejar.New(nil)
-	client := &http.Client{Transport: tr, Timeout: 120 * time.Second, Jar: jar}
+	// Build client using shared helper to keep proxy/TLS behavior consistent.
+	client := newHTTPClient(httpOptions{ProxyURL: i.Proxy, Insecure: insecure, FollowRedirects: true})
+	client.Timeout = 120 * time.Second

-	// Helper to set raw Cookie header using provided cookies (to mirror Python client behavior).
+	// Helper to set raw Cookie header using provided cookies (parity with the reference client behavior).
 	buildCookieHeader := func(m map[string]string) string {
 		if len(m) == 0 {
 			return ""
@@ -148,7 +136,7 @@ func (i Image) Save(path string, filename string, cookies map[string]string, ver
 		return "", err
 	}
 	if verbose {
-		log.Infof("Image saved as %s", dest)
+		fmt.Printf("Image saved as %s\n", dest)
 	}
 	abspath, _ := filepath.Abs(dest)
 	return abspath, nil
@@ -352,23 +340,11 @@ func uploadFile(path string, proxy string, insecure bool) (string, error) {
 	}
 	_ = mw.Close()

-	tr := &http.Transport{}
-	if proxy != "" {
-		if pu, errParse := url.Parse(proxy); errParse == nil {
-			tr.Proxy = http.ProxyURL(pu)
-		}
-	}
-	if insecure {
-		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	client := &http.Client{Transport: tr, Timeout: 300 * time.Second}
+	client := newHTTPClient(httpOptions{ProxyURL: proxy, Insecure: insecure, FollowRedirects: true})
+	client.Timeout = 300 * time.Second

 	req, _ := http.NewRequest(http.MethodPost, EndpointUpload, &buf)
-	for k, v := range HeadersUpload {
-		for _, vv := range v {
-			req.Header.Add(k, vv)
-		}
-	}
+	applyHeaders(req, HeadersUpload)
 	req.Header.Set("Content-Type", mw.FormDataContentType())
 	req.Header.Set("Accept", "*/*")
 	req.Header.Set("Connection", "keep-alive")
--- a/internal/provider/gemini-web/models.go
+++ b/internal/provider/gemini-web/models.go
@@ -4,10 +4,9 @@ import (
 	"fmt"
 	"html"
 	"net/http"
-	"strings"
-	"sync"
 	"time"

+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
 )

@@ -105,76 +104,20 @@ const (
 	ErrorIPTemporarilyBlocked = 1060
 )

-var (
-	GeminiWebAliasOnce sync.Once
-	GeminiWebAliasMap  map[string]string
-)
-
-func EnsureGeminiWebAliasMap() {
-	GeminiWebAliasOnce.Do(func() {
-		GeminiWebAliasMap = make(map[string]string)
-		for _, m := range registry.GetGeminiModels() {
-			if m.ID == "gemini-2.5-flash-lite" {
-				continue
-			} else if m.ID == "gemini-2.5-flash" {
-				GeminiWebAliasMap["gemini-2.5-flash-image-preview"] = "gemini-2.5-flash"
-			}
-			alias := AliasFromModelID(m.ID)
-			GeminiWebAliasMap[strings.ToLower(alias)] = strings.ToLower(m.ID)
-		}
-	})
-}
+func EnsureGeminiWebAliasMap() { conversation.EnsureGeminiWebAliasMap() }

 func GetGeminiWebAliasedModels() []*registry.ModelInfo {
-	EnsureGeminiWebAliasMap()
-	aliased := make([]*registry.ModelInfo, 0)
-	for _, m := range registry.GetGeminiModels() {
-		if m.ID == "gemini-2.5-flash-lite" {
-			continue
-		} else if m.ID == "gemini-2.5-flash" {
-			cpy := *m
-			cpy.ID = "gemini-2.5-flash-image-preview"
-			cpy.Name = "gemini-2.5-flash-image-preview"
-			cpy.DisplayName = "Nano Banana"
-			cpy.Description = "Gemini 2.5 Flash Preview Image"
-			aliased = append(aliased, &cpy)
-		}
-		cpy := *m
-		cpy.ID = AliasFromModelID(m.ID)
-		cpy.Name = cpy.ID
-		aliased = append(aliased, &cpy)
-	}
-	return aliased
+	return conversation.GetGeminiWebAliasedModels()
 }

-func MapAliasToUnderlying(name string) string {
-	EnsureGeminiWebAliasMap()
-	n := strings.ToLower(name)
-	if u, ok := GeminiWebAliasMap[n]; ok {
-		return u
-	}
-	const suffix = "-web"
-	if strings.HasSuffix(n, suffix) {
-		return strings.TrimSuffix(n, suffix)
-	}
-	return name
-}
+func MapAliasToUnderlying(name string) string { return conversation.MapAliasToUnderlying(name) }

-func AliasFromModelID(modelID string) string {
-	return modelID + "-web"
-}
+func AliasFromModelID(modelID string) string { return conversation.AliasFromModelID(modelID) }

 // Conversation domain structures -------------------------------------------
-type RoleText struct {
-	Role string
-	Text string
-}
+type RoleText = conversation.Message

-type StoredMessage struct {
-	Role    string `json:"role"`
-	Content string `json:"content"`
-	Name    string `json:"name,omitempty"`
-}
+type StoredMessage = conversation.StoredMessage

 type ConversationRecord struct {
 	Model     string          `json:"model"`
--- a/internal/provider/gemini-web/prompt.go
+++ b/internal/provider/gemini-web/prompt.go
@@ -8,11 +8,11 @@ import (
 	"unicode/utf8"

 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
 	"github.com/tidwall/gjson"
 )

 var (
-	reThink     = regexp.MustCompile(`(?s)^\s*<think>.*?</think>\s*`)
 	reXMLAnyTag = regexp.MustCompile(`(?s)<\s*[^>]+>`)
 )

@@ -77,20 +77,13 @@ func BuildPrompt(msgs []RoleText, tagged bool, appendAssistant bool) string {

 // RemoveThinkTags strips <think>...</think> blocks from a string.
 func RemoveThinkTags(s string) string {
-	return strings.TrimSpace(reThink.ReplaceAllString(s, ""))
+	return conversation.RemoveThinkTags(s)
 }

 // SanitizeAssistantMessages removes think tags from assistant messages.
 func SanitizeAssistantMessages(msgs []RoleText) []RoleText {
-	out := make([]RoleText, 0, len(msgs))
-	for _, m := range msgs {
-		if strings.ToLower(m.Role) == "assistant" {
-			out = append(out, RoleText{Role: m.Role, Text: RemoveThinkTags(m.Text)})
-		} else {
-			out = append(out, m)
-		}
-	}
-	return out
+	cleaned := conversation.SanitizeAssistantMessages(msgs)
+	return cleaned
 }

 // AppendXMLWrapHintIfNeeded appends an XML wrap hint to messages containing XML-like blocks.
--- a/internal/provider/gemini-web/state.go
+++ b/internal/provider/gemini-web/state.go
@@ -3,8 +3,6 @@ package geminiwebapi
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -19,8 +17,10 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/translator/translator"
 	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	log "github.com/sirupsen/logrus"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 	bolt "go.etcd.io/bbolt"
@@ -34,6 +34,7 @@ type GeminiWebState struct {
 	cfg         *config.Config
 	token       *gemini.GeminiWebTokenStorage
 	storagePath string
+	authLabel   string

 	stableClientID string
 	accountID      string
@@ -50,18 +51,28 @@ type GeminiWebState struct {
 	convIndex map[string]string

 	lastRefresh time.Time
+
+	pendingMatchMu sync.Mutex
+	pendingMatch   *conversation.MatchResult
 }

-func NewGeminiWebState(cfg *config.Config, token *gemini.GeminiWebTokenStorage, storagePath string) *GeminiWebState {
+type reuseComputation struct {
+	metadata []string
+	history  []RoleText
+	overlap  int
+}
+
+func NewGeminiWebState(cfg *config.Config, token *gemini.GeminiWebTokenStorage, storagePath, authLabel string) *GeminiWebState {
 	state := &GeminiWebState{
 		cfg:         cfg,
 		token:       token,
 		storagePath: storagePath,
+		authLabel:   strings.TrimSpace(authLabel),
 		convStore:   make(map[string][]string),
 		convData:    make(map[string]ConversationRecord),
 		convIndex:   make(map[string]string),
 	}
-	suffix := Sha256Hex(token.Secure1PSID)
+	suffix := conversation.Sha256Hex(token.Secure1PSID)
 	if len(suffix) > 16 {
 		suffix = suffix[:16]
 	}
@@ -80,34 +91,146 @@ func NewGeminiWebState(cfg *config.Config, token *gemini.GeminiWebTokenStorage,
 	return state
 }

+func (s *GeminiWebState) setPendingMatch(match *conversation.MatchResult) {
+	if s == nil {
+		return
+	}
+	s.pendingMatchMu.Lock()
+	s.pendingMatch = match
+	s.pendingMatchMu.Unlock()
+}
+
+func (s *GeminiWebState) consumePendingMatch() *conversation.MatchResult {
+	s.pendingMatchMu.Lock()
+	defer s.pendingMatchMu.Unlock()
+	match := s.pendingMatch
+	s.pendingMatch = nil
+	return match
+}
+
+// SetPendingMatch makes a cached conversation match available for the next request.
+func (s *GeminiWebState) SetPendingMatch(match *conversation.MatchResult) {
+	s.setPendingMatch(match)
+}
+
+// Label returns a stable account label for logging and persistence.
+// If a storage file path is known, it uses the file base name (without extension).
+// Otherwise, it falls back to the stable client ID (e.g., "gemini-web-<hash>").
+func (s *GeminiWebState) Label() string {
+	if s == nil {
+		return ""
+	}
+	if s.token != nil {
+		if lbl := strings.TrimSpace(s.token.Label); lbl != "" {
+			return lbl
+		}
+	}
+	if lbl := strings.TrimSpace(s.authLabel); lbl != "" {
+		return lbl
+	}
+	if s.storagePath != "" {
+		base := strings.TrimSuffix(filepath.Base(s.storagePath), filepath.Ext(s.storagePath))
+		if base != "" {
+			return base
+		}
+	}
+	return s.stableClientID
+}
+
 func (s *GeminiWebState) loadConversationCaches() {
-	if path := s.convStorePath(); path != "" {
-		if store, err := LoadConvStore(path); err == nil {
-			s.convStore = store
-		}
+	path := s.convPath()
+	if path == "" {
+		return
 	}
-	if path := s.convDataPath(); path != "" {
-		if items, index, err := LoadConvData(path); err == nil {
-			s.convData = items
-			s.convIndex = index
-		}
+	if store, err := LoadConvStore(path); err == nil {
+		s.convStore = store
+	}
+	if items, index, err := LoadConvData(path); err == nil {
+		s.convData = items
+		s.convIndex = index
 	}
 }

-func (s *GeminiWebState) convStorePath() string {
+// convPath returns the BoltDB file path used for both account metadata and conversation data.
+func (s *GeminiWebState) convPath() string {
 	base := s.storagePath
 	if base == "" {
-		base = s.accountID + ".json"
+		// Use accountID directly as base name; ConvBoltPath will append .bolt.
+		base = s.accountID
 	}
-	return ConvStorePath(base)
+	return ConvBoltPath(base)
 }

-func (s *GeminiWebState) convDataPath() string {
-	base := s.storagePath
-	if base == "" {
-		base = s.accountID + ".json"
+func cloneRoleTextSlice(in []RoleText) []RoleText {
+	if len(in) == 0 {
+		return nil
 	}
-	return ConvDataPath(base)
+	out := make([]RoleText, len(in))
+	copy(out, in)
+	return out
+}
+
+func cloneStringSlice(in []string) []string {
+	if len(in) == 0 {
+		return nil
+	}
+	out := make([]string, len(in))
+	copy(out, in)
+	return out
+}
+
+func longestHistoryOverlap(history, incoming []RoleText) int {
+	max := len(history)
+	if len(incoming) < max {
+		max = len(incoming)
+	}
+	for overlap := max; overlap > 0; overlap-- {
+		if conversation.EqualMessages(history[len(history)-overlap:], incoming[:overlap]) {
+			return overlap
+		}
+	}
+	return 0
+}
+
+func equalStringSlice(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func storedMessagesToRoleText(stored []conversation.StoredMessage) []RoleText {
+	if len(stored) == 0 {
+		return nil
+	}
+	converted := make([]RoleText, len(stored))
+	for i, msg := range stored {
+		converted[i] = RoleText{Role: msg.Role, Text: msg.Content}
+	}
+	return converted
+}
+
+func (s *GeminiWebState) findConversationByMetadata(model string, metadata []string) ([]RoleText, bool) {
+	if len(metadata) == 0 {
+		return nil, false
+	}
+	s.convMu.RLock()
+	defer s.convMu.RUnlock()
+	for _, rec := range s.convData {
+		if !strings.EqualFold(strings.TrimSpace(rec.Model), strings.TrimSpace(model)) {
+			continue
+		}
+		if !equalStringSlice(rec.Metadata, metadata) {
+			continue
+		}
+		return cloneRoleTextSlice(storedMessagesToRoleText(rec.Messages)), true
+	}
+	return nil, false
 }

 func (s *GeminiWebState) GetRequestMutex() *sync.Mutex { return &s.reqMu }
@@ -158,6 +281,12 @@ func (s *GeminiWebState) Refresh(ctx context.Context) error {
 			s.client.Cookies["__Secure-1PSIDTS"] = newTS
 		}
 		s.tokenMu.Unlock()
+		// Detailed debug log: provider and account label.
+		label := strings.TrimSpace(s.Label())
+		if label == "" {
+			label = s.accountID
+		}
+		log.Debugf("gemini web account %s rotated 1PSIDTS: %s", label, MaskToken28(newTS))
 	}
 	s.lastRefresh = time.Now()
 	return nil
@@ -197,7 +326,7 @@ func (s *GeminiWebState) prepare(ctx context.Context, modelName string, rawJSON
 		return nil, &interfaces.ErrorMessage{StatusCode: 400, Error: fmt.Errorf("bad request: %w", err)}
 	}
 	cleaned := SanitizeAssistantMessages(messages)
-	res.cleaned = cleaned
+	fullCleaned := cloneRoleTextSlice(cleaned)
 	res.underlying = MapAliasToUnderlying(modelName)
 	model, err := ModelFromName(res.underlying)
 	if err != nil {
@@ -210,15 +339,27 @@ func (s *GeminiWebState) prepare(ctx context.Context, modelName string, rawJSON
 	mimesSubset := mimes

 	if s.useReusableContext() {
-		reuseMeta, remaining := s.findReusableSession(res.underlying, cleaned)
-		if len(reuseMeta) > 0 {
+		reusePlan := s.reuseFromPending(res.underlying, cleaned)
+		if reusePlan == nil {
+			reusePlan = s.findReusableSession(res.underlying, cleaned)
+		}
+		if reusePlan != nil {
 			res.reuse = true
-			meta = reuseMeta
-			if len(remaining) == 1 {
-				useMsgs = []RoleText{remaining[0]}
-			} else if len(remaining) > 1 {
-				useMsgs = remaining
-			} else if len(cleaned) > 0 {
+			meta = cloneStringSlice(reusePlan.metadata)
+			overlap := reusePlan.overlap
+			if overlap > len(cleaned) {
+				overlap = len(cleaned)
+			} else if overlap < 0 {
+				overlap = 0
+			}
+			delta := cloneRoleTextSlice(cleaned[overlap:])
+			if len(reusePlan.history) > 0 {
+				fullCleaned = append(cloneRoleTextSlice(reusePlan.history), delta...)
+			} else {
+				fullCleaned = append(cloneRoleTextSlice(cleaned[:overlap]), delta...)
+			}
+			useMsgs = delta
+			if len(delta) == 0 && len(cleaned) > 0 {
 				useMsgs = []RoleText{cleaned[len(cleaned)-1]}
 			}
 			if len(useMsgs) == 1 && len(messages) > 0 && len(msgFileIdx) == len(messages) {
@@ -276,6 +417,8 @@ func (s *GeminiWebState) prepare(ctx context.Context, modelName string, rawJSON
 		s.convMu.RUnlock()
 	}

+	res.cleaned = fullCleaned
+
 	res.tagged = NeedRoleTags(useMsgs)
 	if res.reuse && len(useMsgs) == 1 {
 		res.tagged = false
@@ -389,7 +532,7 @@ func (s *GeminiWebState) persistConversation(modelName string, prep *geminiWebPr
 			storeSnapshot[k] = cp
 		}
 		s.convMu.Unlock()
-		_ = SaveConvStore(s.convStorePath(), storeSnapshot)
+		_ = SaveConvStore(s.convPath(), storeSnapshot)
 	}

 	if !s.useReusableContext() {
@@ -399,8 +542,22 @@ func (s *GeminiWebState) persistConversation(modelName string, prep *geminiWebPr
 	if !ok {
 		return
 	}
-	stableHash := HashConversation(rec.ClientID, prep.underlying, rec.Messages)
-	accountHash := HashConversation(s.accountID, prep.underlying, rec.Messages)
+	label := strings.TrimSpace(s.Label())
+	if label == "" {
+		label = s.accountID
+	}
+	conversationMsgs := conversation.StoredToMessages(rec.Messages)
+	if err := conversation.StoreConversation(label, prep.underlying, conversationMsgs, metadata); err != nil {
+		log.Debugf("gemini web: failed to persist global conversation index: %v", err)
+	}
+	stableHash := conversation.HashConversationForAccount(rec.ClientID, prep.underlying, rec.Messages)
+	accountHash := conversation.HashConversationForAccount(s.accountID, prep.underlying, rec.Messages)
+
+	suffixSeen := make(map[string]struct{})
+	suffixSeen["hash:"+stableHash] = struct{}{}
+	if accountHash != stableHash {
+		suffixSeen["hash:"+accountHash] = struct{}{}
+	}

 	s.convMu.Lock()
 	s.convData[stableHash] = rec
@@ -408,6 +565,33 @@ func (s *GeminiWebState) persistConversation(modelName string, prep *geminiWebPr
 	if accountHash != stableHash {
 		s.convIndex["hash:"+accountHash] = stableHash
 	}
+
+	sanitizedHistory := conversation.SanitizeAssistantMessages(conversation.StoredToMessages(rec.Messages))
+	for start := 1; start < len(sanitizedHistory); start++ {
+		segment := sanitizedHistory[start:]
+		if len(segment) < 2 {
+			continue
+		}
+		tailRole := strings.ToLower(strings.TrimSpace(segment[len(segment)-1].Role))
+		if tailRole != "assistant" && tailRole != "system" {
+			continue
+		}
+		storedSegment := conversation.ToStoredMessages(segment)
+		segmentStableHash := conversation.HashConversationForAccount(rec.ClientID, prep.underlying, storedSegment)
+		keyStable := "hash:" + segmentStableHash
+		if _, exists := suffixSeen[keyStable]; !exists {
+			s.convIndex[keyStable] = stableHash
+			suffixSeen[keyStable] = struct{}{}
+		}
+		segmentAccountHash := conversation.HashConversationForAccount(s.accountID, prep.underlying, storedSegment)
+		if segmentAccountHash != segmentStableHash {
+			keyAccount := "hash:" + segmentAccountHash
+			if _, exists := suffixSeen[keyAccount]; !exists {
+				s.convIndex[keyAccount] = stableHash
+				suffixSeen[keyAccount] = struct{}{}
+			}
+		}
+	}
 	dataSnapshot := make(map[string]ConversationRecord, len(s.convData))
 	for k, v := range s.convData {
 		dataSnapshot[k] = v
@@ -417,7 +601,7 @@ func (s *GeminiWebState) persistConversation(modelName string, prep *geminiWebPr
 		indexSnapshot[k] = v
 	}
 	s.convMu.Unlock()
-	_ = SaveConvData(s.convDataPath(), dataSnapshot, indexSnapshot)
+	_ = SaveConvData(s.convPath(), dataSnapshot, indexSnapshot)
 }

 func (s *GeminiWebState) addAPIResponseData(ctx context.Context, line []byte) {
@@ -471,12 +655,44 @@ func (s *GeminiWebState) useReusableContext() bool {
 	return s.cfg.GeminiWeb.Context
 }

-func (s *GeminiWebState) findReusableSession(modelName string, msgs []RoleText) ([]string, []RoleText) {
+func (s *GeminiWebState) reuseFromPending(modelName string, msgs []RoleText) *reuseComputation {
+	match := s.consumePendingMatch()
+	if match == nil {
+		return nil
+	}
+	if !strings.EqualFold(strings.TrimSpace(match.Model), strings.TrimSpace(modelName)) {
+		return nil
+	}
+	metadata := cloneStringSlice(match.Record.Metadata)
+	if len(metadata) == 0 {
+		return nil
+	}
+	history, ok := s.findConversationByMetadata(modelName, metadata)
+	if !ok {
+		return nil
+	}
+	overlap := longestHistoryOverlap(history, msgs)
+	return &reuseComputation{metadata: metadata, history: history, overlap: overlap}
+}
+
+func (s *GeminiWebState) findReusableSession(modelName string, msgs []RoleText) *reuseComputation {
 	s.convMu.RLock()
 	items := s.convData
 	index := s.convIndex
 	s.convMu.RUnlock()
-	return FindReusableSessionIn(items, index, s.stableClientID, s.accountID, modelName, msgs)
+	rec, metadata, overlap, ok := FindReusableSessionIn(items, index, s.stableClientID, s.accountID, modelName, msgs)
+	if !ok {
+		return nil
+	}
+	history := cloneRoleTextSlice(storedMessagesToRoleText(rec.Messages))
+	if len(history) == 0 {
+		return nil
+	}
+	// Ensure overlap reflects the actual history alignment.
+	if computed := longestHistoryOverlap(history, msgs); computed > 0 {
+		overlap = computed
+	}
+	return &reuseComputation{metadata: cloneStringSlice(metadata), history: history, overlap: overlap}
 }

 func (s *GeminiWebState) getConfiguredGem() *Gem {
@@ -518,55 +734,9 @@ func appendAPIResponseChunk(ctx context.Context, cfg *config.Config, chunk []byt
 	}
 }

-// Persistence helpers --------------------------------------------------
-
-// Sha256Hex computes the SHA256 hash of a string and returns its hex representation.
-func Sha256Hex(s string) string {
-	sum := sha256.Sum256([]byte(s))
-	return hex.EncodeToString(sum[:])
-}
-
-func ToStoredMessages(msgs []RoleText) []StoredMessage {
-	out := make([]StoredMessage, 0, len(msgs))
-	for _, m := range msgs {
-		out = append(out, StoredMessage{
-			Role:    m.Role,
-			Content: m.Text,
-		})
-	}
-	return out
-}
-
-func HashMessage(m StoredMessage) string {
-	s := fmt.Sprintf(`{"content":%q,"role":%q}`, m.Content, strings.ToLower(m.Role))
-	return Sha256Hex(s)
-}
-
-func HashConversation(clientID, model string, msgs []StoredMessage) string {
-	var b strings.Builder
-	b.WriteString(clientID)
-	b.WriteString("|")
-	b.WriteString(model)
-	for _, m := range msgs {
-		b.WriteString("|")
-		b.WriteString(HashMessage(m))
-	}
-	return Sha256Hex(b.String())
-}
-
-// ConvStorePath returns the path for account-level metadata persistence based on token file path.
-func ConvStorePath(tokenFilePath string) string {
-	wd, err := os.Getwd()
-	if err != nil || wd == "" {
-		wd = "."
-	}
-	convDir := filepath.Join(wd, "conv")
-	base := strings.TrimSuffix(filepath.Base(tokenFilePath), filepath.Ext(tokenFilePath))
-	return filepath.Join(convDir, base+".bolt")
-}
-
-// ConvDataPath returns the path for full conversation persistence based on token file path.
-func ConvDataPath(tokenFilePath string) string {
+// ConvBoltPath returns the BoltDB file path used for both account metadata and conversation data.
+// Different logical datasets are kept in separate buckets within this single DB file.
+func ConvBoltPath(tokenFilePath string) string {
 	wd, err := os.Getwd()
 	if err != nil || wd == "" {
 		wd = "."
@@ -778,7 +948,7 @@ func BuildConversationRecord(model, clientID string, history []RoleText, output
 		Model:     model,
 		ClientID:  clientID,
 		Metadata:  metadata,
-		Messages:  ToStoredMessages(final),
+		Messages:  conversation.ToStoredMessages(final),
 		CreatedAt: time.Now(),
 		UpdatedAt: time.Now(),
 	}
@@ -788,9 +958,9 @@ func BuildConversationRecord(model, clientID string, history []RoleText, output
 // FindByMessageListIn looks up a conversation record by hashed message list.
 // It attempts both the stable client ID and a legacy email-based ID.
 func FindByMessageListIn(items map[string]ConversationRecord, index map[string]string, stableClientID, email, model string, msgs []RoleText) (ConversationRecord, bool) {
-	stored := ToStoredMessages(msgs)
-	stableHash := HashConversation(stableClientID, model, stored)
-	fallbackHash := HashConversation(email, model, stored)
+	stored := conversation.ToStoredMessages(msgs)
+	stableHash := conversation.HashConversationForAccount(stableClientID, model, stored)
+	fallbackHash := conversation.HashConversationForAccount(email, model, stored)

 	// Try stable hash via index indirection first
 	if key, ok := index["hash:"+stableHash]; ok {
@@ -828,9 +998,9 @@ func FindConversationIn(items map[string]ConversationRecord, index map[string]st
 }

 // FindReusableSessionIn returns reusable metadata and the remaining message suffix.
-func FindReusableSessionIn(items map[string]ConversationRecord, index map[string]string, stableClientID, email, model string, msgs []RoleText) ([]string, []RoleText) {
+func FindReusableSessionIn(items map[string]ConversationRecord, index map[string]string, stableClientID, email, model string, msgs []RoleText) (ConversationRecord, []string, int, bool) {
 	if len(msgs) < 2 {
-		return nil, nil
+		return ConversationRecord{}, nil, 0, false
 	}
 	searchEnd := len(msgs)
 	for searchEnd >= 2 {
@@ -838,11 +1008,10 @@ func FindReusableSessionIn(items map[string]ConversationRecord, index map[string
 		tail := sub[len(sub)-1]
 		if strings.EqualFold(tail.Role, "assistant") || strings.EqualFold(tail.Role, "system") {
 			if rec, ok := FindConversationIn(items, index, stableClientID, email, model, sub); ok {
-				remain := msgs[searchEnd:]
-				return rec.Metadata, remain
+				return rec, rec.Metadata, searchEnd, true
 			}
 		}
 		searchEnd--
 	}
-	return nil, nil
+	return ConversationRecord{}, nil, 0, false
 }
--- a/internal/registry/model_definitions.go
+++ b/internal/registry/model_definitions.go
@@ -8,6 +8,14 @@ import "time"
 // GetClaudeModels returns the standard Claude model definitions
 func GetClaudeModels() []*ModelInfo {
 	return []*ModelInfo{
+		{
+			ID:          "claude-sonnet-4-5-20250929",
+			Object:      "model",
+			Created:     1759104000, // 2025-09-29
+			OwnedBy:     "anthropic",
+			Type:        "claude",
+			DisplayName: "Claude 4.5 Sonnet",
+		},
 		{
 			ID:          "claude-opus-4-1-20250805",
 			Object:      "model",
--- a/internal/registry/model_registry.go
+++ b/internal/registry/model_registry.go
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"

+	misc "github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	log "github.com/sirupsen/logrus"
 )

@@ -100,54 +101,265 @@ func (r *ModelRegistry) RegisterClient(clientID, clientProvider string, models [
 	r.mutex.Lock()
 	defer r.mutex.Unlock()

-	// Remove any existing registration for this client
-	r.unregisterClientInternal(clientID)
-
 	provider := strings.ToLower(clientProvider)
-	modelIDs := make([]string, 0, len(models))
+	uniqueModelIDs := make([]string, 0, len(models))
+	rawModelIDs := make([]string, 0, len(models))
+	newModels := make(map[string]*ModelInfo, len(models))
+	newCounts := make(map[string]int, len(models))
+	for _, model := range models {
+		if model == nil || model.ID == "" {
+			continue
+		}
+		rawModelIDs = append(rawModelIDs, model.ID)
+		newCounts[model.ID]++
+		if _, exists := newModels[model.ID]; exists {
+			continue
+		}
+		newModels[model.ID] = model
+		uniqueModelIDs = append(uniqueModelIDs, model.ID)
+	}
+
+	if len(uniqueModelIDs) == 0 {
+		// No models supplied; unregister existing client state if present.
+		r.unregisterClientInternal(clientID)
+		delete(r.clientModels, clientID)
+		delete(r.clientProviders, clientID)
+		misc.LogCredentialSeparator()
+		return
+	}
+
 	now := time.Now()

-	for _, model := range models {
-		modelIDs = append(modelIDs, model.ID)
-
-		if existing, exists := r.models[model.ID]; exists {
-			// Model already exists, increment count
-			existing.Count++
-			existing.LastUpdated = now
-			if existing.SuspendedClients == nil {
-				existing.SuspendedClients = make(map[string]string)
-			}
-			if provider != "" {
-				if existing.Providers == nil {
-					existing.Providers = make(map[string]int)
-				}
-				existing.Providers[provider]++
-			}
-			log.Debugf("Incremented count for model %s, now %d clients", model.ID, existing.Count)
+	oldModels, hadExisting := r.clientModels[clientID]
+	oldProvider, _ := r.clientProviders[clientID]
+	providerChanged := oldProvider != provider
+	if !hadExisting {
+		// Pure addition path.
+		for _, modelID := range rawModelIDs {
+			model := newModels[modelID]
+			r.addModelRegistration(modelID, provider, model, now)
+		}
+		r.clientModels[clientID] = append([]string(nil), rawModelIDs...)
+		if provider != "" {
+			r.clientProviders[clientID] = provider
 		} else {
-			// New model, create registration
-			registration := &ModelRegistration{
-				Info:                 model,
-				Count:                1,
-				LastUpdated:          now,
-				QuotaExceededClients: make(map[string]*time.Time),
-				SuspendedClients:     make(map[string]string),
-			}
-			if provider != "" {
-				registration.Providers = map[string]int{provider: 1}
-			}
-			r.models[model.ID] = registration
-			log.Debugf("Registered new model %s from provider %s", model.ID, clientProvider)
+			delete(r.clientProviders, clientID)
+		}
+		log.Debugf("Registered client %s from provider %s with %d models", clientID, clientProvider, len(rawModelIDs))
+		misc.LogCredentialSeparator()
+		return
+	}
+
+	oldCounts := make(map[string]int, len(oldModels))
+	for _, id := range oldModels {
+		oldCounts[id]++
+	}
+
+	added := make([]string, 0)
+	for _, id := range uniqueModelIDs {
+		if oldCounts[id] == 0 {
+			added = append(added, id)
 		}
 	}

-	r.clientModels[clientID] = modelIDs
+	removed := make([]string, 0)
+	for id := range oldCounts {
+		if newCounts[id] == 0 {
+			removed = append(removed, id)
+		}
+	}
+
+	// Handle provider change for overlapping models before modifications.
+	if providerChanged && oldProvider != "" {
+		for id, newCount := range newCounts {
+			if newCount == 0 {
+				continue
+			}
+			oldCount := oldCounts[id]
+			if oldCount == 0 {
+				continue
+			}
+			toRemove := newCount
+			if oldCount < toRemove {
+				toRemove = oldCount
+			}
+			if reg, ok := r.models[id]; ok && reg.Providers != nil {
+				if count, okProv := reg.Providers[oldProvider]; okProv {
+					if count <= toRemove {
+						delete(reg.Providers, oldProvider)
+					} else {
+						reg.Providers[oldProvider] = count - toRemove
+					}
+				}
+			}
+		}
+	}
+
+	// Apply removals first to keep counters accurate.
+	for _, id := range removed {
+		oldCount := oldCounts[id]
+		for i := 0; i < oldCount; i++ {
+			r.removeModelRegistration(clientID, id, oldProvider, now)
+		}
+	}
+
+	for id, oldCount := range oldCounts {
+		newCount := newCounts[id]
+		if newCount == 0 || oldCount <= newCount {
+			continue
+		}
+		overage := oldCount - newCount
+		for i := 0; i < overage; i++ {
+			r.removeModelRegistration(clientID, id, oldProvider, now)
+		}
+	}
+
+	// Apply additions.
+	for id, newCount := range newCounts {
+		oldCount := oldCounts[id]
+		if newCount <= oldCount {
+			continue
+		}
+		model := newModels[id]
+		diff := newCount - oldCount
+		for i := 0; i < diff; i++ {
+			r.addModelRegistration(id, provider, model, now)
+		}
+	}
+
+	// Update metadata for models that remain associated with the client.
+	addedSet := make(map[string]struct{}, len(added))
+	for _, id := range added {
+		addedSet[id] = struct{}{}
+	}
+	for _, id := range uniqueModelIDs {
+		model := newModels[id]
+		if reg, ok := r.models[id]; ok {
+			reg.Info = cloneModelInfo(model)
+			reg.LastUpdated = now
+			if reg.QuotaExceededClients != nil {
+				delete(reg.QuotaExceededClients, clientID)
+			}
+			if reg.SuspendedClients != nil {
+				delete(reg.SuspendedClients, clientID)
+			}
+			if providerChanged && provider != "" {
+				if _, newlyAdded := addedSet[id]; newlyAdded {
+					continue
+				}
+				overlapCount := newCounts[id]
+				if oldCount := oldCounts[id]; oldCount < overlapCount {
+					overlapCount = oldCount
+				}
+				if overlapCount <= 0 {
+					continue
+				}
+				if reg.Providers == nil {
+					reg.Providers = make(map[string]int)
+				}
+				reg.Providers[provider] += overlapCount
+			}
+		}
+	}
+
+	// Update client bookkeeping.
+	if len(rawModelIDs) > 0 {
+		r.clientModels[clientID] = append([]string(nil), rawModelIDs...)
+	}
 	if provider != "" {
 		r.clientProviders[clientID] = provider
 	} else {
 		delete(r.clientProviders, clientID)
 	}
-	log.Debugf("Registered client %s from provider %s with %d models", clientID, clientProvider, len(models))
+
+	if len(added) == 0 && len(removed) == 0 && !providerChanged {
+		// Only metadata (e.g., display name) changed; skip separator when no log output.
+		return
+	}
+
+	log.Debugf("Reconciled client %s (provider %s) models: +%d, -%d", clientID, provider, len(added), len(removed))
+	misc.LogCredentialSeparator()
+}
+
+func (r *ModelRegistry) addModelRegistration(modelID, provider string, model *ModelInfo, now time.Time) {
+	if model == nil || modelID == "" {
+		return
+	}
+	if existing, exists := r.models[modelID]; exists {
+		existing.Count++
+		existing.LastUpdated = now
+		existing.Info = cloneModelInfo(model)
+		if existing.SuspendedClients == nil {
+			existing.SuspendedClients = make(map[string]string)
+		}
+		if provider != "" {
+			if existing.Providers == nil {
+				existing.Providers = make(map[string]int)
+			}
+			existing.Providers[provider]++
+		}
+		log.Debugf("Incremented count for model %s, now %d clients", modelID, existing.Count)
+		return
+	}
+
+	registration := &ModelRegistration{
+		Info:                 cloneModelInfo(model),
+		Count:                1,
+		LastUpdated:          now,
+		QuotaExceededClients: make(map[string]*time.Time),
+		SuspendedClients:     make(map[string]string),
+	}
+	if provider != "" {
+		registration.Providers = map[string]int{provider: 1}
+	}
+	r.models[modelID] = registration
+	log.Debugf("Registered new model %s from provider %s", modelID, provider)
+}
+
+func (r *ModelRegistry) removeModelRegistration(clientID, modelID, provider string, now time.Time) {
+	registration, exists := r.models[modelID]
+	if !exists {
+		return
+	}
+	registration.Count--
+	registration.LastUpdated = now
+	if registration.QuotaExceededClients != nil {
+		delete(registration.QuotaExceededClients, clientID)
+	}
+	if registration.SuspendedClients != nil {
+		delete(registration.SuspendedClients, clientID)
+	}
+	if registration.Count < 0 {
+		registration.Count = 0
+	}
+	if provider != "" && registration.Providers != nil {
+		if count, ok := registration.Providers[provider]; ok {
+			if count <= 1 {
+				delete(registration.Providers, provider)
+			} else {
+				registration.Providers[provider] = count - 1
+			}
+		}
+	}
+	log.Debugf("Decremented count for model %s, now %d clients", modelID, registration.Count)
+	if registration.Count <= 0 {
+		delete(r.models, modelID)
+		log.Debugf("Removed model %s as no clients remain", modelID)
+	}
+}
+
+func cloneModelInfo(model *ModelInfo) *ModelInfo {
+	if model == nil {
+		return nil
+	}
+	copy := *model
+	if len(model.SupportedGenerationMethods) > 0 {
+		copy.SupportedGenerationMethods = append([]string(nil), model.SupportedGenerationMethods...)
+	}
+	if len(model.SupportedParameters) > 0 {
+		copy.SupportedParameters = append([]string(nil), model.SupportedParameters...)
+	}
+	return &copy
 }

 // UnregisterClient removes a client and decrements counts for its models
@@ -207,6 +419,8 @@ func (r *ModelRegistry) unregisterClientInternal(clientID string) {
 		delete(r.clientProviders, clientID)
 	}
 	log.Debugf("Unregistered client %s", clientID)
+	// Separator line after completing client unregistration (after the summary line)
+	misc.LogCredentialSeparator()
 }

 // SetModelQuotaExceeded marks a model as quota exceeded for a specific client
--- a/internal/runtime/executor/claude_executor.go
+++ b/internal/runtime/executor/claude_executor.go
@@ -61,10 +61,7 @@ func (e *ClaudeExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, r
 	}
 	applyClaudeHeaders(httpReq, apiKey, false)

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -130,10 +127,7 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
 	}
 	applyClaudeHeaders(httpReq, apiKey, true)

-	httpClient := &http.Client{Timeout: 0}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return nil, err
@@ -196,10 +190,7 @@ func (e *ClaudeExecutor) CountTokens(ctx context.Context, auth *cliproxyauth.Aut
 	}
 	applyClaudeHeaders(httpReq, apiKey, false)

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -284,6 +275,7 @@ func hasZSTDEcoding(contentEncoding string) bool {
 func applyClaudeHeaders(r *http.Request, apiKey string, stream bool) {
 	r.Header.Set("Authorization", "Bearer "+apiKey)
 	r.Header.Set("Content-Type", "application/json")
+	r.Header.Set("Anthropic-Beta", "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14")

 	var ginHeaders http.Header
 	if ginCtx, ok := r.Context().Value("gin").(*gin.Context); ok && ginCtx != nil && ginCtx.Request != nil {
@@ -292,7 +284,6 @@ func applyClaudeHeaders(r *http.Request, apiKey string, stream bool) {

 	misc.EnsureHeader(r.Header, ginHeaders, "Anthropic-Version", "2023-06-01")
 	misc.EnsureHeader(r.Header, ginHeaders, "Anthropic-Dangerous-Direct-Browser-Access", "true")
-	misc.EnsureHeader(r.Header, ginHeaders, "Anthropic-Beta", "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14")
 	misc.EnsureHeader(r.Header, ginHeaders, "X-App", "cli")
 	misc.EnsureHeader(r.Header, ginHeaders, "X-Stainless-Helper-Method", "stream")
 	misc.EnsureHeader(r.Header, ginHeaders, "X-Stainless-Retry-Count", "0")
--- a/internal/runtime/executor/codex_executor.go
+++ b/internal/runtime/executor/codex_executor.go
@@ -54,8 +54,6 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	if util.InArray([]string{"gpt-5", "gpt-5-minimal", "gpt-5-low", "gpt-5-medium", "gpt-5-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5")
 		switch req.Model {
-		case "gpt-5":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-minimal":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "minimal")
 		case "gpt-5-low":
@@ -68,8 +66,6 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	} else if util.InArray([]string{"gpt-5-codex", "gpt-5-codex-low", "gpt-5-codex-medium", "gpt-5-codex-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5-codex")
 		switch req.Model {
-		case "gpt-5-codex":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-codex-low":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "low")
 		case "gpt-5-codex-medium":
@@ -89,10 +85,7 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	}
 	applyCodexHeaders(httpReq, auth, apiKey)

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -147,8 +140,6 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 	if util.InArray([]string{"gpt-5", "gpt-5-minimal", "gpt-5-low", "gpt-5-medium", "gpt-5-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5")
 		switch req.Model {
-		case "gpt-5":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-minimal":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "minimal")
 		case "gpt-5-low":
@@ -161,8 +152,6 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 	} else if util.InArray([]string{"gpt-5-codex", "gpt-5-codex-low", "gpt-5-codex-medium", "gpt-5-codex-high"}, req.Model) {
 		body, _ = sjson.SetBytes(body, "model", "gpt-5-codex")
 		switch req.Model {
-		case "gpt-5-codex":
-			body, _ = sjson.DeleteBytes(body, "reasoning.effort")
 		case "gpt-5-codex-low":
 			body, _ = sjson.SetBytes(body, "reasoning.effort", "low")
 		case "gpt-5-codex-medium":
@@ -180,10 +169,7 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 	}
 	applyCodexHeaders(httpReq, auth, apiKey)

-	httpClient := &http.Client{Timeout: 0}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return nil, err
--- a/internal/runtime/executor/gemini_cli_executor.go
+++ b/internal/runtime/executor/gemini_cli_executor.go
@@ -74,7 +74,7 @@ func (e *GeminiCLIExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth
 		models = append([]string{req.Model}, models...)
 	}

-	httpClient := newHTTPClient(ctx, 0)
+	httpClient := newHTTPClient(ctx, e.cfg, auth, 0)
 	respCtx := context.WithValue(ctx, "alt", opts.Alt)

 	var lastStatus int
@@ -155,7 +155,7 @@ func (e *GeminiCLIExecutor) ExecuteStream(ctx context.Context, auth *cliproxyaut
 		models = append([]string{req.Model}, models...)
 	}

-	httpClient := newHTTPClient(ctx, 0)
+	httpClient := newHTTPClient(ctx, e.cfg, auth, 0)
 	respCtx := context.WithValue(ctx, "alt", opts.Alt)

 	var lastStatus int
@@ -281,7 +281,7 @@ func (e *GeminiCLIExecutor) CountTokens(ctx context.Context, auth *cliproxyauth.
 		models = append([]string{req.Model}, models...)
 	}

-	httpClient := newHTTPClient(ctx, 0)
+	httpClient := newHTTPClient(ctx, e.cfg, auth, 0)
 	respCtx := context.WithValue(ctx, "alt", opts.Alt)

 	var lastStatus int
@@ -438,15 +438,8 @@ func updateGeminiCLITokenMetadata(auth *cliproxyauth.Auth, base map[string]any,
 	auth.Metadata["token"] = merged
 }

-func newHTTPClient(ctx context.Context, timeout time.Duration) *http.Client {
-	client := &http.Client{}
-	if timeout > 0 {
-		client.Timeout = timeout
-	}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		client.Transport = rt
-	}
-	return client
+func newHTTPClient(ctx context.Context, cfg *config.Config, auth *cliproxyauth.Auth, timeout time.Duration) *http.Client {
+	return newProxyAwareHTTPClient(ctx, cfg, auth, timeout)
 }

 func cloneMap(in map[string]any) map[string]any {
--- a/internal/runtime/executor/gemini_executor.go
+++ b/internal/runtime/executor/gemini_executor.go
@@ -103,10 +103,7 @@ func (e *GeminiExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, r
 		httpReq.Header.Set("Authorization", "Bearer "+bearer)
 	}

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -159,10 +156,7 @@ func (e *GeminiExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
 		httpReq.Header.Set("Authorization", "Bearer "+bearer)
 	}

-	httpClient := &http.Client{Timeout: 0}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return nil, err
@@ -230,10 +224,7 @@ func (e *GeminiExecutor) CountTokens(ctx context.Context, auth *cliproxyauth.Aut
 		httpReq.Header.Set("Authorization", "Bearer "+bearer)
 	}

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -320,7 +311,7 @@ func (e *GeminiExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (
 	conf := &oauth2.Config{ClientID: clientID, ClientSecret: clientSecret, Endpoint: endpoint}

 	// Ensure proxy-aware HTTP client for token refresh
-	httpClient := util.SetProxy(e.cfg, &http.Client{})
+	httpClient := util.SetProxy(&e.cfg.SDKConfig, &http.Client{})
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)

 	// Build base token
--- a/internal/runtime/executor/gemini_web_executor.go
+++ b/internal/runtime/executor/gemini_web_executor.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
 	"sync"
 	"time"

@@ -12,6 +13,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	geminiwebapi "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web"
+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
 	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
 	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
@@ -39,12 +41,18 @@ func (e *GeminiWebExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth
 	if err = state.EnsureClient(); err != nil {
 		return cliproxyexecutor.Response{}, err
 	}
+	match := extractGeminiWebMatch(opts.Metadata)
 	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)

 	mutex := state.GetRequestMutex()
 	if mutex != nil {
 		mutex.Lock()
 		defer mutex.Unlock()
+		if match != nil {
+			state.SetPendingMatch(match)
+		}
+	} else if match != nil {
+		state.SetPendingMatch(match)
 	}

 	payload := bytes.Clone(req.Payload)
@@ -71,11 +79,18 @@ func (e *GeminiWebExecutor) ExecuteStream(ctx context.Context, auth *cliproxyaut
 	if err = state.EnsureClient(); err != nil {
 		return nil, err
 	}
+	match := extractGeminiWebMatch(opts.Metadata)
 	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)

 	mutex := state.GetRequestMutex()
 	if mutex != nil {
 		mutex.Lock()
+		if match != nil {
+			state.SetPendingMatch(match)
+		}
+	}
+	if mutex == nil && match != nil {
+		state.SetPendingMatch(match)
 	}

 	gemBytes, errMsg, prep := state.Send(ctx, req.Model, bytes.Clone(req.Payload), opts)
@@ -136,6 +151,11 @@ func (e *GeminiWebExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth
 	auth.Metadata["secure_1psidts"] = ts.Secure1PSIDTS
 	auth.Metadata["type"] = "gemini-web"
 	auth.Metadata["last_refresh"] = time.Now().Format(time.RFC3339)
+	if v, ok := auth.Metadata["label"].(string); !ok || strings.TrimSpace(v) == "" {
+		if lbl := state.Label(); strings.TrimSpace(lbl) != "" {
+			auth.Metadata["label"] = strings.TrimSpace(lbl)
+		}
+	}
 	return auth, nil
 }

@@ -176,7 +196,7 @@ func (e *GeminiWebExecutor) stateFor(auth *cliproxyauth.Auth) (*geminiwebapi.Gem
 			storagePath = p
 		}
 	}
-	state := geminiwebapi.NewGeminiWebState(cfg, ts, storagePath)
+	state := geminiwebapi.NewGeminiWebState(cfg, ts, storagePath, auth.Label)
 	runtime := &geminiWebRuntime{state: state}
 	auth.Runtime = runtime
 	return state, nil
@@ -194,7 +214,8 @@ func parseGeminiWebToken(auth *cliproxyauth.Auth) (*gemini.GeminiWebTokenStorage
 	if psid == "" || psidts == "" {
 		return nil, fmt.Errorf("gemini-web executor: incomplete cookie metadata")
 	}
-	return &gemini.GeminiWebTokenStorage{Secure1PSID: psid, Secure1PSIDTS: psidts}, nil
+	label := strings.TrimSpace(stringFromMetadata(auth.Metadata, "label"))
+	return &gemini.GeminiWebTokenStorage{Secure1PSID: psid, Secure1PSIDTS: psidts, Label: label}, nil
 }

 func stringFromMetadata(meta map[string]any, keys ...string) string {
@@ -235,3 +256,21 @@ func (e geminiWebError) StatusCode() int {
 	}
 	return e.message.StatusCode
 }
+
+func extractGeminiWebMatch(metadata map[string]any) *conversation.MatchResult {
+	if metadata == nil {
+		return nil
+	}
+	value, ok := metadata[conversation.MetadataMatchKey]
+	if !ok {
+		return nil
+	}
+	switch v := value.(type) {
+	case *conversation.MatchResult:
+		return v
+	case conversation.MatchResult:
+		return &v
+	default:
+		return nil
+	}
+}
--- a/internal/runtime/executor/openai_compat_executor.go
+++ b/internal/runtime/executor/openai_compat_executor.go
@@ -63,10 +63,7 @@ func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.A
 	httpReq.Header.Set("Authorization", "Bearer "+apiKey)
 	httpReq.Header.Set("User-Agent", "cli-proxy-openai-compat")

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -115,10 +112,7 @@ func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxy
 	httpReq.Header.Set("Accept", "text/event-stream")
 	httpReq.Header.Set("Cache-Control", "no-cache")

-	httpClient := &http.Client{Timeout: 0}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return nil, err
--- a/internal/runtime/executor/proxy_helpers.go
+++ b/internal/runtime/executor/proxy_helpers.go
@@ -0,0 +1,116 @@
+package executor
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/proxy"
+)
+
+// newProxyAwareHTTPClient creates an HTTP client with proper proxy configuration priority:
+// 1. Use auth.ProxyURL if configured (highest priority)
+// 2. Use cfg.ProxyURL if auth proxy is not configured
+// 3. Use RoundTripper from context if neither are configured
+//
+// Parameters:
+//   - ctx: The context containing optional RoundTripper
+//   - cfg: The application configuration
+//   - auth: The authentication information
+//   - timeout: The client timeout (0 means no timeout)
+//
+// Returns:
+//   - *http.Client: An HTTP client with configured proxy or transport
+func newProxyAwareHTTPClient(ctx context.Context, cfg *config.Config, auth *cliproxyauth.Auth, timeout time.Duration) *http.Client {
+	httpClient := &http.Client{}
+	if timeout > 0 {
+		httpClient.Timeout = timeout
+	}
+
+	// Priority 1: Use auth.ProxyURL if configured
+	var proxyURL string
+	if auth != nil {
+		proxyURL = strings.TrimSpace(auth.ProxyURL)
+	}
+
+	// Priority 2: Use cfg.ProxyURL if auth proxy is not configured
+	if proxyURL == "" && cfg != nil {
+		proxyURL = strings.TrimSpace(cfg.ProxyURL)
+	}
+
+	// If we have a proxy URL configured, set up the transport
+	if proxyURL != "" {
+		transport := buildProxyTransport(proxyURL)
+		if transport != nil {
+			httpClient.Transport = transport
+			return httpClient
+		}
+		// If proxy setup failed, log and fall through to context RoundTripper
+		log.Debugf("failed to setup proxy from URL: %s, falling back to context transport", proxyURL)
+	}
+
+	// Priority 3: Use RoundTripper from context (typically from RoundTripperFor)
+	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
+		httpClient.Transport = rt
+	}
+
+	return httpClient
+}
+
+// buildProxyTransport creates an HTTP transport configured for the given proxy URL.
+// It supports SOCKS5, HTTP, and HTTPS proxy protocols.
+//
+// Parameters:
+//   - proxyURL: The proxy URL string (e.g., "socks5://user:pass@host:port", "http://host:port")
+//
+// Returns:
+//   - *http.Transport: A configured transport, or nil if the proxy URL is invalid
+func buildProxyTransport(proxyURL string) *http.Transport {
+	if proxyURL == "" {
+		return nil
+	}
+
+	parsedURL, errParse := url.Parse(proxyURL)
+	if errParse != nil {
+		log.Errorf("parse proxy URL failed: %v", errParse)
+		return nil
+	}
+
+	var transport *http.Transport
+
+	// Handle different proxy schemes
+	if parsedURL.Scheme == "socks5" {
+		// Configure SOCKS5 proxy with optional authentication
+		var proxyAuth *proxy.Auth
+		if parsedURL.User != nil {
+			username := parsedURL.User.Username()
+			password, _ := parsedURL.User.Password()
+			proxyAuth = &proxy.Auth{User: username, Password: password}
+		}
+		dialer, errSOCKS5 := proxy.SOCKS5("tcp", parsedURL.Host, proxyAuth, proxy.Direct)
+		if errSOCKS5 != nil {
+			log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5)
+			return nil
+		}
+		// Set up a custom transport using the SOCKS5 dialer
+		transport = &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.Dial(network, addr)
+			},
+		}
+	} else if parsedURL.Scheme == "http" || parsedURL.Scheme == "https" {
+		// Configure HTTP or HTTPS proxy
+		transport = &http.Transport{Proxy: http.ProxyURL(parsedURL)}
+	} else {
+		log.Errorf("unsupported proxy scheme: %s", parsedURL.Scheme)
+		return nil
+	}
+
+	return transport
+}
--- a/internal/runtime/executor/qwen_executor.go
+++ b/internal/runtime/executor/qwen_executor.go
@@ -58,10 +58,7 @@ func (e *QwenExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, req
 	}
 	applyQwenHeaders(httpReq, token, false)

-	httpClient := &http.Client{}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return cliproxyexecutor.Response{}, err
@@ -112,10 +109,7 @@ func (e *QwenExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Aut
 	}
 	applyQwenHeaders(httpReq, token, true)

-	httpClient := &http.Client{Timeout: 0}
-	if rt, ok := ctx.Value("cliproxy.roundtripper").(http.RoundTripper); ok && rt != nil {
-		httpClient.Transport = rt
-	}
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
 		return nil, err
--- a/internal/translator/claude/gemini/claude_gemini_request.go
+++ b/internal/translator/claude/gemini/claude_gemini_request.go
@@ -8,15 +8,24 @@ package gemini
 import (
 	"bytes"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"math/big"
 	"strings"

+	"github.com/google/uuid"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )

+var (
+	user    = ""
+	account = ""
+	session = ""
+)
+
 // ConvertGeminiRequestToClaude parses and transforms a Gemini API request into Claude Code API format.
 // It extracts the model name, system instruction, message contents, and tool declarations
 // from the raw JSON request and returns them in the format expected by the Claude Code API.
@@ -37,8 +46,23 @@ import (
 //   - []byte: The transformed request data in Claude Code API format
 func ConvertGeminiRequestToClaude(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)
-	// Base Claude Code API template with default max_tokens value
-	out := `{"model":"","max_tokens":32000,"messages":[]}`
+
+	if account == "" {
+		u, _ := uuid.NewRandom()
+		account = u.String()
+	}
+	if session == "" {
+		u, _ := uuid.NewRandom()
+		session = u.String()
+	}
+	if user == "" {
+		sum := sha256.Sum256([]byte(account + session))
+		user = hex.EncodeToString(sum[:])
+	}
+	userID := fmt.Sprintf("user_%s_account_%s_session_%s", user, account, session)
+
+	// Base Claude message payload
+	out := fmt.Sprintf(`{"model":"","max_tokens":32000,"messages":[],"metadata":{"user_id":"%s"}}`, userID)

 	root := gjson.ParseBytes(rawJSON)

--- a/internal/translator/claude/openai/chat-completions/claude_openai_request.go
+++ b/internal/translator/claude/openai/chat-completions/claude_openai_request.go
@@ -8,14 +8,24 @@ package chat_completions
 import (
 	"bytes"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"math/big"
 	"strings"

+	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )

+var (
+	user    = ""
+	account = ""
+	session = ""
+)
+
 // ConvertOpenAIRequestToClaude parses and transforms an OpenAI Chat Completions API request into Claude Code API format.
 // It extracts the model name, system instruction, message contents, and tool declarations
 // from the raw JSON request and returns them in the format expected by the Claude Code API.
@@ -36,8 +46,22 @@ import (
 func ConvertOpenAIRequestToClaude(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)

+	if account == "" {
+		u, _ := uuid.NewRandom()
+		account = u.String()
+	}
+	if session == "" {
+		u, _ := uuid.NewRandom()
+		session = u.String()
+	}
+	if user == "" {
+		sum := sha256.Sum256([]byte(account + session))
+		user = hex.EncodeToString(sum[:])
+	}
+	userID := fmt.Sprintf("user_%s_account_%s_session_%s", user, account, session)
+
 	// Base Claude Code API template with default max_tokens value
-	out := `{"model":"","max_tokens":32000,"messages":[]}`
+	out := fmt.Sprintf(`{"model":"","max_tokens":32000,"messages":[],"metadata":{"user_id":"%s"}}`, userID)

 	root := gjson.ParseBytes(rawJSON)

--- a/internal/translator/claude/openai/responses/claude_openai-responses_request.go
+++ b/internal/translator/claude/openai/responses/claude_openai-responses_request.go
@@ -3,13 +3,23 @@ package responses
 import (
 	"bytes"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
 	"math/big"
 	"strings"

+	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )

+var (
+	user    = ""
+	account = ""
+	session = ""
+)
+
 // ConvertOpenAIResponsesRequestToClaude transforms an OpenAI Responses API request
 // into a Claude Messages API request using only gjson/sjson for JSON handling.
 // It supports:
@@ -23,8 +33,22 @@ import (
 func ConvertOpenAIResponsesRequestToClaude(modelName string, inputRawJSON []byte, stream bool) []byte {
 	rawJSON := bytes.Clone(inputRawJSON)

+	if account == "" {
+		u, _ := uuid.NewRandom()
+		account = u.String()
+	}
+	if session == "" {
+		u, _ := uuid.NewRandom()
+		session = u.String()
+	}
+	if user == "" {
+		sum := sha256.Sum256([]byte(account + session))
+		user = hex.EncodeToString(sum[:])
+	}
+	userID := fmt.Sprintf("user_%s_account_%s_session_%s", user, account, session)
+
 	// Base Claude message payload
-	out := `{"model":"","max_tokens":32000,"messages":[]}`
+	out := fmt.Sprintf(`{"model":"","max_tokens":32000,"messages":[],"metadata":{"user_id":"%s"}}`, userID)

 	root := gjson.ParseBytes(rawJSON)

--- a/internal/translator/claude/openai/responses/claude_openai-responses_response.go
+++ b/internal/translator/claude/openai/responses/claude_openai-responses_response.go
@@ -32,6 +32,10 @@ type claudeToResponsesState struct {
 	ReasoningBuf       strings.Builder
 	ReasoningPartAdded bool
 	ReasoningIndex     int
+	// usage aggregation
+	InputTokens  int64
+	OutputTokens int64
+	UsageSeen    bool
 }

 var dataTag = []byte("data:")
@@ -77,6 +81,19 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 			st.FuncArgsBuf = make(map[int]*strings.Builder)
 			st.FuncNames = make(map[int]string)
 			st.FuncCallIDs = make(map[int]string)
+			st.InputTokens = 0
+			st.OutputTokens = 0
+			st.UsageSeen = false
+			if usage := msg.Get("usage"); usage.Exists() {
+				if v := usage.Get("input_tokens"); v.Exists() {
+					st.InputTokens = v.Int()
+					st.UsageSeen = true
+				}
+				if v := usage.Get("output_tokens"); v.Exists() {
+					st.OutputTokens = v.Int()
+					st.UsageSeen = true
+				}
+			}
 			// response.created
 			created := `{"type":"response.created","sequence_number":0,"response":{"id":"","object":"response","created_at":0,"status":"in_progress","background":false,"error":null,"instructions":""}}`
 			created, _ = sjson.Set(created, "sequence_number", nextSeq())
@@ -227,7 +244,6 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 			out = append(out, emitEvent("response.output_item.done", itemDone))
 			st.InFuncBlock = false
 		} else if st.ReasoningActive {
-			// close reasoning
 			full := st.ReasoningBuf.String()
 			textDone := `{"type":"response.reasoning_summary_text.done","sequence_number":0,"item_id":"","output_index":0,"summary_index":0,"text":""}`
 			textDone, _ = sjson.Set(textDone, "sequence_number", nextSeq())
@@ -244,7 +260,19 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 			st.ReasoningActive = false
 			st.ReasoningPartAdded = false
 		}
+	case "message_delta":
+		if usage := root.Get("usage"); usage.Exists() {
+			if v := usage.Get("output_tokens"); v.Exists() {
+				st.OutputTokens = v.Int()
+				st.UsageSeen = true
+			}
+			if v := usage.Get("input_tokens"); v.Exists() {
+				st.InputTokens = v.Int()
+				st.UsageSeen = true
+			}
+		}
 	case "message_stop":
+
 		completed := `{"type":"response.completed","sequence_number":0,"response":{"id":"","object":"response","created_at":0,"status":"completed","background":false,"error":null}}`
 		completed, _ = sjson.Set(completed, "sequence_number", nextSeq())
 		completed, _ = sjson.Set(completed, "response.id", st.ResponseID)
@@ -381,6 +409,24 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 		if len(outputs) > 0 {
 			completed, _ = sjson.Set(completed, "response.output", outputs)
 		}
+
+		reasoningTokens := int64(0)
+		if st.ReasoningBuf.Len() > 0 {
+			reasoningTokens = int64(st.ReasoningBuf.Len() / 4)
+		}
+		usagePresent := st.UsageSeen || reasoningTokens > 0
+		if usagePresent {
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens", st.InputTokens)
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens_details.cached_tokens", 0)
+			completed, _ = sjson.Set(completed, "response.usage.output_tokens", st.OutputTokens)
+			if reasoningTokens > 0 {
+				completed, _ = sjson.Set(completed, "response.usage.output_tokens_details.reasoning_tokens", reasoningTokens)
+			}
+			total := st.InputTokens + st.OutputTokens
+			if total > 0 || st.UsageSeen {
+				completed, _ = sjson.Set(completed, "response.usage.total_tokens", total)
+			}
+		}
 		out = append(out, emitEvent("response.completed", completed))
 	}

--- a/internal/translator/codex/openai/responses/codex_openai-responses_request.go
+++ b/internal/translator/codex/openai/responses/codex_openai-responses_request.go
@@ -17,6 +17,9 @@ func ConvertOpenAIResponsesRequestToCodex(modelName string, inputRawJSON []byte,
 	rawJSON, _ = sjson.SetBytes(rawJSON, "store", false)
 	rawJSON, _ = sjson.SetBytes(rawJSON, "parallel_tool_calls", true)
 	rawJSON, _ = sjson.SetBytes(rawJSON, "include", []string{"reasoning.encrypted_content"})
+	// Codex Responses rejects token limit fields, so strip them out before forwarding.
+	rawJSON, _ = sjson.DeleteBytes(rawJSON, "max_output_tokens")
+	rawJSON, _ = sjson.DeleteBytes(rawJSON, "max_completion_tokens")
 	rawJSON, _ = sjson.DeleteBytes(rawJSON, "temperature")
 	rawJSON, _ = sjson.DeleteBytes(rawJSON, "top_p")

--- a/internal/translator/gemini-cli/openai/chat-completions/cli_openai_request.go
+++ b/internal/translator/gemini-cli/openai/chat-completions/cli_openai_request.go
@@ -25,7 +25,6 @@ import (
 // Returns:
 //   - []byte: The transformed request data in Gemini CLI API format
 func ConvertOpenAIRequestToGeminiCLI(modelName string, inputRawJSON []byte, _ bool) []byte {
-	log.Debug("ConvertOpenAIRequestToGeminiCLI")
 	rawJSON := bytes.Clone(inputRawJSON)
 	// Base envelope
 	out := []byte(`{"project":"","request":{"contents":[],"generationConfig":{"thinkingConfig":{"include_thoughts":true}}},"model":"gemini-2.5-pro"}`)
--- a/internal/translator/gemini/openai/responses/gemini_openai-responses_response.go
+++ b/internal/translator/gemini/openai/responses/gemini_openai-responses_response.go
@@ -78,12 +78,21 @@ func ConvertGeminiResponseToOpenAIResponses(_ context.Context, modelName string,
 		textDone, _ = sjson.Set(textDone, "output_index", st.ReasoningIndex)
 		textDone, _ = sjson.Set(textDone, "text", full)
 		out = append(out, emitEvent("response.reasoning_summary_text.done", textDone))
+
 		partDone := `{"type":"response.reasoning_summary_part.done","sequence_number":0,"item_id":"","output_index":0,"summary_index":0,"part":{"type":"summary_text","text":""}}`
 		partDone, _ = sjson.Set(partDone, "sequence_number", nextSeq())
 		partDone, _ = sjson.Set(partDone, "item_id", st.ReasoningItemID)
 		partDone, _ = sjson.Set(partDone, "output_index", st.ReasoningIndex)
 		partDone, _ = sjson.Set(partDone, "part.text", full)
 		out = append(out, emitEvent("response.reasoning_summary_part.done", partDone))
+
+		itemDone := `{"type":"response.output_item.done","sequence_number":0,"output_index":0,"item":{"id":"","type":"reasoning","encrypted_content":"","summary":[{"type":"summary_text","text":""}]}}`
+		itemDone, _ = sjson.Set(itemDone, "sequence_number", nextSeq())
+		itemDone, _ = sjson.Set(itemDone, "item.id", st.ReasoningItemID)
+		itemDone, _ = sjson.Set(itemDone, "output_index", st.ReasoningIndex)
+		itemDone, _ = sjson.Set(itemDone, "item.summary.0.text", full)
+		out = append(out, emitEvent("response.output_item.done", itemDone))
+
 		st.ReasoningClosed = true
 	}

@@ -414,6 +423,25 @@ func ConvertGeminiResponseToOpenAIResponses(_ context.Context, modelName string,
 			completed, _ = sjson.Set(completed, "response.output", outputs)
 		}

+		// usage mapping
+		if um := root.Get("usageMetadata"); um.Exists() {
+			// input tokens = prompt + thoughts
+			input := um.Get("promptTokenCount").Int() + um.Get("thoughtsTokenCount").Int()
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens", input)
+			// cached_tokens not provided by Gemini; default to 0 for structure compatibility
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens_details.cached_tokens", 0)
+			// output tokens
+			if v := um.Get("candidatesTokenCount"); v.Exists() {
+				completed, _ = sjson.Set(completed, "response.usage.output_tokens", v.Int())
+			}
+			if v := um.Get("thoughtsTokenCount"); v.Exists() {
+				completed, _ = sjson.Set(completed, "response.usage.output_tokens_details.reasoning_tokens", v.Int())
+			}
+			if v := um.Get("totalTokenCount"); v.Exists() {
+				completed, _ = sjson.Set(completed, "response.usage.total_tokens", v.Int())
+			}
+		}
+
 		out = append(out, emitEvent("response.completed", completed))
 	}

--- a/internal/translator/openai/openai/responses/openai_openai-responses_response.go
+++ b/internal/translator/openai/openai/responses/openai_openai-responses_response.go
@@ -32,6 +32,13 @@ type oaiToResponsesState struct {
 	// function item done state
 	FuncArgsDone map[int]bool
 	FuncItemDone map[int]bool
+	// usage aggregation
+	PromptTokens     int64
+	CachedTokens     int64
+	CompletionTokens int64
+	TotalTokens      int64
+	ReasoningTokens  int64
+	UsageSeen        bool
 }

 func emitRespEvent(event string, payload string) string {
@@ -66,6 +73,35 @@ func ConvertOpenAIChatCompletionsResponseToOpenAIResponses(ctx context.Context,
 		return []string{}
 	}

+	if usage := root.Get("usage"); usage.Exists() {
+		if v := usage.Get("prompt_tokens"); v.Exists() {
+			st.PromptTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("prompt_tokens_details.cached_tokens"); v.Exists() {
+			st.CachedTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("completion_tokens"); v.Exists() {
+			st.CompletionTokens = v.Int()
+			st.UsageSeen = true
+		} else if v := usage.Get("output_tokens"); v.Exists() {
+			st.CompletionTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("output_tokens_details.reasoning_tokens"); v.Exists() {
+			st.ReasoningTokens = v.Int()
+			st.UsageSeen = true
+		} else if v := usage.Get("completion_tokens_details.reasoning_tokens"); v.Exists() {
+			st.ReasoningTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("total_tokens"); v.Exists() {
+			st.TotalTokens = v.Int()
+			st.UsageSeen = true
+		}
+	}
+
 	nextSeq := func() int { st.Seq++; return st.Seq }
 	var out []string

@@ -85,6 +121,12 @@ func ConvertOpenAIChatCompletionsResponseToOpenAIResponses(ctx context.Context,
 		st.MsgItemDone = make(map[int]bool)
 		st.FuncArgsDone = make(map[int]bool)
 		st.FuncItemDone = make(map[int]bool)
+		st.PromptTokens = 0
+		st.CachedTokens = 0
+		st.CompletionTokens = 0
+		st.TotalTokens = 0
+		st.ReasoningTokens = 0
+		st.UsageSeen = false
 		// response.created
 		created := `{"type":"response.created","sequence_number":0,"response":{"id":"","object":"response","created_at":0,"status":"in_progress","background":false,"error":null}}`
 		created, _ = sjson.Set(created, "sequence_number", nextSeq())
@@ -503,6 +545,19 @@ func ConvertOpenAIChatCompletionsResponseToOpenAIResponses(ctx context.Context,
 				if len(outputs) > 0 {
 					completed, _ = sjson.Set(completed, "response.output", outputs)
 				}
+				if st.UsageSeen {
+					completed, _ = sjson.Set(completed, "response.usage.input_tokens", st.PromptTokens)
+					completed, _ = sjson.Set(completed, "response.usage.input_tokens_details.cached_tokens", st.CachedTokens)
+					completed, _ = sjson.Set(completed, "response.usage.output_tokens", st.CompletionTokens)
+					if st.ReasoningTokens > 0 {
+						completed, _ = sjson.Set(completed, "response.usage.output_tokens_details.reasoning_tokens", st.ReasoningTokens)
+					}
+					total := st.TotalTokens
+					if total == 0 {
+						total = st.PromptTokens + st.CompletionTokens
+					}
+					completed, _ = sjson.Set(completed, "response.usage.total_tokens", total)
+				}
 				out = append(out, emitRespEvent("response.completed", completed))
 			}

--- a/internal/usage/logger_plugin.go
+++ b/internal/usage/logger_plugin.go
@@ -7,13 +7,17 @@ import (
 	"context"
 	"fmt"
 	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/gin-gonic/gin"
 	coreusage "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/usage"
 )

+var statisticsEnabled atomic.Bool
+
 func init() {
+	statisticsEnabled.Store(true)
 	coreusage.RegisterPlugin(NewLoggerPlugin())
 }

@@ -36,12 +40,21 @@ func NewLoggerPlugin() *LoggerPlugin { return &LoggerPlugin{stats: defaultReques
 //   - ctx: The context for the usage record
 //   - record: The usage record to aggregate
 func (p *LoggerPlugin) HandleUsage(ctx context.Context, record coreusage.Record) {
+	if !statisticsEnabled.Load() {
+		return
+	}
 	if p == nil || p.stats == nil {
 		return
 	}
 	p.stats.Record(ctx, record)
 }

+// SetStatisticsEnabled toggles whether in-memory statistics are recorded.
+func SetStatisticsEnabled(enabled bool) { statisticsEnabled.Store(enabled) }
+
+// StatisticsEnabled reports the current recording state.
+func StatisticsEnabled() bool { return statisticsEnabled.Load() }
+
 // RequestStatistics maintains aggregated request metrics in memory.
 type RequestStatistics struct {
 	mu sync.RWMutex
@@ -138,6 +151,9 @@ func (s *RequestStatistics) Record(ctx context.Context, record coreusage.Record)
 	if s == nil {
 		return
 	}
+	if !statisticsEnabled.Load() {
+		return
+	}
 	timestamp := record.RequestedAt
 	if timestamp.IsZero() {
 		timestamp = time.Now()
--- a/internal/util/provider.go
+++ b/internal/util/provider.go
@@ -26,7 +26,7 @@ import (
 //
 // Returns:
 //   - []string: All provider identifiers capable of serving the model, ordered by preference.
-func GetProviderName(modelName string, cfg *config.Config) []string {
+func GetProviderName(modelName string) []string {
 	if modelName == "" {
 		return nil
 	}
--- a/internal/util/proxy.go
+++ b/internal/util/proxy.go
@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"net/url"

-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/proxy"
 )
@@ -17,7 +17,7 @@ import (
 // SetProxy configures the provided HTTP client with proxy settings from the configuration.
 // It supports SOCKS5, HTTP, and HTTPS proxies. The function modifies the client's transport
 // to route requests through the configured proxy server.
-func SetProxy(cfg *config.Config, httpClient *http.Client) *http.Client {
+func SetProxy(cfg *config.SDKConfig, httpClient *http.Client) *http.Client {
 	var transport *http.Transport
 	// Attempt to parse the proxy URL from the configuration.
 	proxyURL, errParse := url.Parse(cfg.ProxyURL)
@@ -25,9 +25,12 @@ func SetProxy(cfg *config.Config, httpClient *http.Client) *http.Client {
 		// Handle different proxy schemes.
 		if proxyURL.Scheme == "socks5" {
 			// Configure SOCKS5 proxy with optional authentication.
-			username := proxyURL.User.Username()
-			password, _ := proxyURL.User.Password()
-			proxyAuth := &proxy.Auth{User: username, Password: password}
+			var proxyAuth *proxy.Auth
+			if proxyURL.User != nil {
+				username := proxyURL.User.Username()
+				password, _ := proxyURL.User.Password()
+				proxyAuth = &proxy.Auth{User: username, Password: password}
+			}
 			dialer, errSOCKS5 := proxy.SOCKS5("tcp", proxyURL.Host, proxyAuth, proxy.Direct)
 			if errSOCKS5 != nil {
 				log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5)
--- a/internal/util/ssh_helper.go
+++ b/internal/util/ssh_helper.go
@@ -120,7 +120,7 @@ func GetIPAddress() string {
 func PrintSSHTunnelInstructions(port int) {
 	ipAddress := GetIPAddress()
 	border := "================================================================================"
-	log.Infof("To authenticate from a remote machine, an SSH tunnel may be required.")
+	fmt.Println("To authenticate from a remote machine, an SSH tunnel may be required.")
 	fmt.Println(border)
 	fmt.Println("  Run one of the following commands on your local machine (NOT the server):")
 	fmt.Println()
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -4,6 +4,7 @@
 package util

 import (
+	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -30,23 +31,42 @@ func SetLogLevel(cfg *config.Config) {
 	}
 }

-// CountAuthFiles returns the number of JSON auth files located under the provided directory.
-// The function resolves leading tildes to the user's home directory and performs a case-insensitive
-// match on the ".json" suffix so that files saved with uppercase extensions are also counted.
-func CountAuthFiles(authDir string) int {
+// ResolveAuthDir normalizes the auth directory path for consistent reuse throughout the app.
+// It expands a leading tilde (~) to the user's home directory and returns a cleaned path.
+func ResolveAuthDir(authDir string) (string, error) {
 	if authDir == "" {
-		return 0
+		return "", nil
 	}
 	if strings.HasPrefix(authDir, "~") {
 		home, err := os.UserHomeDir()
 		if err != nil {
-			log.Debugf("countAuthFiles: failed to resolve home directory: %v", err)
-			return 0
+			return "", fmt.Errorf("resolve auth dir: %w", err)
 		}
-		authDir = filepath.Join(home, authDir[1:])
+		remainder := strings.TrimPrefix(authDir, "~")
+		remainder = strings.TrimLeft(remainder, "/\\")
+		if remainder == "" {
+			return filepath.Clean(home), nil
+		}
+		normalized := strings.ReplaceAll(remainder, "\\", "/")
+		return filepath.Clean(filepath.Join(home, filepath.FromSlash(normalized))), nil
+	}
+	return filepath.Clean(authDir), nil
+}
+
+// CountAuthFiles returns the number of JSON auth files located under the provided directory.
+// The function resolves leading tildes to the user's home directory and performs a case-insensitive
+// match on the ".json" suffix so that files saved with uppercase extensions are also counted.
+func CountAuthFiles(authDir string) int {
+	dir, err := ResolveAuthDir(authDir)
+	if err != nil {
+		log.Debugf("countAuthFiles: failed to resolve auth directory: %v", err)
+		return 0
+	}
+	if dir == "" {
+		return 0
 	}
 	count := 0
-	walkErr := filepath.WalkDir(authDir, func(path string, d fs.DirEntry, err error) error {
+	walkErr := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			log.Debugf("countAuthFiles: error accessing %s: %v", path, err)
 			return nil
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -14,6 +14,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -52,6 +53,39 @@ type Watcher struct {
 	dispatchCancel context.CancelFunc
 }

+type stableIDGenerator struct {
+	counters map[string]int
+}
+
+func newStableIDGenerator() *stableIDGenerator {
+	return &stableIDGenerator{counters: make(map[string]int)}
+}
+
+func (g *stableIDGenerator) next(kind string, parts ...string) (string, string) {
+	if g == nil {
+		return kind + ":000000000000", "000000000000"
+	}
+	hasher := sha256.New()
+	hasher.Write([]byte(kind))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		hasher.Write([]byte{0})
+		hasher.Write([]byte(trimmed))
+	}
+	digest := hex.EncodeToString(hasher.Sum(nil))
+	if len(digest) < 12 {
+		digest = fmt.Sprintf("%012s", digest)
+	}
+	short := digest[:12]
+	key := kind + ":" + short
+	index := g.counters[key]
+	g.counters[key] = index + 1
+	if index > 0 {
+		short = fmt.Sprintf("%s-%d", short, index)
+	}
+	return fmt.Sprintf("%s:%s", kind, short), short
+}
+
 // AuthUpdateAction represents the type of change detected in auth sources.
 type AuthUpdateAction string

@@ -112,7 +146,7 @@ func (w *Watcher) Start(ctx context.Context) error {
 	go w.processEvents(ctx)

 	// Perform an initial full reload based on current config and auth dir
-	w.reloadClients()
+	w.reloadClients(true)
 	return nil
 }

@@ -320,6 +354,20 @@ func normalizeAuth(a *coreauth.Auth) *coreauth.Auth {
 	return clone
 }

+// computeOpenAICompatModelsHash returns a stable hash for the compatibility models so that
+// changes to the model list trigger auth updates during hot reload.
+func computeOpenAICompatModelsHash(models []config.OpenAICompatibilityModel) string {
+	if len(models) == 0 {
+		return ""
+	}
+	data, err := json.Marshal(models)
+	if err != nil || len(data) == 0 {
+		return ""
+	}
+	sum := sha256.Sum256(data)
+	return hex.EncodeToString(sum[:])
+}
+
 // SetClients sets the file-based clients.
 // SetClients removed
 // SetAPIKeyClients removed
@@ -380,7 +428,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 			log.Debugf("config file content unchanged (hash match), skipping reload")
 			return
 		}
-		log.Infof("config file changed, reloading: %s", w.configPath)
+		fmt.Printf("config file changed, reloading: %s\n", w.configPath)
 		if w.reloadConfig() {
 			w.clientsMutex.Lock()
 			w.lastConfigHash = newHash
@@ -390,7 +438,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 	}

 	// Handle auth directory changes incrementally (.json only)
-	log.Infof("auth file changed (%s): %s, processing incrementally", event.Op.String(), filepath.Base(event.Name))
+	fmt.Printf("auth file changed (%s): %s, processing incrementally\n", event.Op.String(), filepath.Base(event.Name))
 	if event.Op&fsnotify.Create == fsnotify.Create || event.Op&fsnotify.Write == fsnotify.Write {
 		w.addOrUpdateClient(event.Name)
 	} else if event.Op&fsnotify.Remove == fsnotify.Remove {
@@ -408,6 +456,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {

 // reloadConfig reloads the configuration and triggers a full reload
 func (w *Watcher) reloadConfig() bool {
+	log.Debug("=========================== CONFIG RELOAD ============================")
 	log.Debugf("starting config reload from: %s", w.configPath)

 	newConfig, errLoadConfig := config.LoadConfig(w.configPath)
@@ -416,6 +465,12 @@ func (w *Watcher) reloadConfig() bool {
 		return false
 	}

+	if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(newConfig.AuthDir); errResolveAuthDir != nil {
+		log.Errorf("failed to resolve auth directory from config: %v", errResolveAuthDir)
+	} else {
+		newConfig.AuthDir = resolvedAuthDir
+	}
+
 	w.clientsMutex.Lock()
 	oldConfig := w.config
 	w.config = newConfig
@@ -477,17 +532,31 @@ func (w *Watcher) reloadConfig() bool {
 		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}
+		if oldConfig.LoggingToFile != newConfig.LoggingToFile {
+			log.Debugf("  logging-to-file: %t -> %t", oldConfig.LoggingToFile, newConfig.LoggingToFile)
+		}
+		if oldConfig.UsageStatisticsEnabled != newConfig.UsageStatisticsEnabled {
+			log.Debugf("  usage-statistics-enabled: %t -> %t", oldConfig.UsageStatisticsEnabled, newConfig.UsageStatisticsEnabled)
+		}
+		if changes := diffOpenAICompatibility(oldConfig.OpenAICompatibility, newConfig.OpenAICompatibility); len(changes) > 0 {
+			log.Debugf("  openai-compatibility:")
+			for _, change := range changes {
+				log.Debugf("    %s", change)
+			}
+		}
 	}

+	authDirChanged := oldConfig == nil || oldConfig.AuthDir != newConfig.AuthDir
+
 	log.Infof("config successfully reloaded, triggering client reload")
 	// Reload clients with new config
-	w.reloadClients()
+	w.reloadClients(authDirChanged)
 	return true
 }

 // reloadClients performs a full scan and reload of all clients.
-func (w *Watcher) reloadClients() {
-	log.Debugf("starting full client reload process")
+func (w *Watcher) reloadClients(rescanAuth bool) {
+	log.Debugf("starting full client load process")

 	w.clientsMutex.RLock()
 	cfg := w.config
@@ -503,40 +572,60 @@ func (w *Watcher) reloadClients() {

 	// Create new API key clients based on the new config
 	glAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount := BuildAPIKeyClients(cfg)
-	log.Debugf("created %d new API key clients", 0)
+	totalAPIKeyClients := glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
+	log.Debugf("loaded %d API key clients", totalAPIKeyClients)

-	// Load file-based clients
-	authFileCount := w.loadFileClients(cfg)
-	log.Debugf("loaded %d new file-based clients", 0)
+	var authFileCount int
+	if rescanAuth {
+		// Load file-based clients when explicitly requested (startup or authDir change)
+		authFileCount = w.loadFileClients(cfg)
+		log.Debugf("loaded %d file-based clients", authFileCount)
+	} else {
+		// Preserve existing auth hashes and only report current known count to avoid redundant scans.
+		w.clientsMutex.RLock()
+		authFileCount = len(w.lastAuthHashes)
+		w.clientsMutex.RUnlock()
+		log.Debugf("skipping auth directory rescan; retaining %d existing auth files", authFileCount)
+	}

 	// no legacy file-based clients to unregister

 	// Update client maps
-	w.clientsMutex.Lock()
+	if rescanAuth {
+		w.clientsMutex.Lock()

-	// Rebuild auth file hash cache for current clients
-	w.lastAuthHashes = make(map[string]string)
-	// Recompute hashes for current auth files
-	_ = filepath.Walk(cfg.AuthDir, func(path string, info fs.FileInfo, err error) error {
-		if err != nil {
-			return nil
+		// Rebuild auth file hash cache for current clients
+		w.lastAuthHashes = make(map[string]string)
+		if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir); errResolveAuthDir != nil {
+			log.Errorf("failed to resolve auth directory for hash cache: %v", errResolveAuthDir)
+		} else if resolvedAuthDir != "" {
+			_ = filepath.Walk(resolvedAuthDir, func(path string, info fs.FileInfo, err error) error {
+				if err != nil {
+					return nil
+				}
+				if !info.IsDir() && strings.HasSuffix(strings.ToLower(info.Name()), ".json") {
+					if data, errReadFile := os.ReadFile(path); errReadFile == nil && len(data) > 0 {
+						sum := sha256.Sum256(data)
+						w.lastAuthHashes[path] = hex.EncodeToString(sum[:])
+					}
+				}
+				return nil
+			})
 		}
-		if !info.IsDir() && strings.HasSuffix(strings.ToLower(info.Name()), ".json") {
-			if data, errReadFile := os.ReadFile(path); errReadFile == nil && len(data) > 0 {
-				sum := sha256.Sum256(data)
-				w.lastAuthHashes[path] = hex.EncodeToString(sum[:])
-			}
-		}
-		return nil
-	})
-	w.clientsMutex.Unlock()
+		w.clientsMutex.Unlock()
+	}

 	totalNewClients := authFileCount + glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount

+	// Ensure consumers observe the new configuration before auth updates dispatch.
+	if w.reloadCallback != nil {
+		log.Debugf("triggering server update callback before auth refresh")
+		w.reloadCallback(cfg)
+	}
+
 	w.refreshAuthState()

-	log.Infof("full client reload complete - old: %d clients, new: %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
-		0,
+	log.Infof("full client load complete - %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
 		totalNewClients,
 		authFileCount,
 		glAPIKeyCount,
@@ -544,12 +633,6 @@ func (w *Watcher) reloadClients() {
 		codexAPIKeyCount,
 		openAICompatCount,
 	)
-
-	// Trigger the callback to update the server
-	if w.reloadCallback != nil {
-		log.Debugf("triggering server update callback")
-		w.reloadCallback(cfg)
-	}
 }

 // createClientFromFile creates a single client instance from a given token file path.
@@ -621,6 +704,7 @@ func (w *Watcher) removeClient(path string) {
 func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 	out := make([]*coreauth.Auth, 0, 32)
 	now := time.Now()
+	idGen := newStableIDGenerator()
 	// Also synthesize auth entries for OpenAI-compatibility providers directly from config
 	w.clientsMutex.RLock()
 	cfg := w.config
@@ -628,14 +712,18 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 	if cfg != nil {
 		// Gemini official API keys -> synthesize auths
 		for i := range cfg.GlAPIKey {
-			k := cfg.GlAPIKey[i]
+			k := strings.TrimSpace(cfg.GlAPIKey[i])
+			if k == "" {
+				continue
+			}
+			id, token := idGen.next("gemini:apikey", k)
 			a := &coreauth.Auth{
-				ID:       fmt.Sprintf("gemini:apikey:%d", i),
+				ID:       id,
 				Provider: "gemini",
 				Label:    "gemini-apikey",
 				Status:   coreauth.StatusActive,
 				Attributes: map[string]string{
-					"source":  fmt.Sprintf("config:gemini#%d", i),
+					"source":  fmt.Sprintf("config:gemini[%s]", token),
 					"api_key": k,
 				},
 				CreatedAt: now,
@@ -646,18 +734,25 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 		// Claude API keys -> synthesize auths
 		for i := range cfg.ClaudeKey {
 			ck := cfg.ClaudeKey[i]
+			key := strings.TrimSpace(ck.APIKey)
+			if key == "" {
+				continue
+			}
+			id, token := idGen.next("claude:apikey", key, ck.BaseURL)
 			attrs := map[string]string{
-				"source":  fmt.Sprintf("config:claude#%d", i),
-				"api_key": ck.APIKey,
+				"source":  fmt.Sprintf("config:claude[%s]", token),
+				"api_key": key,
 			}
 			if ck.BaseURL != "" {
 				attrs["base_url"] = ck.BaseURL
 			}
+			proxyURL := strings.TrimSpace(ck.ProxyURL)
 			a := &coreauth.Auth{
-				ID:         fmt.Sprintf("claude:apikey:%d", i),
+				ID:         id,
 				Provider:   "claude",
 				Label:      "claude-apikey",
 				Status:     coreauth.StatusActive,
+				ProxyURL:   proxyURL,
 				Attributes: attrs,
 				CreatedAt:  now,
 				UpdatedAt:  now,
@@ -667,18 +762,25 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 		// Codex API keys -> synthesize auths
 		for i := range cfg.CodexKey {
 			ck := cfg.CodexKey[i]
+			key := strings.TrimSpace(ck.APIKey)
+			if key == "" {
+				continue
+			}
+			id, token := idGen.next("codex:apikey", key, ck.BaseURL)
 			attrs := map[string]string{
-				"source":  fmt.Sprintf("config:codex#%d", i),
-				"api_key": ck.APIKey,
+				"source":  fmt.Sprintf("config:codex[%s]", token),
+				"api_key": key,
 			}
 			if ck.BaseURL != "" {
 				attrs["base_url"] = ck.BaseURL
 			}
+			proxyURL := strings.TrimSpace(ck.ProxyURL)
 			a := &coreauth.Auth{
-				ID:         fmt.Sprintf("codex:apikey:%d", i),
+				ID:         id,
 				Provider:   "codex",
 				Label:      "codex-apikey",
 				Status:     coreauth.StatusActive,
+				ProxyURL:   proxyURL,
 				Attributes: attrs,
 				CreatedAt:  now,
 				UpdatedAt:  now,
@@ -691,25 +793,71 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 			if providerName == "" {
 				providerName = "openai-compatibility"
 			}
-			base := compat.BaseURL
-			for j := range compat.APIKeys {
-				key := compat.APIKeys[j]
-				a := &coreauth.Auth{
-					ID:       fmt.Sprintf("openai-compatibility:%s:%d", compat.Name, j),
-					Provider: providerName,
-					Label:    compat.Name,
-					Status:   coreauth.StatusActive,
-					Attributes: map[string]string{
-						"source":       fmt.Sprintf("config:%s#%d", compat.Name, j),
+			base := strings.TrimSpace(compat.BaseURL)
+
+			// Handle new APIKeyEntries format (preferred)
+			if len(compat.APIKeyEntries) > 0 {
+				for j := range compat.APIKeyEntries {
+					entry := &compat.APIKeyEntries[j]
+					key := strings.TrimSpace(entry.APIKey)
+					if key == "" {
+						continue
+					}
+					proxyURL := strings.TrimSpace(entry.ProxyURL)
+					idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+					id, token := idGen.next(idKind, key, base, proxyURL)
+					attrs := map[string]string{
+						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
 						"base_url":     base,
 						"api_key":      key,
 						"compat_name":  compat.Name,
 						"provider_key": providerName,
-					},
-					CreatedAt: now,
-					UpdatedAt: now,
+					}
+					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
+						attrs["models_hash"] = hash
+					}
+					a := &coreauth.Auth{
+						ID:         id,
+						Provider:   providerName,
+						Label:      compat.Name,
+						Status:     coreauth.StatusActive,
+						ProxyURL:   proxyURL,
+						Attributes: attrs,
+						CreatedAt:  now,
+						UpdatedAt:  now,
+					}
+					out = append(out, a)
+				}
+			} else {
+				// Handle legacy APIKeys format for backward compatibility
+				for j := range compat.APIKeys {
+					key := strings.TrimSpace(compat.APIKeys[j])
+					if key == "" {
+						continue
+					}
+					idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+					id, token := idGen.next(idKind, key, base)
+					attrs := map[string]string{
+						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+						"base_url":     base,
+						"api_key":      key,
+						"compat_name":  compat.Name,
+						"provider_key": providerName,
+					}
+					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
+						attrs["models_hash"] = hash
+					}
+					a := &coreauth.Auth{
+						ID:         id,
+						Provider:   providerName,
+						Label:      compat.Name,
+						Status:     coreauth.StatusActive,
+						Attributes: attrs,
+						CreatedAt:  now,
+						UpdatedAt:  now,
+					}
+					out = append(out, a)
 				}
-				out = append(out, a)
 			}
 		}
 	}
@@ -779,14 +927,13 @@ func (w *Watcher) loadFileClients(cfg *config.Config) int {
 	authFileCount := 0
 	successfulAuthCount := 0

-	authDir := cfg.AuthDir
-	if strings.HasPrefix(authDir, "~") {
-		home, err := os.UserHomeDir()
-		if err != nil {
-			log.Errorf("failed to get home directory: %v", err)
-			return 0
-		}
-		authDir = filepath.Join(home, authDir[1:])
+	authDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir)
+	if errResolveAuthDir != nil {
+		log.Errorf("failed to resolve auth directory: %v", errResolveAuthDir)
+		return 0
+	}
+	if authDir == "" {
+		return 0
 	}

 	errWalk := filepath.Walk(authDir, func(path string, info fs.FileInfo, err error) error {
@@ -831,8 +978,139 @@ func BuildAPIKeyClients(cfg *config.Config) (int, int, int, int) {
 	if len(cfg.OpenAICompatibility) > 0 {
 		// Do not construct legacy clients for OpenAI-compat providers; these are handled by the stateless executor.
 		for _, compatConfig := range cfg.OpenAICompatibility {
-			openAICompatCount += len(compatConfig.APIKeys)
+			// Count from new APIKeyEntries format if present, otherwise fall back to legacy APIKeys
+			if len(compatConfig.APIKeyEntries) > 0 {
+				openAICompatCount += len(compatConfig.APIKeyEntries)
+			} else {
+				openAICompatCount += len(compatConfig.APIKeys)
+			}
 		}
 	}
 	return glAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount
 }
+
+func diffOpenAICompatibility(oldList, newList []config.OpenAICompatibility) []string {
+	changes := make([]string, 0)
+	oldMap := make(map[string]config.OpenAICompatibility, len(oldList))
+	oldLabels := make(map[string]string, len(oldList))
+	for idx, entry := range oldList {
+		key, label := openAICompatKey(entry, idx)
+		oldMap[key] = entry
+		oldLabels[key] = label
+	}
+	newMap := make(map[string]config.OpenAICompatibility, len(newList))
+	newLabels := make(map[string]string, len(newList))
+	for idx, entry := range newList {
+		key, label := openAICompatKey(entry, idx)
+		newMap[key] = entry
+		newLabels[key] = label
+	}
+	keySet := make(map[string]struct{}, len(oldMap)+len(newMap))
+	for key := range oldMap {
+		keySet[key] = struct{}{}
+	}
+	for key := range newMap {
+		keySet[key] = struct{}{}
+	}
+	orderedKeys := make([]string, 0, len(keySet))
+	for key := range keySet {
+		orderedKeys = append(orderedKeys, key)
+	}
+	sort.Strings(orderedKeys)
+	for _, key := range orderedKeys {
+		oldEntry, oldOk := oldMap[key]
+		newEntry, newOk := newMap[key]
+		label := oldLabels[key]
+		if label == "" {
+			label = newLabels[key]
+		}
+		switch {
+		case !oldOk:
+			changes = append(changes, fmt.Sprintf("provider added: %s (api-keys=%d, models=%d)", label, countAPIKeys(newEntry), countOpenAIModels(newEntry.Models)))
+		case !newOk:
+			changes = append(changes, fmt.Sprintf("provider removed: %s (api-keys=%d, models=%d)", label, countAPIKeys(oldEntry), countOpenAIModels(oldEntry.Models)))
+		default:
+			if detail := describeOpenAICompatibilityUpdate(oldEntry, newEntry); detail != "" {
+				changes = append(changes, fmt.Sprintf("provider updated: %s %s", label, detail))
+			}
+		}
+	}
+	return changes
+}
+
+func describeOpenAICompatibilityUpdate(oldEntry, newEntry config.OpenAICompatibility) string {
+	oldKeyCount := countAPIKeys(oldEntry)
+	newKeyCount := countAPIKeys(newEntry)
+	oldModelCount := countOpenAIModels(oldEntry.Models)
+	newModelCount := countOpenAIModels(newEntry.Models)
+	details := make([]string, 0, 2)
+	if oldKeyCount != newKeyCount {
+		details = append(details, fmt.Sprintf("api-keys %d -> %d", oldKeyCount, newKeyCount))
+	}
+	if oldModelCount != newModelCount {
+		details = append(details, fmt.Sprintf("models %d -> %d", oldModelCount, newModelCount))
+	}
+	if len(details) == 0 {
+		return ""
+	}
+	return "(" + strings.Join(details, ", ") + ")"
+}
+
+func countAPIKeys(entry config.OpenAICompatibility) int {
+	// Prefer new APIKeyEntries format
+	if len(entry.APIKeyEntries) > 0 {
+		count := 0
+		for _, keyEntry := range entry.APIKeyEntries {
+			if strings.TrimSpace(keyEntry.APIKey) != "" {
+				count++
+			}
+		}
+		return count
+	}
+	// Fall back to legacy APIKeys format
+	return countNonEmptyStrings(entry.APIKeys)
+}
+
+func countNonEmptyStrings(values []string) int {
+	count := 0
+	for _, value := range values {
+		if strings.TrimSpace(value) != "" {
+			count++
+		}
+	}
+	return count
+}
+
+func countOpenAIModels(models []config.OpenAICompatibilityModel) int {
+	count := 0
+	for _, model := range models {
+		name := strings.TrimSpace(model.Name)
+		alias := strings.TrimSpace(model.Alias)
+		if name == "" && alias == "" {
+			continue
+		}
+		count++
+	}
+	return count
+}
+
+func openAICompatKey(entry config.OpenAICompatibility, index int) (string, string) {
+	name := strings.TrimSpace(entry.Name)
+	if name != "" {
+		return "name:" + name, name
+	}
+	base := strings.TrimSpace(entry.BaseURL)
+	if base != "" {
+		return "base:" + base, base
+	}
+	for _, model := range entry.Models {
+		alias := strings.TrimSpace(model.Alias)
+		if alias == "" {
+			alias = strings.TrimSpace(model.Name)
+		}
+		if alias != "" {
+			return "alias:" + alias, alias
+		}
+	}
+	return fmt.Sprintf("index:%d", index), fmt.Sprintf("entry-%d", index+1)
+}
--- a/sdk/access/registry.go
+++ b/sdk/access/registry.go
@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"sync"

-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 )

 // Provider validates credentials for incoming requests.
@@ -23,7 +23,7 @@ type Result struct {
 }

 // ProviderFactory builds a provider from configuration data.
-type ProviderFactory func(cfg *config.AccessProvider, root *config.Config) (Provider, error)
+type ProviderFactory func(cfg *config.AccessProvider, root *config.SDKConfig) (Provider, error)

 var (
 	registryMu sync.RWMutex
@@ -40,7 +40,7 @@ func RegisterProvider(typ string, factory ProviderFactory) {
 	registryMu.Unlock()
 }

-func buildProvider(cfg *config.AccessProvider, root *config.Config) (Provider, error) {
+func BuildProvider(cfg *config.AccessProvider, root *config.SDKConfig) (Provider, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("access: nil provider config")
 	}
@@ -58,7 +58,7 @@ func buildProvider(cfg *config.AccessProvider, root *config.Config) (Provider, e
 }

 // BuildProviders constructs providers declared in configuration.
-func BuildProviders(root *config.Config) ([]Provider, error) {
+func BuildProviders(root *config.SDKConfig) ([]Provider, error) {
 	if root == nil {
 		return nil, nil
 	}
@@ -68,16 +68,15 @@ func BuildProviders(root *config.Config) ([]Provider, error) {
 		if providerCfg.Type == "" {
 			continue
 		}
-		provider, err := buildProvider(providerCfg, root)
+		provider, err := BuildProvider(providerCfg, root)
 		if err != nil {
 			return nil, err
 		}
 		providers = append(providers, provider)
 	}
-	if len(providers) == 0 && len(root.APIKeys) > 0 {
-		config.SyncInlineAPIKeys(root, root.APIKeys)
-		if providerCfg := root.ConfigAPIKeyProvider(); providerCfg != nil {
-			provider, err := buildProvider(providerCfg, root)
+	if len(providers) == 0 {
+		if inline := config.MakeInlineAPIKeyProvider(root.APIKeys); inline != nil {
+			provider, err := BuildProvider(inline, root)
 			if err != nil {
 				return nil, err
 			}
--- a/internal/api/handlers/claude/code_handlers.go
+++ b/internal/api/handlers/claude/code_handlers.go
@@ -14,10 +14,10 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/tidwall/gjson"
 )

--- a/internal/api/handlers/gemini/gemini-cli_handlers.go
+++ b/internal/api/handlers/gemini/gemini-cli_handlers.go
@@ -14,10 +14,10 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	log "github.com/sirupsen/logrus"
 	"github.com/tidwall/gjson"
 )
--- a/internal/api/handlers/gemini/gemini_handlers.go
+++ b/internal/api/handlers/gemini/gemini_handlers.go
@@ -13,10 +13,10 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 )

 // GeminiAPIHandler contains the handlers for Gemini API endpoints.
--- a/internal/api/handlers/handlers.go
+++ b/internal/api/handlers/handlers.go
@@ -8,11 +8,12 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	coreexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
 	"golang.org/x/net/context"
 )
@@ -45,9 +46,11 @@ type BaseAPIHandler struct {
 	AuthManager *coreauth.Manager

 	// Cfg holds the current application configuration.
-	Cfg *config.Config
+	Cfg *config.SDKConfig
 }

+const geminiWebProvider = "gemini-web"
+
 // NewBaseAPIHandlers creates a new API handlers instance.
 // It takes a slice of clients and configuration as input.
 //
@@ -57,7 +60,7 @@ type BaseAPIHandler struct {
 //
 // Returns:
 //   - *BaseAPIHandler: A new API handlers instance
-func NewBaseAPIHandlers(cfg *config.Config, authManager *coreauth.Manager) *BaseAPIHandler {
+func NewBaseAPIHandlers(cfg *config.SDKConfig, authManager *coreauth.Manager) *BaseAPIHandler {
 	return &BaseAPIHandler{
 		Cfg:         cfg,
 		AuthManager: authManager,
@@ -70,7 +73,7 @@ func NewBaseAPIHandlers(cfg *config.Config, authManager *coreauth.Manager) *Base
 // Parameters:
 //   - clients: The new slice of AI service clients
 //   - cfg: The new application configuration
-func (h *BaseAPIHandler) UpdateClients(cfg *config.Config) { h.Cfg = cfg }
+func (h *BaseAPIHandler) UpdateClients(cfg *config.SDKConfig) { h.Cfg = cfg }

 // GetAlt extracts the 'alt' parameter from the request query string.
 // It checks both 'alt' and '$alt' parameters and returns the appropriate value.
@@ -133,10 +136,11 @@ func (h *BaseAPIHandler) GetContextWithCancel(handler interfaces.APIHandler, c *
 // ExecuteWithAuthManager executes a non-streaming request via the core auth manager.
 // This path is the only supported execution route.
 func (h *BaseAPIHandler) ExecuteWithAuthManager(ctx context.Context, handlerType, modelName string, rawJSON []byte, alt string) ([]byte, *interfaces.ErrorMessage) {
-	providers := util.GetProviderName(modelName, h.Cfg)
+	providers := util.GetProviderName(modelName)
 	if len(providers) == 0 {
 		return nil, &interfaces.ErrorMessage{StatusCode: http.StatusBadRequest, Error: fmt.Errorf("unknown provider for model %s", modelName)}
 	}
+	metadata := h.buildGeminiWebMetadata(handlerType, providers, rawJSON)
 	req := coreexecutor.Request{
 		Model:   modelName,
 		Payload: cloneBytes(rawJSON),
@@ -146,6 +150,7 @@ func (h *BaseAPIHandler) ExecuteWithAuthManager(ctx context.Context, handlerType
 		Alt:             alt,
 		OriginalRequest: cloneBytes(rawJSON),
 		SourceFormat:    sdktranslator.FromString(handlerType),
+		Metadata:        metadata,
 	}
 	resp, err := h.AuthManager.Execute(ctx, providers, req, opts)
 	if err != nil {
@@ -157,10 +162,11 @@ func (h *BaseAPIHandler) ExecuteWithAuthManager(ctx context.Context, handlerType
 // ExecuteCountWithAuthManager executes a non-streaming request via the core auth manager.
 // This path is the only supported execution route.
 func (h *BaseAPIHandler) ExecuteCountWithAuthManager(ctx context.Context, handlerType, modelName string, rawJSON []byte, alt string) ([]byte, *interfaces.ErrorMessage) {
-	providers := util.GetProviderName(modelName, h.Cfg)
+	providers := util.GetProviderName(modelName)
 	if len(providers) == 0 {
 		return nil, &interfaces.ErrorMessage{StatusCode: http.StatusBadRequest, Error: fmt.Errorf("unknown provider for model %s", modelName)}
 	}
+	metadata := h.buildGeminiWebMetadata(handlerType, providers, rawJSON)
 	req := coreexecutor.Request{
 		Model:   modelName,
 		Payload: cloneBytes(rawJSON),
@@ -170,6 +176,7 @@ func (h *BaseAPIHandler) ExecuteCountWithAuthManager(ctx context.Context, handle
 		Alt:             alt,
 		OriginalRequest: cloneBytes(rawJSON),
 		SourceFormat:    sdktranslator.FromString(handlerType),
+		Metadata:        metadata,
 	}
 	resp, err := h.AuthManager.ExecuteCount(ctx, providers, req, opts)
 	if err != nil {
@@ -181,13 +188,14 @@ func (h *BaseAPIHandler) ExecuteCountWithAuthManager(ctx context.Context, handle
 // ExecuteStreamWithAuthManager executes a streaming request via the core auth manager.
 // This path is the only supported execution route.
 func (h *BaseAPIHandler) ExecuteStreamWithAuthManager(ctx context.Context, handlerType, modelName string, rawJSON []byte, alt string) (<-chan []byte, <-chan *interfaces.ErrorMessage) {
-	providers := util.GetProviderName(modelName, h.Cfg)
+	providers := util.GetProviderName(modelName)
 	if len(providers) == 0 {
 		errChan := make(chan *interfaces.ErrorMessage, 1)
 		errChan <- &interfaces.ErrorMessage{StatusCode: http.StatusBadRequest, Error: fmt.Errorf("unknown provider for model %s", modelName)}
 		close(errChan)
 		return nil, errChan
 	}
+	metadata := h.buildGeminiWebMetadata(handlerType, providers, rawJSON)
 	req := coreexecutor.Request{
 		Model:   modelName,
 		Payload: cloneBytes(rawJSON),
@@ -197,6 +205,7 @@ func (h *BaseAPIHandler) ExecuteStreamWithAuthManager(ctx context.Context, handl
 		Alt:             alt,
 		OriginalRequest: cloneBytes(rawJSON),
 		SourceFormat:    sdktranslator.FromString(handlerType),
+		Metadata:        metadata,
 	}
 	chunks, err := h.AuthManager.ExecuteStream(ctx, providers, req, opts)
 	if err != nil {
@@ -232,6 +241,18 @@ func cloneBytes(src []byte) []byte {
 	return dst
 }

+func (h *BaseAPIHandler) buildGeminiWebMetadata(handlerType string, providers []string, rawJSON []byte) map[string]any {
+	if !util.InArray(providers, geminiWebProvider) {
+		return nil
+	}
+	meta := make(map[string]any)
+	msgs := conversation.ExtractMessages(handlerType, rawJSON)
+	if len(msgs) > 0 {
+		meta[conversation.MetadataMessagesKey] = msgs
+	}
+	return meta
+}
+
 // WriteErrorResponse writes an error message to the response writer using the HTTP status embedded in the message.
 func (h *BaseAPIHandler) WriteErrorResponse(c *gin.Context, msg *interfaces.ErrorMessage) {
 	status := http.StatusInternalServerError
--- a/internal/api/handlers/openai/openai_handlers.go
+++ b/internal/api/handlers/openai/openai_handlers.go
@@ -14,10 +14,10 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )
--- a/internal/api/handlers/openai/openai_responses_handlers.go
+++ b/internal/api/handlers/openai/openai_responses_handlers.go
@@ -14,10 +14,10 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/tidwall/gjson"
 )

--- a/sdk/auth/claude.go
+++ b/sdk/auth/claude.go
@@ -13,6 +13,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )

@@ -35,7 +36,7 @@ func (a *ClaudeAuthenticator) RefreshLead() *time.Duration {
 	return &d
 }

-func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -80,22 +81,22 @@ func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 	state = returnedState

 	if !opts.NoBrowser {
-		log.Info("Opening browser for Claude authentication")
+		fmt.Println("Opening browser for Claude authentication")
 		if !browser.IsAvailable() {
 			log.Warn("No browser available; please open the URL manually")
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		} else if err = browser.OpenURL(authURL); err != nil {
 			log.Warnf("Failed to open browser automatically: %v", err)
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		}
 	} else {
 		util.PrintSSHTunnelInstructions(a.CallbackPort)
-		log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 	}

-	log.Info("Waiting for Claude authentication callback...")
+	fmt.Println("Waiting for Claude authentication callback...")

 	result, err := oauthServer.WaitForCallback(5 * time.Minute)
 	if err != nil {
@@ -127,16 +128,17 @@ func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 	}

 	fileName := fmt.Sprintf("claude-%s.json", tokenStorage.Email)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email": tokenStorage.Email,
 	}

-	log.Info("Claude authentication successful")
+	fmt.Println("Claude authentication successful")
 	if authBundle.APIKey != "" {
-		log.Info("Claude API key obtained and stored")
+		fmt.Println("Claude API key obtained and stored")
 	}

-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  tokenStorage,
--- a/sdk/auth/codex.go
+++ b/sdk/auth/codex.go
@@ -13,6 +13,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )

@@ -35,7 +36,7 @@ func (a *CodexAuthenticator) RefreshLead() *time.Duration {
 	return &d
 }

-func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -79,22 +80,22 @@ func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	}

 	if !opts.NoBrowser {
-		log.Info("Opening browser for Codex authentication")
+		fmt.Println("Opening browser for Codex authentication")
 		if !browser.IsAvailable() {
 			log.Warn("No browser available; please open the URL manually")
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		} else if err = browser.OpenURL(authURL); err != nil {
 			log.Warnf("Failed to open browser automatically: %v", err)
 			util.PrintSSHTunnelInstructions(a.CallbackPort)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		}
 	} else {
 		util.PrintSSHTunnelInstructions(a.CallbackPort)
-		log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 	}

-	log.Info("Waiting for Codex authentication callback...")
+	fmt.Println("Waiting for Codex authentication callback...")

 	result, err := oauthServer.WaitForCallback(5 * time.Minute)
 	if err != nil {
@@ -126,16 +127,17 @@ func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	}

 	fileName := fmt.Sprintf("codex-%s.json", tokenStorage.Email)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email": tokenStorage.Email,
 	}

-	log.Info("Codex authentication successful")
+	fmt.Println("Codex authentication successful")
 	if authBundle.APIKey != "" {
-		log.Info("Codex API key obtained and stored")
+		fmt.Println("Codex API key obtained and stored")
 	}

-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  tokenStorage,
--- a/sdk/auth/filestore.go
+++ b/sdk/auth/filestore.go
@@ -11,7 +11,6 @@ import (
 	"sync"
 	"time"

-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )

@@ -35,27 +34,71 @@ func (s *FileTokenStore) SetBaseDir(dir string) {
 	s.dirLock.Unlock()
 }

-// Save writes the token storage to the resolved file path.
-func (s *FileTokenStore) Save(ctx context.Context, cfg *config.Config, record *TokenRecord) (string, error) {
-	if record == nil || record.Storage == nil {
-		return "", fmt.Errorf("cliproxy auth: token record is incomplete")
+// Save persists token storage and metadata to the resolved auth file path.
+func (s *FileTokenStore) Save(ctx context.Context, auth *cliproxyauth.Auth) (string, error) {
+	if auth == nil {
+		return "", fmt.Errorf("auth filestore: auth is nil")
 	}
-	target := strings.TrimSpace(record.FileName)
-	if target == "" {
-		return "", fmt.Errorf("cliproxy auth: missing file name for provider %s", record.Provider)
-	}
-	if !filepath.IsAbs(target) {
-		baseDir := s.baseDirFromConfig(cfg)
-		if baseDir != "" {
-			target = filepath.Join(baseDir, target)
-		}
-	}
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if err := record.Storage.SaveTokenToFile(target); err != nil {
+
+	path, err := s.resolveAuthPath(auth)
+	if err != nil {
 		return "", err
 	}
-	return target, nil
+	if path == "" {
+		return "", fmt.Errorf("auth filestore: missing file path attribute for %s", auth.ID)
+	}
+
+	if auth.Disabled {
+		if _, statErr := os.Stat(path); os.IsNotExist(statErr) {
+			return "", nil
+		}
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if err = os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return "", fmt.Errorf("auth filestore: create dir failed: %w", err)
+	}
+
+	switch {
+	case auth.Storage != nil:
+		if err = auth.Storage.SaveTokenToFile(path); err != nil {
+			return "", err
+		}
+	case auth.Metadata != nil:
+		raw, errMarshal := json.Marshal(auth.Metadata)
+		if errMarshal != nil {
+			return "", fmt.Errorf("auth filestore: marshal metadata failed: %w", errMarshal)
+		}
+		if existing, errRead := os.ReadFile(path); errRead == nil {
+			if jsonEqual(existing, raw) {
+				return path, nil
+			}
+		} else if errRead != nil && !os.IsNotExist(errRead) {
+			return "", fmt.Errorf("auth filestore: read existing failed: %w", errRead)
+		}
+		tmp := path + ".tmp"
+		if errWrite := os.WriteFile(tmp, raw, 0o600); errWrite != nil {
+			return "", fmt.Errorf("auth filestore: write temp failed: %w", errWrite)
+		}
+		if errRename := os.Rename(tmp, path); errRename != nil {
+			return "", fmt.Errorf("auth filestore: rename failed: %w", errRename)
+		}
+	default:
+		return "", fmt.Errorf("auth filestore: nothing to persist for %s", auth.ID)
+	}
+
+	if auth.Attributes == nil {
+		auth.Attributes = make(map[string]string)
+	}
+	auth.Attributes["path"] = path
+
+	if strings.TrimSpace(auth.FileName) == "" {
+		auth.FileName = auth.ID
+	}
+
+	return path, nil
 }

 // List enumerates all auth JSON files under the configured directory.
@@ -90,50 +133,6 @@ func (s *FileTokenStore) List(ctx context.Context) ([]*cliproxyauth.Auth, error)
 	return entries, nil
 }

-// SaveAuth writes the auth metadata back to its source file location.
-func (s *FileTokenStore) SaveAuth(ctx context.Context, auth *cliproxyauth.Auth) error {
-	if auth == nil {
-		return fmt.Errorf("auth filestore: auth is nil")
-	}
-	path, err := s.resolveAuthPath(auth)
-	if err != nil {
-		return err
-	}
-	if path == "" {
-		return fmt.Errorf("auth filestore: missing file path attribute for %s", auth.ID)
-	}
-	// If the auth has been disabled and the original file was removed, avoid recreating it on disk.
-	if auth.Disabled {
-		if _, statErr := os.Stat(path); statErr != nil {
-			if os.IsNotExist(statErr) {
-				return nil
-			}
-		}
-	}
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if err = os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
-		return fmt.Errorf("auth filestore: create dir failed: %w", err)
-	}
-	raw, err := json.Marshal(auth.Metadata)
-	if err != nil {
-		return fmt.Errorf("auth filestore: marshal metadata failed: %w", err)
-	}
-	if existing, errRead := os.ReadFile(path); errRead == nil {
-		if jsonEqual(existing, raw) {
-			return nil
-		}
-	}
-	tmp := path + ".tmp"
-	if err = os.WriteFile(tmp, raw, 0o600); err != nil {
-		return fmt.Errorf("auth filestore: write temp failed: %w", err)
-	}
-	if err = os.Rename(tmp, path); err != nil {
-		return fmt.Errorf("auth filestore: rename failed: %w", err)
-	}
-	return nil
-}
-
 // Delete removes the auth file.
 func (s *FileTokenStore) Delete(ctx context.Context, id string) error {
 	id = strings.TrimSpace(id)
@@ -185,6 +184,7 @@ func (s *FileTokenStore) readAuthFile(path, baseDir string) (*cliproxyauth.Auth,
 	auth := &cliproxyauth.Auth{
 		ID:               id,
 		Provider:         provider,
+		FileName:         id,
 		Label:            s.labelFor(metadata),
 		Status:           cliproxyauth.StatusActive,
 		Attributes:       map[string]string{"path": path},
@@ -220,6 +220,15 @@ func (s *FileTokenStore) resolveAuthPath(auth *cliproxyauth.Auth) (string, error
 			return p, nil
 		}
 	}
+	if fileName := strings.TrimSpace(auth.FileName); fileName != "" {
+		if filepath.IsAbs(fileName) {
+			return fileName, nil
+		}
+		if dir := s.baseDirSnapshot(); dir != "" {
+			return filepath.Join(dir, fileName), nil
+		}
+		return fileName, nil
+	}
 	if auth.ID == "" {
 		return "", fmt.Errorf("auth filestore: missing id")
 	}
@@ -249,13 +258,6 @@ func (s *FileTokenStore) labelFor(metadata map[string]any) string {
 	return ""
 }

-func (s *FileTokenStore) baseDirFromConfig(cfg *config.Config) string {
-	if cfg != nil && strings.TrimSpace(cfg.AuthDir) != "" {
-		return strings.TrimSpace(cfg.AuthDir)
-	}
-	return s.baseDirSnapshot()
-}
-
 func (s *FileTokenStore) baseDirSnapshot() string {
 	s.dirLock.RLock()
 	defer s.dirLock.RUnlock()
--- a/sdk/auth/gemini-web.go
+++ b/sdk/auth/gemini-web.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )

 // GeminiWebAuthenticator provides a minimal wrapper so core components can treat
@@ -16,7 +17,7 @@ func NewGeminiWebAuthenticator() *GeminiWebAuthenticator { return &GeminiWebAuth

 func (a *GeminiWebAuthenticator) Provider() string { return "gemini-web" }

-func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	_ = ctx
 	_ = cfg
 	_ = opts
@@ -24,6 +25,6 @@ func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config,
 }

 func (a *GeminiWebAuthenticator) RefreshLead() *time.Duration {
-	d := 15 * time.Minute
+	d := time.Hour
 	return &d
 }
--- a/sdk/auth/gemini.go
+++ b/sdk/auth/gemini.go
@@ -8,7 +8,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	// legacy client removed
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
-	log "github.com/sirupsen/logrus"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )

 // GeminiAuthenticator implements the login flow for Google Gemini CLI accounts.
@@ -27,7 +27,7 @@ func (a *GeminiAuthenticator) RefreshLead() *time.Duration {
 	return nil
 }

-func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -52,14 +52,15 @@ func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 	// Skip onboarding here; rely on upstream configuration

 	fileName := fmt.Sprintf("%s-%s.json", ts.Email, ts.ProjectID)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email":      ts.Email,
 		"project_id": ts.ProjectID,
 	}

-	log.Info("Gemini authentication successful")
+	fmt.Println("Gemini authentication successful")

-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  &ts,
--- a/sdk/auth/interfaces.go
+++ b/sdk/auth/interfaces.go
@@ -5,8 +5,8 @@ import (
 	"errors"
 	"time"

-	baseauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )

 var ErrRefreshNotSupported = errors.New("cliproxy auth: refresh not supported")
@@ -20,22 +20,9 @@ type LoginOptions struct {
 	Prompt    func(prompt string) (string, error)
 }

-// TokenRecord represents credential material produced by an authenticator.
-type TokenRecord struct {
-	Provider string
-	FileName string
-	Storage  baseauth.TokenStorage
-	Metadata map[string]string
-}
-
-// TokenStore persists token records.
-type TokenStore interface {
-	Save(ctx context.Context, cfg *config.Config, record *TokenRecord) (string, error)
-}
-
 // Authenticator manages login and optional refresh flows for a provider.
 type Authenticator interface {
 	Provider() string
-	Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error)
+	Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error)
 	RefreshLead() *time.Duration
 }
--- a/sdk/auth/manager.go
+++ b/sdk/auth/manager.go
@@ -5,17 +5,18 @@ import (
 	"fmt"

 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )

 // Manager aggregates authenticators and coordinates persistence via a token store.
 type Manager struct {
 	authenticators map[string]Authenticator
-	store          TokenStore
+	store          coreauth.Store
 }

 // NewManager constructs a manager with the provided token store and authenticators.
 // If store is nil, the caller must set it later using SetStore.
-func NewManager(store TokenStore, authenticators ...Authenticator) *Manager {
+func NewManager(store coreauth.Store, authenticators ...Authenticator) *Manager {
 	mgr := &Manager{
 		authenticators: make(map[string]Authenticator),
 		store:          store,
@@ -38,12 +39,12 @@ func (m *Manager) Register(a Authenticator) {
 }

 // SetStore updates the token store used for persistence.
-func (m *Manager) SetStore(store TokenStore) {
+func (m *Manager) SetStore(store coreauth.Store) {
 	m.store = store
 }

-// Login executes the provider login flow and persists the resulting token record.
-func (m *Manager) Login(ctx context.Context, provider string, cfg *config.Config, opts *LoginOptions) (*TokenRecord, string, error) {
+// Login executes the provider login flow and persists the resulting auth record.
+func (m *Manager) Login(ctx context.Context, provider string, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, string, error) {
 	auth, ok := m.authenticators[provider]
 	if !ok {
 		return nil, "", fmt.Errorf("cliproxy auth: authenticator %s not registered", provider)
@@ -61,7 +62,13 @@ func (m *Manager) Login(ctx context.Context, provider string, cfg *config.Config
 		return record, "", nil
 	}

-	savedPath, err := m.store.Save(ctx, cfg, record)
+	if cfg != nil {
+		if dirSetter, ok := m.store.(interface{ SetBaseDir(string) }); ok {
+			dirSetter.SetBaseDir(cfg.AuthDir)
+		}
+	}
+
+	savedPath, err := m.store.Save(ctx, record)
 	if err != nil {
 		return record, "", err
 	}
--- a/sdk/auth/qwen.go
+++ b/sdk/auth/qwen.go
@@ -10,6 +10,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/browser"
 	// legacy client removed
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )

@@ -30,7 +31,7 @@ func (a *QwenAuthenticator) RefreshLead() *time.Duration {
 	return &d
 }

-func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -51,19 +52,19 @@ func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	authURL := deviceFlow.VerificationURIComplete

 	if !opts.NoBrowser {
-		log.Info("Opening browser for Qwen authentication")
+		fmt.Println("Opening browser for Qwen authentication")
 		if !browser.IsAvailable() {
 			log.Warn("No browser available; please open the URL manually")
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		} else if err = browser.OpenURL(authURL); err != nil {
 			log.Warnf("Failed to open browser automatically: %v", err)
-			log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 		}
 	} else {
-		log.Infof("Visit the following URL to continue authentication:\n%s", authURL)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
 	}

-	log.Info("Waiting for Qwen authentication...")
+	fmt.Println("Waiting for Qwen authentication...")

 	tokenData, err := authSvc.PollForToken(deviceFlow.DeviceCode, deviceFlow.CodeVerifier)
 	if err != nil {
@@ -97,13 +98,14 @@ func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	// no legacy client construction

 	fileName := fmt.Sprintf("qwen-%s.json", tokenStorage.Email)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email": tokenStorage.Email,
 	}

-	log.Info("Qwen authentication successful")
+	fmt.Println("Qwen authentication successful")

-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  tokenStorage,
--- a/sdk/auth/store_registry.go
+++ b/sdk/auth/store_registry.go
@@ -1,31 +1,35 @@
 package auth

-import "sync"
+import (
+	"sync"
+
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)

 var (
-	storeMu              sync.RWMutex
-	registeredTokenStore TokenStore
+	storeMu         sync.RWMutex
+	registeredStore coreauth.Store
 )

 // RegisterTokenStore sets the global token store used by the authentication helpers.
-func RegisterTokenStore(store TokenStore) {
+func RegisterTokenStore(store coreauth.Store) {
 	storeMu.Lock()
-	registeredTokenStore = store
+	registeredStore = store
 	storeMu.Unlock()
 }

 // GetTokenStore returns the globally registered token store.
-func GetTokenStore() TokenStore {
+func GetTokenStore() coreauth.Store {
 	storeMu.RLock()
-	s := registeredTokenStore
+	s := registeredStore
 	storeMu.RUnlock()
 	if s != nil {
 		return s
 	}
 	storeMu.Lock()
 	defer storeMu.Unlock()
-	if registeredTokenStore == nil {
-		registeredTokenStore = NewFileTokenStore()
+	if registeredStore == nil {
+		registeredStore = NewFileTokenStore()
 	}
-	return registeredTokenStore
+	return registeredStore
 }
--- a/sdk/cliproxy/auth/manager.go
+++ b/sdk/cliproxy/auth/manager.go
@@ -286,7 +286,8 @@ func (m *Manager) executeWithProvider(ctx context.Context, provider string, req
 		} else if accountType == "oauth" {
 			log.Debugf("Use OAuth %s for model %s", accountInfo, req.Model)
 		} else if accountType == "cookie" {
-			log.Debugf("Use Cookie %s for model %s", util.HideAPIKey(accountInfo), req.Model)
+			// Only Gemini Web uses cookie; print stable account label as-is.
+			log.Debugf("Use Cookie %s for model %s", accountInfo, req.Model)
 		}

 		tried[auth.ID] = struct{}{}
@@ -333,7 +334,7 @@ func (m *Manager) executeCountWithProvider(ctx context.Context, provider string,
 		} else if accountType == "oauth" {
 			log.Debugf("Use OAuth %s for model %s", accountInfo, req.Model)
 		} else if accountType == "cookie" {
-			log.Debugf("Use Cookie %s for model %s", util.HideAPIKey(accountInfo), req.Model)
+			log.Debugf("Use Cookie %s for model %s", accountInfo, req.Model)
 		}

 		tried[auth.ID] = struct{}{}
@@ -380,7 +381,7 @@ func (m *Manager) executeStreamWithProvider(ctx context.Context, provider string
 		} else if accountType == "oauth" {
 			log.Debugf("Use OAuth %s for model %s", accountInfo, req.Model)
 		} else if accountType == "cookie" {
-			log.Debugf("Use Cookie %s for model %s", util.HideAPIKey(accountInfo), req.Model)
+			log.Debugf("Use Cookie %s for model %s", accountInfo, req.Model)
 		}

 		tried[auth.ID] = struct{}{}
@@ -817,7 +818,8 @@ func (m *Manager) persist(ctx context.Context, auth *Auth) error {
 	if auth.Metadata == nil {
 		return nil
 	}
-	return m.store.SaveAuth(ctx, auth)
+	_, err := m.store.Save(ctx, auth)
+	return err
 }

 // StartAutoRefresh launches a background loop that evaluates auth freshness
--- a/sdk/cliproxy/auth/selector.go
+++ b/sdk/cliproxy/auth/selector.go
@@ -2,6 +2,7 @@ package auth

 import (
 	"context"
+	"sort"
 	"sync"
 	"time"

@@ -36,6 +37,10 @@ func (s *RoundRobinSelector) Pick(ctx context.Context, provider, model string, o
 	if len(available) == 0 {
 		return nil, &Error{Code: "auth_unavailable", Message: "no auth available"}
 	}
+	// Make round-robin deterministic even if caller's candidate order is unstable.
+	if len(available) > 1 {
+		sort.Slice(available, func(i, j int) bool { return available[i].ID < available[j].ID })
+	}
 	key := provider + ":" + model
 	s.mu.Lock()
 	index := s.cursors[key]
@@ -57,21 +62,32 @@ func isAuthBlockedForModel(auth *Auth, model string, now time.Time) bool {
 	if auth.Disabled || auth.Status == StatusDisabled {
 		return true
 	}
-	if model != "" && len(auth.ModelStates) > 0 {
-		if state, ok := auth.ModelStates[model]; ok && state != nil {
-			if state.Status == StatusDisabled {
-				return true
-			}
-			if state.Unavailable {
-				if state.NextRetryAfter.IsZero() {
-					return false
-				}
-				if state.NextRetryAfter.After(now) {
+	// If a specific model is requested, prefer its per-model state over any aggregated
+	// auth-level unavailable flag. This prevents a failure on one model (e.g., 429 quota)
+	// from blocking other models of the same provider that have no errors.
+	if model != "" {
+		if len(auth.ModelStates) > 0 {
+			if state, ok := auth.ModelStates[model]; ok && state != nil {
+				if state.Status == StatusDisabled {
 					return true
 				}
+				if state.Unavailable {
+					if state.NextRetryAfter.IsZero() {
+						return false
+					}
+					if state.NextRetryAfter.After(now) {
+						return true
+					}
+				}
+				// Explicit state exists and is not blocking.
+				return false
 			}
 		}
+		// No explicit state for this model; do not block based on aggregated
+		// auth-level unavailable status. Allow trying this model.
+		return false
 	}
+	// No specific model context: fall back to auth-level unavailable window.
 	if auth.Unavailable && auth.NextRetryAfter.After(now) {
 		return true
 	}
--- a/sdk/cliproxy/auth/selector_rr.go
+++ b/sdk/cliproxy/auth/selector_rr.go
@@ -0,0 +1,125 @@
+package auth
+
+import (
+	"context"
+	"strings"
+
+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
+	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	geminiWebProviderKey = "gemini-web"
+)
+
+type geminiWebStickySelector struct {
+	base Selector
+}
+
+func NewGeminiWebStickySelector(base Selector) Selector {
+	if selector, ok := base.(*geminiWebStickySelector); ok {
+		return selector
+	}
+	if base == nil {
+		base = &RoundRobinSelector{}
+	}
+	return &geminiWebStickySelector{base: base}
+}
+
+func (m *Manager) EnableGeminiWebStickySelector() {
+	if m == nil {
+		return
+	}
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if _, ok := m.selector.(*geminiWebStickySelector); ok {
+		return
+	}
+	m.selector = NewGeminiWebStickySelector(m.selector)
+}
+
+func (s *geminiWebStickySelector) Pick(ctx context.Context, provider, model string, opts cliproxyexecutor.Options, auths []*Auth) (*Auth, error) {
+	if !strings.EqualFold(provider, geminiWebProviderKey) {
+		if opts.Metadata != nil {
+			delete(opts.Metadata, conversation.MetadataMatchKey)
+		}
+		return s.base.Pick(ctx, provider, model, opts, auths)
+	}
+
+	messages := extractGeminiWebMessages(opts.Metadata)
+	if len(messages) >= 2 {
+		normalizedModel := conversation.NormalizeModel(model)
+		candidates := conversation.BuildLookupHashes(normalizedModel, messages)
+		for _, candidate := range candidates {
+			record, ok, err := conversation.LookupMatch(candidate.Hash)
+			if err != nil {
+				log.Warnf("gemini-web selector: lookup failed for hash %s: %v", candidate.Hash, err)
+				continue
+			}
+			if !ok {
+				continue
+			}
+			label := strings.TrimSpace(record.AccountLabel)
+			if label == "" {
+				continue
+			}
+			auth := findAuthByLabel(auths, label)
+			if auth != nil {
+				if opts.Metadata != nil {
+					opts.Metadata[conversation.MetadataMatchKey] = &conversation.MatchResult{
+						Hash:   candidate.Hash,
+						Record: record,
+						Model:  normalizedModel,
+					}
+				}
+				return auth, nil
+			}
+			_ = conversation.RemoveMatchForLabel(candidate.Hash, label)
+		}
+	}
+
+	return s.base.Pick(ctx, provider, model, opts, auths)
+}
+
+func extractGeminiWebMessages(metadata map[string]any) []conversation.Message {
+	if metadata == nil {
+		return nil
+	}
+	raw, ok := metadata[conversation.MetadataMessagesKey]
+	if !ok {
+		return nil
+	}
+	switch v := raw.(type) {
+	case []conversation.Message:
+		return v
+	case *[]conversation.Message:
+		if v == nil {
+			return nil
+		}
+		return *v
+	default:
+		return nil
+	}
+}
+
+func findAuthByLabel(auths []*Auth, label string) *Auth {
+	if len(auths) == 0 {
+		return nil
+	}
+	normalized := strings.ToLower(strings.TrimSpace(label))
+	for _, auth := range auths {
+		if auth == nil {
+			continue
+		}
+		if strings.ToLower(strings.TrimSpace(auth.Label)) == normalized {
+			return auth
+		}
+		if auth.Metadata != nil {
+			if v, ok := auth.Metadata["label"].(string); ok && strings.ToLower(strings.TrimSpace(v)) == normalized {
+				return auth
+			}
+		}
+	}
+	return nil
+}
--- a/sdk/cliproxy/auth/store.go
+++ b/sdk/cliproxy/auth/store.go
@@ -6,8 +6,8 @@ import "context"
 type Store interface {
 	// List returns all auth records stored in the backend.
 	List(ctx context.Context) ([]*Auth, error)
-	// SaveAuth persists the provided auth record, replacing any existing one with same ID.
-	SaveAuth(ctx context.Context, auth *Auth) error
+	// Save persists the provided auth record, replacing any existing one with same ID.
+	Save(ctx context.Context, auth *Auth) (string, error)
 	// Delete removes the auth record identified by id.
 	Delete(ctx context.Context, id string) error
 }
--- a/sdk/cliproxy/auth/types.go
+++ b/sdk/cliproxy/auth/types.go
@@ -6,6 +6,8 @@ import (
 	"strings"
 	"sync"
 	"time"
+
+	baseauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth"
 )

 // Auth encapsulates the runtime state and metadata associated with a single credential.
@@ -14,6 +16,10 @@ type Auth struct {
 	ID string `json:"id"`
 	// Provider is the upstream provider key (e.g. "gemini", "claude").
 	Provider string `json:"provider"`
+	// FileName stores the relative or absolute path of the backing auth file.
+	FileName string `json:"-"`
+	// Storage holds the token persistence implementation used during login flows.
+	Storage baseauth.TokenStorage `json:"-"`
 	// Label is an optional human readable label for logging.
 	Label string `json:"label,omitempty"`
 	// Status is the lifecycle status managed by the AuthManager.
@@ -128,7 +134,15 @@ func (a *Auth) AccountInfo() (string, string) {
 	if a == nil {
 		return "", ""
 	}
+	// For Gemini Web, prefer explicit cookie label for stability.
 	if strings.ToLower(a.Provider) == "gemini-web" {
+		// Prefer explicit label written into auth file (e.g., gemini-web-<hash>)
+		if a.Metadata != nil {
+			if v, ok := a.Metadata["label"].(string); ok && strings.TrimSpace(v) != "" {
+				return "cookie", strings.TrimSpace(v)
+			}
+		}
+		// Minimal fallback to cookie value for backward compatibility
 		if a.Metadata != nil {
 			if v, ok := a.Metadata["secure_1psid"].(string); ok && v != "" {
 				return "cookie", v
@@ -137,12 +151,20 @@ func (a *Auth) AccountInfo() (string, string) {
 				return "cookie", v
 			}
 		}
-		if a.Attributes != nil {
-			if v := a.Attributes["secure_1psid"]; v != "" {
-				return "cookie", v
-			}
-			if v := a.Attributes["api_key"]; v != "" {
-				return "cookie", v
+	}
+	// For Gemini CLI, include project ID in the OAuth account info if present.
+	if strings.ToLower(a.Provider) == "gemini-cli" {
+		if a.Metadata != nil {
+			email, _ := a.Metadata["email"].(string)
+			email = strings.TrimSpace(email)
+			if email != "" {
+				if p, ok := a.Metadata["project_id"].(string); ok {
+					p = strings.TrimSpace(p)
+					if p != "" {
+						return "oauth", email + " (" + p + ")"
+					}
+				}
+				return "oauth", email
 			}
 		}
 	}
--- a/sdk/cliproxy/builder.go
+++ b/sdk/cliproxy/builder.go
@@ -142,6 +142,15 @@ func (b *Builder) WithServerOptions(opts ...api.ServerOption) *Builder {
 	return b
 }

+// WithLocalManagementPassword configures a password that is only accepted from localhost management requests.
+func (b *Builder) WithLocalManagementPassword(password string) *Builder {
+	if password == "" {
+		return b
+	}
+	b.serverOptions = append(b.serverOptions, api.WithLocalManagementPassword(password))
+	return b
+}
+
 // Build validates inputs, applies defaults, and returns a ready-to-run service.
 func (b *Builder) Build() (*Service, error) {
 	if b.cfg == nil {
@@ -175,7 +184,8 @@ func (b *Builder) Build() (*Service, error) {
 	if accessManager == nil {
 		accessManager = sdkaccess.NewManager()
 	}
-	providers, err := sdkaccess.BuildProviders(b.cfg)
+
+	providers, err := sdkaccess.BuildProviders(&b.cfg.SDKConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -187,11 +197,7 @@ func (b *Builder) Build() (*Service, error) {
 		if dirSetter, ok := tokenStore.(interface{ SetBaseDir(string) }); ok && b.cfg != nil {
 			dirSetter.SetBaseDir(b.cfg.AuthDir)
 		}
-		store, ok := tokenStore.(coreauth.Store)
-		if !ok {
-			return nil, fmt.Errorf("cliproxy: token store does not implement coreauth.Store")
-		}
-		coreManager = coreauth.NewManager(store, nil, nil)
+		coreManager = coreauth.NewManager(tokenStore, nil, nil)
 	}
 	// Attach a default RoundTripper provider so providers can opt-in per-auth transports.
 	coreManager.SetRoundTripperProvider(newDefaultRoundTripperProvider())
--- a/sdk/cliproxy/executor/types.go
+++ b/sdk/cliproxy/executor/types.go
@@ -33,6 +33,8 @@ type Options struct {
 	OriginalRequest []byte
 	// SourceFormat identifies the inbound schema.
 	SourceFormat sdktranslator.Format
+	// Metadata carries extra execution hints shared across selection and executors.
+	Metadata map[string]any
 }

 // Response wraps either a full provider response or metadata for streaming flows.
--- a/sdk/cliproxy/rtprovider.go
+++ b/sdk/cliproxy/rtprovider.go
@@ -1,12 +1,16 @@
 package cliproxy

 import (
+	"context"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
 	"sync"

 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/proxy"
 )

 // defaultRoundTripperProvider returns a per-auth HTTP RoundTripper based on
@@ -25,27 +29,49 @@ func (p *defaultRoundTripperProvider) RoundTripperFor(auth *coreauth.Auth) http.
 	if auth == nil {
 		return nil
 	}
-	proxy := strings.TrimSpace(auth.ProxyURL)
-	if proxy == "" {
+	proxyStr := strings.TrimSpace(auth.ProxyURL)
+	if proxyStr == "" {
 		return nil
 	}
 	p.mu.RLock()
-	rt := p.cache[proxy]
+	rt := p.cache[proxyStr]
 	p.mu.RUnlock()
 	if rt != nil {
 		return rt
 	}
-	// Build HTTP/HTTPS proxy transport; ignore SOCKS for simplicity here.
-	u, err := url.Parse(proxy)
-	if err != nil {
+	// Parse the proxy URL to determine the scheme.
+	proxyURL, errParse := url.Parse(proxyStr)
+	if errParse != nil {
+		log.Errorf("parse proxy URL failed: %v", errParse)
 		return nil
 	}
-	if u.Scheme != "http" && u.Scheme != "https" {
+	var transport *http.Transport
+	// Handle different proxy schemes.
+	if proxyURL.Scheme == "socks5" {
+		// Configure SOCKS5 proxy with optional authentication.
+		username := proxyURL.User.Username()
+		password, _ := proxyURL.User.Password()
+		proxyAuth := &proxy.Auth{User: username, Password: password}
+		dialer, errSOCKS5 := proxy.SOCKS5("tcp", proxyURL.Host, proxyAuth, proxy.Direct)
+		if errSOCKS5 != nil {
+			log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5)
+			return nil
+		}
+		// Set up a custom transport using the SOCKS5 dialer.
+		transport = &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.Dial(network, addr)
+			},
+		}
+	} else if proxyURL.Scheme == "http" || proxyURL.Scheme == "https" {
+		// Configure HTTP or HTTPS proxy.
+		transport = &http.Transport{Proxy: http.ProxyURL(proxyURL)}
+	} else {
+		log.Errorf("unsupported proxy scheme: %s", proxyURL.Scheme)
 		return nil
 	}
-	transport := &http.Transport{Proxy: http.ProxyURL(u)}
 	p.mu.Lock()
-	p.cache[proxy] = transport
+	p.cache[proxyStr] = transport
 	p.mu.Unlock()
 	return transport
 }
--- a/sdk/cliproxy/service.go
+++ b/sdk/cliproxy/service.go
@@ -15,13 +15,12 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	geminiwebclient "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web"
+	conversation "github.com/router-for-me/CLIProxyAPI/v6/internal/provider/gemini-web/conversation"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/runtime/executor"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
-	_ "github.com/router-for-me/CLIProxyAPI/v6/sdk/access/providers/configapikey"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/usage"
@@ -107,18 +106,6 @@ func newDefaultAuthManager() *sdkAuth.Manager {
 	)
 }

-func (s *Service) refreshAccessProviders(cfg *config.Config) {
-	if s == nil || s.accessManager == nil || cfg == nil {
-		return
-	}
-	providers, err := sdkaccess.BuildProviders(cfg)
-	if err != nil {
-		log.Errorf("failed to rebuild request auth providers: %v", err)
-		return
-	}
-	s.accessManager.SetProviders(providers)
-}
-
 func (s *Service) ensureAuthUpdateQueue(ctx context.Context) {
 	if s == nil {
 		return
@@ -220,6 +207,23 @@ func (s *Service) applyCoreAuthRemoval(ctx context.Context, id string) {
 	}
 	GlobalModelRegistry().UnregisterClient(id)
 	if existing, ok := s.coreManager.GetByID(id); ok && existing != nil {
+		if strings.EqualFold(existing.Provider, "gemini-web") {
+			// Prefer the stable cookie label stored in metadata when available.
+			var label string
+			if existing.Metadata != nil {
+				if v, ok := existing.Metadata["label"].(string); ok {
+					label = strings.TrimSpace(v)
+				}
+			}
+			if label == "" {
+				label = strings.TrimSpace(existing.Label)
+			}
+			if label != "" {
+				if err := conversation.RemoveMatchesByLabel(label); err != nil {
+					log.Debugf("failed to remove gemini web sticky entries for %s: %v", label, err)
+				}
+			}
+		}
 		existing.Disabled = true
 		existing.Status = coreauth.StatusDisabled
 		if _, err := s.coreManager.Update(ctx, existing); err != nil {
@@ -239,6 +243,7 @@ func (s *Service) ensureExecutorsForAuth(a *coreauth.Auth) {
 		s.coreManager.RegisterExecutor(executor.NewGeminiCLIExecutor(s.cfg))
 	case "gemini-web":
 		s.coreManager.RegisterExecutor(executor.NewGeminiWebExecutor(s.cfg))
+		s.coreManager.EnableGeminiWebStickySelector()
 	case "claude":
 		s.coreManager.RegisterExecutor(executor.NewClaudeExecutor(s.cfg))
 	case "codex":
@@ -310,7 +315,6 @@ func (s *Service) Run(ctx context.Context) error {
 	// legacy clients removed; no caches to refresh

 	// handlers no longer depend on legacy clients; pass nil slice initially
-	s.refreshAccessProviders(s.cfg)
 	s.server = api.NewServer(s.cfg, s.coreManager, s.accessManager, s.configPath, s.serverOptions...)

 	if s.authManager == nil {
@@ -331,7 +335,7 @@ func (s *Service) Run(ctx context.Context) error {
 	}()

 	time.Sleep(100 * time.Millisecond)
-	log.Info("API server started successfully")
+	fmt.Println("API server started successfully")

 	if s.hooks.OnAfterStart != nil {
 		s.hooks.OnAfterStart(s)
@@ -347,7 +351,6 @@ func (s *Service) Run(ctx context.Context) error {
 		if newCfg == nil {
 			return
 		}
-		s.refreshAccessProviders(newCfg)
 		if s.server != nil {
 			s.server.UpdateClients(newCfg)
 		}
@@ -382,17 +385,6 @@ func (s *Service) Run(ctx context.Context) error {
 		log.Infof("core auth auto-refresh started (interval=%s)", interval)
 	}

-	authFileCount := util.CountAuthFiles(s.cfg.AuthDir)
-	totalNewClients := authFileCount + apiKeyResult.GeminiKeyCount + apiKeyResult.ClaudeKeyCount + apiKeyResult.CodexKeyCount + apiKeyResult.OpenAICompatCount
-	log.Infof("full client load complete - %d clients (%d auth files + %d GL API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
-		totalNewClients,
-		authFileCount,
-		apiKeyResult.GeminiKeyCount,
-		apiKeyResult.ClaudeKeyCount,
-		apiKeyResult.CodexKeyCount,
-		apiKeyResult.OpenAICompatCount,
-	)
-
 	select {
 	case <-ctx.Done():
 		log.Debug("service context cancelled, shutting down...")
@@ -509,22 +501,35 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		if s.cfg != nil {
 			providerKey := provider
 			compatName := strings.TrimSpace(a.Provider)
+			isCompatAuth := false
 			if strings.EqualFold(providerKey, "openai-compatibility") {
+				isCompatAuth = true
 				if a.Attributes != nil {
 					if v := strings.TrimSpace(a.Attributes["compat_name"]); v != "" {
 						compatName = v
 					}
 					if v := strings.TrimSpace(a.Attributes["provider_key"]); v != "" {
 						providerKey = strings.ToLower(v)
+						isCompatAuth = true
 					}
 				}
 				if providerKey == "openai-compatibility" && compatName != "" {
 					providerKey = strings.ToLower(compatName)
 				}
+			} else if a.Attributes != nil {
+				if v := strings.TrimSpace(a.Attributes["compat_name"]); v != "" {
+					compatName = v
+					isCompatAuth = true
+				}
+				if v := strings.TrimSpace(a.Attributes["provider_key"]); v != "" {
+					providerKey = strings.ToLower(v)
+					isCompatAuth = true
+				}
 			}
 			for i := range s.cfg.OpenAICompatibility {
 				compat := &s.cfg.OpenAICompatibility[i]
 				if strings.EqualFold(compat.Name, compatName) {
+					isCompatAuth = true
 					// Convert compatibility models to registry models
 					ms := make([]*ModelInfo, 0, len(compat.Models))
 					for j := range compat.Models {
@@ -544,10 +549,18 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 							providerKey = "openai-compatibility"
 						}
 						GlobalModelRegistry().RegisterClient(a.ID, providerKey, ms)
+					} else {
+						// Ensure stale registrations are cleared when model list becomes empty.
+						GlobalModelRegistry().UnregisterClient(a.ID)
 					}
 					return
 				}
 			}
+			if isCompatAuth {
+				// No matching provider found or models removed entirely; drop any prior registration.
+				GlobalModelRegistry().UnregisterClient(a.ID)
+				return
+			}
 		}
 	}
 	if len(models) > 0 {
--- a/sdk/config/config.go
+++ b/sdk/config/config.go
@@ -0,0 +1,82 @@
+// Package config provides configuration management for the CLI Proxy API server.
+// It handles loading and parsing YAML configuration files, and provides structured
+// access to application settings including server port, authentication directory,
+// debug settings, proxy configuration, and API keys.
+package config
+
+// SDKConfig represents the application's configuration, loaded from a YAML file.
+type SDKConfig struct {
+	// ProxyURL is the URL of an optional proxy server to use for outbound requests.
+	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
+
+	// RequestLog enables or disables detailed request logging functionality.
+	RequestLog bool `yaml:"request-log" json:"request-log"`
+
+	// APIKeys is a list of keys for authenticating clients to this proxy server.
+	APIKeys []string `yaml:"api-keys" json:"api-keys"`
+
+	// Access holds request authentication provider configuration.
+	Access AccessConfig `yaml:"auth,omitempty" json:"auth,omitempty"`
+}
+
+// AccessConfig groups request authentication providers.
+type AccessConfig struct {
+	// Providers lists configured authentication providers.
+	Providers []AccessProvider `yaml:"providers,omitempty" json:"providers,omitempty"`
+}
+
+// AccessProvider describes a request authentication provider entry.
+type AccessProvider struct {
+	// Name is the instance identifier for the provider.
+	Name string `yaml:"name" json:"name"`
+
+	// Type selects the provider implementation registered via the SDK.
+	Type string `yaml:"type" json:"type"`
+
+	// SDK optionally names a third-party SDK module providing this provider.
+	SDK string `yaml:"sdk,omitempty" json:"sdk,omitempty"`
+
+	// APIKeys lists inline keys for providers that require them.
+	APIKeys []string `yaml:"api-keys,omitempty" json:"api-keys,omitempty"`
+
+	// Config passes provider-specific options to the implementation.
+	Config map[string]any `yaml:"config,omitempty" json:"config,omitempty"`
+}
+
+const (
+	// AccessProviderTypeConfigAPIKey is the built-in provider validating inline API keys.
+	AccessProviderTypeConfigAPIKey = "config-api-key"
+
+	// DefaultAccessProviderName is applied when no provider name is supplied.
+	DefaultAccessProviderName = "config-inline"
+)
+
+// ConfigAPIKeyProvider returns the first inline API key provider if present.
+func (c *SDKConfig) ConfigAPIKeyProvider() *AccessProvider {
+	if c == nil {
+		return nil
+	}
+	for i := range c.Access.Providers {
+		if c.Access.Providers[i].Type == AccessProviderTypeConfigAPIKey {
+			if c.Access.Providers[i].Name == "" {
+				c.Access.Providers[i].Name = DefaultAccessProviderName
+			}
+			return &c.Access.Providers[i]
+		}
+	}
+	return nil
+}
+
+// MakeInlineAPIKeyProvider constructs an inline API key provider configuration.
+// It returns nil when no keys are supplied.
+func MakeInlineAPIKeyProvider(keys []string) *AccessProvider {
+	if len(keys) == 0 {
+		return nil
+	}
+	provider := &AccessProvider{
+		Name:    DefaultAccessProviderName,
+		Type:    AccessProviderTypeConfigAPIKey,
+		APIKeys: append([]string(nil), keys...),
+	}
+	return provider
+}