feat(auth): enhance DoLogin to include Gemini CLI user onboarding flow

- Integrated Gemini CLI user setup into the `DoLogin` flow for streamlined authentication.
- Added project selection handling, automatic project detection, and validation of Cloud AI API enablement.
- Implemented new helper functions for Gemini CLI operations, project fetching, and onboarding logic.
- Enhanced token storage and metadata updates for better user and project management.

README.md

@@ -282,11 +282,6 @@ The server uses a YAML configuration file (`config.yaml`) located in the project
 | `debug`                                 | boolean  | false              | Enable debug mode for verbose logging.                                                                                                                                                    |
 | `logging-to-file`                       | boolean  | true               | Write application logs to rotating files instead of stdout. Set to `false` to log to stdout/stderr.                                                                                      |
 | `usage-statistics-enabled`              | boolean  | true               | Enable in-memory usage aggregation for management APIs. Disable to drop all collected usage metrics.                                                                                    |
-| `auth`                                  | object   | {}                 | Request authentication configuration.                                                                                                                                                     |
-| `auth.providers`                        | object[] | []                 | Authentication providers. Includes built-in `config-api-key` for inline keys.                                                                                                             |
-| `auth.providers.*.name`                 | string   | ""                 | Provider instance name.                                                                                                                                                                   |
-| `auth.providers.*.type`                 | string   | ""                 | Provider implementation identifier (for example `config-api-key`).                                                                                                                        |
-| `auth.providers.*.api-keys`             | string[] | []                 | Inline API keys consumed by the `config-api-key` provider.                                                                                                                                |
 | `api-keys`                              | string[] | []                 | Legacy shorthand for inline API keys. Values are mirrored into the `config-api-key` provider for backwards compatibility.                                                                 |
 | `generative-language-api-key`           | string[] | []                 | List of Generative Language API keys.                                                                                                                                                     |
 | `codex-api-key`                         | object   | {}                 | List of Codex API keys.                                                                                                                                                                   |
@@ -354,15 +349,6 @@ gemini-web:
   code-mode: false # Enable code mode
   max-chars-per-request: 1000000 # Max characters per request
 
-# Request authentication providers
-auth:
-  providers:
-    - name: "default"
-      type: "config-api-key"
-      api-keys:
-        - "your-api-key-1"
-        - "your-api-key-2"
-
 # API keys for official Generative Language API
 generative-language-api-key:
   - "AIzaSy...01"

README_CN.md

@@ -294,11 +294,6 @@ console.log(await claudeResponse.json());
 | `debug`                                 | boolean  | false              | 启用调试模式以获取详细日志。                                                      |
 | `logging-to-file`                       | boolean  | true               | 是否将应用日志写入滚动文件；设为 false 时输出到 stdout/stderr。                           |
 | `usage-statistics-enabled`              | boolean  | true               | 是否启用内存中的使用统计；设为 false 时直接丢弃所有统计数据。                               |
-| `auth`                                  | object   | {}                 | 请求鉴权配置。                                                                  |
-| `auth.providers`                        | object[] | []                 | 鉴权提供方列表，内置 `config-api-key` 支持内联密钥。                             |
-| `auth.providers.*.name`                 | string   | ""                 | 提供方实例名称。                                                                |
-| `auth.providers.*.type`                 | string   | ""                 | 提供方实现标识（例如 `config-api-key`）。                                       |
-| `auth.providers.*.api-keys`             | string[] | []                 | `config-api-key` 提供方使用的内联密钥。                                          |
 | `api-keys`                              | string[] | []                 | 兼容旧配置的简写，会自动同步到默认 `config-api-key` 提供方。                     |
 | `generative-language-api-key`           | string[] | []                 | 生成式语言API密钥列表。                                                       |
 | `codex-api-key`                         | object   | {}                 | Codex API密钥列表。                                                      |
@@ -366,15 +361,6 @@ gemini-web:
   code-mode: false # 启用代码模式
   max-chars-per-request: 1000000 # 单次请求最大字符数
 
-# 请求鉴权提供方
-auth:
-  providers:
-    - name: "default"
-      type: "config-api-key"
-      api-keys:
-        - "your-api-key-1"
-        - "your-api-key-2"
-
 # AIStduio Gemini API 的 API 密钥
 generative-language-api-key:
   - "AIzaSy...01"

cmd/server/main.go

@@ -8,8 +8,8 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 
+	configaccess "github.com/router-for-me/CLIProxyAPI/v6/internal/access/config_access"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/cmd"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
@@ -67,7 +67,7 @@ func main() {
 				return
 			}
 			s := fmt.Sprintf("  -%s", f.Name)
-			name, usage := flag.UnquoteUsage(f)
+			name, unquoteUsage := flag.UnquoteUsage(f)
 			if name != "" {
 				s += " " + name
 			}
@@ -76,8 +76,8 @@ func main() {
 			} else {
 				s += "\n    "
 			}
-			if usage != "" {
-				s += usage
+			if unquoteUsage != "" {
+				s += unquoteUsage
 			}
 			if f.DefValue != "" && f.DefValue != "false" && f.DefValue != "0" {
 				s += fmt.Sprintf(" (default %s)", f.DefValue)
@@ -123,22 +123,10 @@ func main() {
 	// Set the log level based on the configuration.
 	util.SetLogLevel(cfg)
 
-	// Expand the tilde (~) in the auth directory path to the user's home directory.
-	if strings.HasPrefix(cfg.AuthDir, "~") {
-		home, errUserHomeDir := os.UserHomeDir()
-		if errUserHomeDir != nil {
-			log.Fatalf("failed to get home directory: %v", errUserHomeDir)
-		}
-		// Reconstruct the path by replacing the tilde with the user's home directory.
-		remainder := strings.TrimPrefix(cfg.AuthDir, "~")
-		remainder = strings.TrimLeft(remainder, "/\\")
-		if remainder == "" {
-			cfg.AuthDir = home
-		} else {
-			// Normalize any slash style in the remainder so Windows paths keep nested directories.
-			normalized := strings.ReplaceAll(remainder, "\\", "/")
-			cfg.AuthDir = filepath.Join(home, filepath.FromSlash(normalized))
-		}
+	if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir); errResolveAuthDir != nil {
+		log.Fatalf("failed to resolve auth directory: %v", errResolveAuthDir)
+	} else {
+		cfg.AuthDir = resolvedAuthDir
 	}
 
 	// Create login options to be used in authentication flows.
@@ -149,6 +137,9 @@ func main() {
 	// Register the shared token store once so all components use the same persistence backend.
 	sdkAuth.RegisterTokenStore(sdkAuth.NewFileTokenStore())
 
+	// Register built-in access providers before constructing services.
+	configaccess.Register()
+
 	// Handle different command modes based on the provided flags.
 
 	if login {

config.example.yaml

@@ -15,14 +15,19 @@ remote-management:
 # Authentication directory (supports ~ for home directory)
 auth-dir: "~/.cli-proxy-api"
 
+# API keys for authentication
+api-keys:
+  - "your-api-key-1"
+  - "your-api-key-2"
+
 # Enable debug logging
 debug: false
 
 # When true, write application logs to rotating files instead of stdout
-logging-to-file: true
+logging-to-file: false
 
 # When false, disable in-memory usage statistics aggregation
-usage-statistics-enabled: true
+usage-statistics-enabled: false
 
 # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""
@@ -35,58 +40,49 @@ quota-exceeded:
   switch-project: true # Whether to automatically switch to another project when a quota is exceeded
   switch-preview-model: true # Whether to automatically switch to a preview model when a quota is exceeded
 
-# Request authentication providers
-auth:
-  providers:
-    - name: "default"
-      type: "config-api-key"
-      api-keys:
-        - "your-api-key-1"
-        - "your-api-key-2"
-
 # API keys for official Generative Language API
-generative-language-api-key:
-  - "AIzaSy...01"
-  - "AIzaSy...02"
-  - "AIzaSy...03"
-  - "AIzaSy...04"
+#generative-language-api-key:
+#  - "AIzaSy...01"
+#  - "AIzaSy...02"
+#  - "AIzaSy...03"
+#  - "AIzaSy...04"
 
 # Codex API keys
-codex-api-key:
-  - api-key: "sk-atSM..."
-    base-url: "https://www.example.com" # use the custom codex API endpoint
+#codex-api-key:
+#  - api-key: "sk-atSM..."
+#    base-url: "https://www.example.com" # use the custom codex API endpoint
 
 # Claude API keys
-claude-api-key:
-  - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
-  - api-key: "sk-atSM..."
-    base-url: "https://www.example.com" # use the custom claude API endpoint
+#claude-api-key:
+#  - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
+#  - api-key: "sk-atSM..."
+#    base-url: "https://www.example.com" # use the custom claude API endpoint
 
 # OpenAI compatibility providers
-openai-compatibility:
-  - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
-    base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
-    api-keys: # The API keys for the provider. Add multiple keys if needed. Omit if unauthenticated access is allowed.
-      - "sk-or-v1-...b780"
-      - "sk-or-v1-...b781"
-    models: # The models supported by the provider.
-      - name: "moonshotai/kimi-k2:free" # The actual model name.
-        alias: "kimi-k2" # The alias used in the API.
+#openai-compatibility:
+#  - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
+#    base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
+#    api-keys: # The API keys for the provider. Add multiple keys if needed. Omit if unauthenticated access is allowed.
+#      - "sk-or-v1-...b780"
+#      - "sk-or-v1-...b781"
+#    models: # The models supported by the provider.
+#      - name: "moonshotai/kimi-k2:free" # The actual model name.
+#        alias: "kimi-k2" # The alias used in the API.
 
 # Gemini Web settings
-gemini-web:
-    # Conversation reuse: set to true to enable (default), false to disable.
-    context: true
-    # Maximum characters per single request to Gemini Web. Requests exceeding this
-    # size split into chunks. Only the last chunk carries files and yields the final answer.
-    max-chars-per-request: 1000000
-    # Disable the short continuation hint appended to intermediate chunks
-    # when splitting long prompts. Default is false (hint enabled by default).
-    disable-continuation-hint: false
-    # Code mode:
-    #   - true: enable XML wrapping hint and attach the coding-partner Gem.
-    #           Thought merging (<think> into visible content) applies to STREAMING only;
-    #           non-stream responses keep reasoning/thought parts separate for clients
-    #           that expect explicit reasoning fields.
-    #   - false: disable XML hint and keep <think> separate
-    code-mode: false
+#gemini-web:
+#    # Conversation reuse: set to true to enable (default), false to disable.
+#    context: true
+#    # Maximum characters per single request to Gemini Web. Requests exceeding this
+#    # size split into chunks. Only the last chunk carries files and yields the final answer.
+#    max-chars-per-request: 1000000
+#    # Disable the short continuation hint appended to intermediate chunks
+#    # when splitting long prompts. Default is false (hint enabled by default).
+#    disable-continuation-hint: false
+#    # Code mode:
+#    #   - true: enable XML wrapping hint and attach the coding-partner Gem.
+#    #           Thought merging (<think> into visible content) applies to STREAMING only;
+#    #           non-stream responses keep reasoning/thought parts separate for clients
+#    #           that expect explicit reasoning fields.
+#    #   - false: disable XML hint and keep <think> separate
+#    code-mode: false

examples/custom-provider/main.go

@@ -160,11 +160,7 @@ func main() {
 	if dirSetter, ok := tokenStore.(interface{ SetBaseDir(string) }); ok {
 		dirSetter.SetBaseDir(cfg.AuthDir)
 	}
-	store, ok := tokenStore.(coreauth.Store)
-	if !ok {
-		panic("token store does not implement coreauth.Store")
-	}
-	core := coreauth.NewManager(store, nil, nil)
+	core := coreauth.NewManager(tokenStore, nil, nil)
 	core.RegisterExecutor(MyExecutor{})
 
 	hooks := cliproxy.Hooks{

internal/access/config_access/provider.go

@@ -1,27 +1,33 @@
-package configapikey
+package configaccess
 
 import (
 	"context"
 	"net/http"
 	"strings"
+	"sync"
 
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 )
 
+var registerOnce sync.Once
+
+// Register ensures the config-access provider is available to the access manager.
+func Register() {
+	registerOnce.Do(func() {
+		sdkaccess.RegisterProvider(sdkconfig.AccessProviderTypeConfigAPIKey, newProvider)
+	})
+}
+
 type provider struct {
 	name string
 	keys map[string]struct{}
 }
 
-func init() {
-	sdkaccess.RegisterProvider(config.AccessProviderTypeConfigAPIKey, newProvider)
-}
-
-func newProvider(cfg *config.AccessProvider, _ *config.Config) (sdkaccess.Provider, error) {
+func newProvider(cfg *sdkconfig.AccessProvider, _ *sdkconfig.SDKConfig) (sdkaccess.Provider, error) {
 	name := cfg.Name
 	if name == "" {
-		name = config.DefaultAccessProviderName
+		name = sdkconfig.DefaultAccessProviderName
 	}
 	keys := make(map[string]struct{}, len(cfg.APIKeys))
 	for _, key := range cfg.APIKeys {
@@ -35,7 +41,7 @@ func newProvider(cfg *config.AccessProvider, _ *config.Config) (sdkaccess.Provid
 
 func (p *provider) Identifier() string {
 	if p == nil || p.name == "" {
-		return config.DefaultAccessProviderName
+		return sdkconfig.DefaultAccessProviderName
 	}
 	return p.name
 }

internal/access/reconcile.go

@@ -1,23 +1,27 @@
 package access
 
 import (
+	"fmt"
 	"reflect"
 	"sort"
 	"strings"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	sdkConfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
+	log "github.com/sirupsen/logrus"
 )
 
 // ReconcileProviders builds the desired provider list by reusing existing providers when possible
 // and creating or removing providers only when their configuration changed. It returns the final
 // ordered provider slice along with the identifiers of providers that were added, updated, or
 // removed compared to the previous configuration.
-func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (result []Provider, added, updated, removed []string, err error) {
+func ReconcileProviders(oldCfg, newCfg *config.Config, existing []sdkaccess.Provider) (result []sdkaccess.Provider, added, updated, removed []string, err error) {
 	if newCfg == nil {
 		return nil, nil, nil, nil, nil
 	}
 
-	existingMap := make(map[string]Provider, len(existing))
+	existingMap := make(map[string]sdkaccess.Provider, len(existing))
 	for _, provider := range existing {
 		if provider == nil {
 			continue
@@ -28,11 +32,11 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 	oldCfgMap := accessProviderMap(oldCfg)
 	newEntries := collectProviderEntries(newCfg)
 
-	result = make([]Provider, 0, len(newEntries))
+	result = make([]sdkaccess.Provider, 0, len(newEntries))
 	finalIDs := make(map[string]struct{}, len(newEntries))
 
 	isInlineProvider := func(id string) bool {
-		return strings.EqualFold(id, config.DefaultAccessProviderName)
+		return strings.EqualFold(id, sdkConfig.DefaultAccessProviderName)
 	}
 	appendChange := func(list *[]string, id string) {
 		if isInlineProvider(id) {
@@ -58,7 +62,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 			}
 		}
 
-		provider, buildErr := buildProvider(providerCfg, newCfg)
+		provider, buildErr := sdkaccess.BuildProvider(providerCfg, &newCfg.SDKConfig)
 		if buildErr != nil {
 			return nil, nil, nil, nil, buildErr
 		}
@@ -76,7 +80,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 	}
 
 	if len(result) == 0 && len(newCfg.APIKeys) > 0 {
-		config.SyncInlineAPIKeys(newCfg, newCfg.APIKeys)
+		sdkConfig.SyncInlineAPIKeys(&newCfg.SDKConfig, newCfg.APIKeys)
 		if providerCfg := newCfg.ConfigAPIKeyProvider(); providerCfg != nil {
 			key := providerIdentifier(providerCfg)
 			if key != "" {
@@ -86,7 +90,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 						if existingProvider, okExisting := existingMap[key]; okExisting {
 							result = append(result, existingProvider)
 						} else {
-							provider, buildErr := buildProvider(providerCfg, newCfg)
+							provider, buildErr := sdkaccess.BuildProvider(providerCfg, &newCfg.SDKConfig)
 							if buildErr != nil {
 								return nil, nil, nil, nil, buildErr
 							}
@@ -98,7 +102,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 							result = append(result, provider)
 						}
 					} else {
-						provider, buildErr := buildProvider(providerCfg, newCfg)
+						provider, buildErr := sdkaccess.BuildProvider(providerCfg, &newCfg.SDKConfig)
 						if buildErr != nil {
 							return nil, nil, nil, nil, buildErr
 						}
@@ -110,7 +114,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 						result = append(result, provider)
 					}
 				} else {
-					provider, buildErr := buildProvider(providerCfg, newCfg)
+					provider, buildErr := sdkaccess.BuildProvider(providerCfg, &newCfg.SDKConfig)
 					if buildErr != nil {
 						return nil, nil, nil, nil, buildErr
 					}
@@ -144,8 +148,35 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 	return result, added, updated, removed, nil
 }
 
-func accessProviderMap(cfg *config.Config) map[string]*config.AccessProvider {
-	result := make(map[string]*config.AccessProvider)
+// ApplyAccessProviders reconciles the configured access providers against the
+// currently registered providers and updates the manager. It logs a concise
+// summary of the detected changes and returns whether any provider changed.
+func ApplyAccessProviders(manager *sdkaccess.Manager, oldCfg, newCfg *config.Config) (bool, error) {
+	if manager == nil || newCfg == nil {
+		return false, nil
+	}
+
+	existing := manager.Providers()
+	providers, added, updated, removed, err := ReconcileProviders(oldCfg, newCfg, existing)
+	if err != nil {
+		log.Errorf("failed to reconcile request auth providers: %v", err)
+		return false, fmt.Errorf("reconciling access providers: %w", err)
+	}
+
+	manager.SetProviders(providers)
+
+	if len(added)+len(updated)+len(removed) > 0 {
+		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
+		log.Debugf("auth providers changes details - added=%v updated=%v removed=%v", added, updated, removed)
+		return true, nil
+	}
+
+	log.Debug("auth providers unchanged after config update")
+	return false, nil
+}
+
+func accessProviderMap(cfg *config.Config) map[string]*sdkConfig.AccessProvider {
+	result := make(map[string]*sdkConfig.AccessProvider)
 	if cfg == nil {
 		return result
 	}
@@ -170,11 +201,8 @@ func accessProviderMap(cfg *config.Config) map[string]*config.AccessProvider {
 	return result
 }
 
-func collectProviderEntries(cfg *config.Config) []*config.AccessProvider {
-	entries := make([]*config.AccessProvider, 0, len(cfg.Access.Providers))
-	if cfg == nil {
-		return entries
-	}
+func collectProviderEntries(cfg *config.Config) []*sdkConfig.AccessProvider {
+	entries := make([]*sdkConfig.AccessProvider, 0, len(cfg.Access.Providers))
 	for i := range cfg.Access.Providers {
 		providerCfg := &cfg.Access.Providers[i]
 		if providerCfg.Type == "" {
@@ -187,7 +215,7 @@ func collectProviderEntries(cfg *config.Config) []*config.AccessProvider {
 	return entries
 }
 
-func providerIdentifier(provider *config.AccessProvider) string {
+func providerIdentifier(provider *sdkConfig.AccessProvider) string {
 	if provider == nil {
 		return ""
 	}
@@ -198,13 +226,13 @@ func providerIdentifier(provider *config.AccessProvider) string {
 	if typ == "" {
 		return ""
 	}
-	if strings.EqualFold(typ, config.AccessProviderTypeConfigAPIKey) {
-		return config.DefaultAccessProviderName
+	if strings.EqualFold(typ, sdkConfig.AccessProviderTypeConfigAPIKey) {
+		return sdkConfig.DefaultAccessProviderName
 	}
 	return typ
 }
 
-func providerConfigEqual(a, b *config.AccessProvider) bool {
+func providerConfigEqual(a, b *sdkConfig.AccessProvider) bool {
 	if a == nil || b == nil {
 		return a == nil && b == nil
 	}

internal/api/handlers/management/auth_files.go

@@ -344,7 +344,7 @@ func (h *Handler) disableAuth(ctx context.Context, id string) {
 	}
 }
 
-func (h *Handler) saveTokenRecord(ctx context.Context, record *sdkAuth.TokenRecord) (string, error) {
+func (h *Handler) saveTokenRecord(ctx context.Context, record *coreauth.Auth) (string, error) {
 	if record == nil {
 		return "", fmt.Errorf("token record is nil")
 	}
@@ -353,7 +353,12 @@ func (h *Handler) saveTokenRecord(ctx context.Context, record *sdkAuth.TokenReco
 		store = sdkAuth.GetTokenStore()
 		h.tokenStore = store
 	}
-	return store.Save(ctx, h.cfg, record)
+	if h.cfg != nil {
+		if dirSetter, ok := store.(interface{ SetBaseDir(string) }); ok {
+			dirSetter.SetBaseDir(h.cfg.AuthDir)
+		}
+	}
+	return store.Save(ctx, record)
 }
 
 func (h *Handler) RequestAnthropicToken(c *gin.Context) {
@@ -449,7 +454,7 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 		}
 		bodyJSON, _ := json.Marshal(bodyMap)
 
-		httpClient := util.SetProxy(h.cfg, &http.Client{})
+		httpClient := util.SetProxy(&h.cfg.SDKConfig, &http.Client{})
 		req, _ := http.NewRequestWithContext(ctx, "POST", "https://console.anthropic.com/v1/oauth/token", strings.NewReader(string(bodyJSON)))
 		req.Header.Set("Content-Type", "application/json")
 		req.Header.Set("Accept", "application/json")
@@ -496,11 +501,12 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 
 		// Create token storage
 		tokenStorage := anthropicAuth.CreateTokenStorage(bundle)
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("claude-%s.json", tokenStorage.Email),
 			Provider: "claude",
 			FileName: fmt.Sprintf("claude-%s.json", tokenStorage.Email),
 			Storage:  tokenStorage,
-			Metadata: map[string]string{"email": tokenStorage.Email},
+			Metadata: map[string]any{"email": tokenStorage.Email},
 		}
 		savedPath, errSave := h.saveTokenRecord(ctx, record)
 		if errSave != nil {
@@ -659,11 +665,12 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 		}
 		fmt.Println("Authentication successful.")
 
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("gemini-%s.json", ts.Email),
 			Provider: "gemini",
 			FileName: fmt.Sprintf("gemini-%s.json", ts.Email),
 			Storage:  &ts,
-			Metadata: map[string]string{
+			Metadata: map[string]any{
 				"email":      ts.Email,
 				"project_id": ts.ProjectID,
 			},
@@ -724,7 +731,8 @@ func (h *Handler) CreateGeminiWebToken(c *gin.Context) {
 	// Provide a stable label (gemini-web-<hash>) for logging and identification
 	tokenStorage.Label = strings.TrimSuffix(fileName, ".json")
 
-	record := &sdkAuth.TokenRecord{
+	record := &coreauth.Auth{
+		ID:       fileName,
 		Provider: "gemini-web",
 		FileName: fileName,
 		Storage:  tokenStorage,
@@ -818,7 +826,7 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 			"redirect_uri":  {"http://localhost:1455/auth/callback"},
 			"code_verifier": {pkceCodes.CodeVerifier},
 		}
-		httpClient := util.SetProxy(h.cfg, &http.Client{})
+		httpClient := util.SetProxy(&h.cfg.SDKConfig, &http.Client{})
 		req, _ := http.NewRequestWithContext(ctx, "POST", "https://auth.openai.com/oauth/token", strings.NewReader(form.Encode()))
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 		req.Header.Set("Accept", "application/json")
@@ -869,11 +877,12 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 
 		// Create token storage and persist
 		tokenStorage := openaiAuth.CreateTokenStorage(bundle)
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("codex-%s.json", tokenStorage.Email),
 			Provider: "codex",
 			FileName: fmt.Sprintf("codex-%s.json", tokenStorage.Email),
 			Storage:  tokenStorage,
-			Metadata: map[string]string{
+			Metadata: map[string]any{
 				"email":      tokenStorage.Email,
 				"account_id": tokenStorage.AccountID,
 			},
@@ -926,11 +935,12 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 		tokenStorage := qwenAuth.CreateTokenStorage(tokenData)
 
 		tokenStorage.Email = fmt.Sprintf("qwen-%d", time.Now().UnixMilli())
-		record := &sdkAuth.TokenRecord{
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("qwen-%s.json", tokenStorage.Email),
 			Provider: "qwen",
 			FileName: fmt.Sprintf("qwen-%s.json", tokenStorage.Email),
 			Storage:  tokenStorage,
-			Metadata: map[string]string{"email": tokenStorage.Email},
+			Metadata: map[string]any{"email": tokenStorage.Email},
 		}
 		savedPath, errSave := h.saveTokenRecord(ctx, record)
 		if errSave != nil {

internal/api/handlers/management/config_lists.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkConfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 )
 
 // Generic helpers for list[string]
@@ -106,13 +107,13 @@ func (h *Handler) deleteFromStringList(c *gin.Context, target *[]string, after f
 // api-keys
 func (h *Handler) GetAPIKeys(c *gin.Context) { c.JSON(200, gin.H{"api-keys": h.cfg.APIKeys}) }
 func (h *Handler) PutAPIKeys(c *gin.Context) {
-	h.putStringList(c, func(v []string) { config.SyncInlineAPIKeys(h.cfg, v) }, nil)
+	h.putStringList(c, func(v []string) { sdkConfig.SyncInlineAPIKeys(&h.cfg.SDKConfig, v) }, nil)
 }
 func (h *Handler) PatchAPIKeys(c *gin.Context) {
-	h.patchStringList(c, &h.cfg.APIKeys, func() { config.SyncInlineAPIKeys(h.cfg, h.cfg.APIKeys) })
+	h.patchStringList(c, &h.cfg.APIKeys, func() { sdkConfig.SyncInlineAPIKeys(&h.cfg.SDKConfig, h.cfg.APIKeys) })
 }
 func (h *Handler) DeleteAPIKeys(c *gin.Context) {
-	h.deleteFromStringList(c, &h.cfg.APIKeys, func() { config.SyncInlineAPIKeys(h.cfg, h.cfg.APIKeys) })
+	h.deleteFromStringList(c, &h.cfg.APIKeys, func() { sdkConfig.SyncInlineAPIKeys(&h.cfg.SDKConfig, h.cfg.APIKeys) })
 }
 
 // generative-language-api-key

internal/api/handlers/management/handler.go

@@ -33,7 +33,7 @@ type Handler struct {
 	failedAttempts map[string]*attemptInfo // keyed by client IP
 	authManager    *coreauth.Manager
 	usageStats     *usage.RequestStatistics
-	tokenStore     sdkAuth.TokenStore
+	tokenStore     coreauth.Store
 
 	localPassword string
 }

internal/api/server.go

@@ -16,17 +16,18 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/claude"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/gemini"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/access"
 	managementHandlers "github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/management"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers/openai"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/middleware"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/claude"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/gemini"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/openai"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )
@@ -187,7 +188,7 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 	// Create server instance
 	s := &Server{
 		engine:         engine,
-		handlers:       handlers.NewBaseAPIHandlers(cfg, authManager),
+		handlers:       handlers.NewBaseAPIHandlers(&cfg.SDKConfig, authManager),
 		cfg:            cfg,
 		accessManager:  accessManager,
 		requestLogger:  requestLogger,
@@ -551,19 +552,9 @@ func (s *Server) applyAccessConfig(oldCfg, newCfg *config.Config) {
 	if s == nil || s.accessManager == nil || newCfg == nil {
 		return
 	}
-	existing := s.accessManager.Providers()
-	providers, added, updated, removed, err := sdkaccess.ReconcileProviders(oldCfg, newCfg, existing)
-	if err != nil {
-		log.Errorf("failed to reconcile request auth providers: %v", err)
+	if _, err := access.ApplyAccessProviders(s.accessManager, oldCfg, newCfg); err != nil {
 		return
 	}
-	s.accessManager.SetProviders(providers)
-	if len(added)+len(updated)+len(removed) > 0 {
-		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
-		log.Debugf("auth provider changes details - added=%v updated=%v removed=%v", added, updated, removed)
-	} else {
-		log.Debug("auth providers unchanged after config update")
-	}
 }
 
 // UpdateClients updates the server's client list and configuration.
@@ -622,7 +613,7 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 
 	s.applyAccessConfig(oldCfg, cfg)
 	s.cfg = cfg
-	s.handlers.UpdateClients(cfg)
+	s.handlers.UpdateClients(&cfg.SDKConfig)
 	if s.mgmt != nil {
 		s.mgmt.SetConfig(cfg)
 		s.mgmt.SetAuthManager(s.handlers.AuthManager)

internal/auth/claude/anthropic_auth.go

@@ -59,7 +59,7 @@ type ClaudeAuth struct {
 //   - *ClaudeAuth: A new Claude authentication service instance
 func NewClaudeAuth(cfg *config.Config) *ClaudeAuth {
 	return &ClaudeAuth{
-		httpClient: util.SetProxy(cfg, &http.Client{}),
+		httpClient: util.SetProxy(&cfg.SDKConfig, &http.Client{}),
 	}
 }
 

internal/auth/codex/openai_auth.go

@@ -37,7 +37,7 @@ type CodexAuth struct {
 // It initializes an HTTP client with proxy settings from the provided configuration.
 func NewCodexAuth(cfg *config.Config) *CodexAuth {
 	return &CodexAuth{
-		httpClient: util.SetProxy(cfg, &http.Client{}),
+		httpClient: util.SetProxy(&cfg.SDKConfig, &http.Client{}),
 	}
 }
 

internal/auth/qwen/qwen_auth.go

@@ -85,7 +85,7 @@ type QwenAuth struct {
 // NewQwenAuth creates a new QwenAuth instance with a proxy-configured HTTP client.
 func NewQwenAuth(cfg *config.Config) *QwenAuth {
 	return &QwenAuth{
-		httpClient: util.SetProxy(cfg, &http.Client{}),
+		httpClient: util.SetProxy(&cfg.SDKConfig, &http.Client{}),
 	}
 }
 

internal/cmd/gemini-web_auth.go

@@ -18,6 +18,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
 
 // banner prints a simple ASCII banner for clarity without ANSI colors.
@@ -75,7 +76,7 @@ func DoGeminiWebAuth(cfg *config.Config) {
 
 			// Build HTTP client with proxy settings respected.
 			httpClient := &http.Client{Timeout: 15 * time.Second}
-			httpClient = util.SetProxy(cfg, httpClient)
+			httpClient = util.SetProxy(&cfg.SDKConfig, httpClient)
 
 			// Request ListAccounts to extract email as label (use POST per upstream behavior).
 			req, err := http.NewRequest(http.MethodPost, "https://accounts.google.com/ListAccounts", nil)
@@ -88,8 +89,8 @@ func DoGeminiWebAuth(cfg *config.Config) {
 				req.Header.Set("Origin", "https://accounts.google.com")
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8")
 
-				resp, err := httpClient.Do(req)
-				if err != nil {
+				resp, errDo := httpClient.Do(req)
+				if errDo != nil {
 					fmt.Println("!! Request to ListAccounts failed:", err)
 				} else {
 					defer func() { _ = resp.Body.Close() }()
@@ -173,13 +174,19 @@ func DoGeminiWebAuth(cfg *config.Config) {
 		Secure1PSIDTS: secure1psidts,
 		Label:         label,
 	}
-	record := &sdkAuth.TokenRecord{
+	record := &coreauth.Auth{
+		ID:       fileName,
 		Provider: "gemini-web",
 		FileName: fileName,
 		Storage:  tokenStorage,
 	}
 	store := sdkAuth.GetTokenStore()
-	savedPath, err := store.Save(context.Background(), cfg, record)
+	if cfg != nil {
+		if dirSetter, ok := store.(interface{ SetBaseDir(string) }); ok {
+			dirSetter.SetBaseDir(cfg.AuthDir)
+		}
+	}
+	savedPath, err := store.Save(context.Background(), record)
 	if err != nil {
 		fmt.Println("!! Failed to save Gemini Web token to file:", err)
 		return

internal/cmd/login.go

@@ -4,18 +4,44 @@
 package cmd
 
 import (
+	"bufio"
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
 
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
+	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
+	"github.com/tidwall/gjson"
 )
 
+const (
+	geminiCLIEndpoint       = "https://cloudcode-pa.googleapis.com"
+	geminiCLIVersion        = "v1internal"
+	geminiCLIUserAgent      = "google-api-nodejs-client/9.15.1"
+	geminiCLIApiClient      = "gl-node/22.17.0"
+	geminiCLIClientMetadata = "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI"
+)
+
+type projectSelectionRequiredError struct{}
+
+func (e *projectSelectionRequiredError) Error() string {
+	return "gemini cli: project selection required"
+}
+
 // DoLogin handles Google Gemini authentication using the shared authentication manager.
-// It initiates the OAuth flow for Google Gemini services and saves the authentication
-// tokens to the configured auth directory.
+// It initiates the OAuth flow for Google Gemini services, performs the legacy CLI user setup,
+// and saves the authentication tokens to the configured auth directory.
 //
 // Parameters:
 //   - cfg: The application configuration
@@ -26,38 +52,78 @@ func DoLogin(cfg *config.Config, projectID string, options *LoginOptions) {
 		options = &LoginOptions{}
 	}
 
-	manager := newAuthManager()
+	ctx := context.Background()
 
-	metadata := map[string]string{}
-	if projectID != "" {
-		metadata["project_id"] = projectID
-	}
-
-	authOpts := &sdkAuth.LoginOptions{
+	loginOpts := &sdkAuth.LoginOptions{
 		NoBrowser: options.NoBrowser,
-		ProjectID: projectID,
-		Metadata:  metadata,
+		ProjectID: strings.TrimSpace(projectID),
+		Metadata:  map[string]string{},
 		Prompt:    options.Prompt,
 	}
 
-	_, savedPath, err := manager.Login(context.Background(), "gemini", cfg, authOpts)
-	if err != nil {
-		var selectionErr *sdkAuth.ProjectSelectionError
-		if errors.As(err, &selectionErr) {
-			fmt.Println(selectionErr.Error())
-			projects := selectionErr.ProjectsDisplay()
-			if len(projects) > 0 {
-				fmt.Println("========================================================================")
-				for _, p := range projects {
-					fmt.Printf("Project ID: %s\n", p.ProjectID)
-					fmt.Printf("Project Name: %s\n", p.Name)
-					fmt.Println("------------------------------------------------------------------------")
-				}
-				fmt.Println("Please rerun the login command with --project_id <project_id>.")
+	authenticator := sdkAuth.NewGeminiAuthenticator()
+	record, errLogin := authenticator.Login(ctx, cfg, loginOpts)
+	if errLogin != nil {
+		log.Fatalf("Gemini authentication failed: %v", errLogin)
+		return
+	}
+
+	storage, okStorage := record.Storage.(*gemini.GeminiTokenStorage)
+	if !okStorage || storage == nil {
+		log.Fatal("Gemini authentication failed: unsupported token storage")
+		return
+	}
+
+	geminiAuth := gemini.NewGeminiAuth()
+	httpClient, errClient := geminiAuth.GetAuthenticatedClient(ctx, storage, cfg, options.NoBrowser)
+	if errClient != nil {
+		log.Fatalf("Gemini authentication failed: %v", errClient)
+		return
+	}
+
+	log.Info("Authentication successful.")
+
+	if errSetup := performGeminiCLISetup(ctx, httpClient, storage, strings.TrimSpace(projectID)); errSetup != nil {
+		var projectErr *projectSelectionRequiredError
+		if errors.As(errSetup, &projectErr) {
+			log.Error("Failed to start user onboarding: A project ID is required.")
+			projects, errProjects := fetchGCPProjects(ctx, httpClient)
+			if errProjects != nil {
+				log.Fatalf("Failed to get project list: %v", errProjects)
+				return
 			}
+			showProjectSelectionHelp(storage.Email, projects)
 			return
 		}
-		log.Fatalf("Gemini authentication failed: %v", err)
+		log.Fatalf("Failed to complete user setup: %v", errSetup)
+		return
+	}
+
+	storage.Auto = strings.TrimSpace(projectID) == ""
+
+	if !storage.Auto && !storage.Checked {
+		isChecked, errCheck := checkCloudAPIIsEnabled(ctx, httpClient, storage.ProjectID)
+		if errCheck != nil {
+			log.Fatalf("Failed to check if Cloud AI API is enabled: %v", errCheck)
+			return
+		}
+		storage.Checked = isChecked
+		if !isChecked {
+			log.Fatal("Failed to check if Cloud AI API is enabled. If you encounter an error message, please create an issue.")
+			return
+		}
+	}
+
+	updateAuthRecord(record, storage)
+
+	store := sdkAuth.GetTokenStore()
+	if setter, okSetter := store.(interface{ SetBaseDir(string) }); okSetter && cfg != nil {
+		setter.SetBaseDir(cfg.AuthDir)
+	}
+
+	savedPath, errSave := store.Save(ctx, record)
+	if errSave != nil {
+		log.Fatalf("Failed to save token to file: %v", errSave)
 		return
 	}
 
@@ -67,3 +133,257 @@ func DoLogin(cfg *config.Config, projectID string, options *LoginOptions) {
 
 	fmt.Println("Gemini authentication successful!")
 }
+
+func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage *gemini.GeminiTokenStorage, requestedProject string) error {
+	metadata := map[string]string{
+		"ideType":    "IDE_UNSPECIFIED",
+		"platform":   "PLATFORM_UNSPECIFIED",
+		"pluginType": "GEMINI",
+	}
+
+	loadReqBody := map[string]any{
+		"metadata": metadata,
+	}
+	if requestedProject != "" {
+		loadReqBody["cloudaicompanionProject"] = requestedProject
+	}
+
+	var loadResp map[string]any
+	if errLoad := callGeminiCLI(ctx, httpClient, "loadCodeAssist", loadReqBody, &loadResp); errLoad != nil {
+		return fmt.Errorf("load code assist: %w", errLoad)
+	}
+
+	tierID := "legacy-tier"
+	if tiers, okTiers := loadResp["allowedTiers"].([]any); okTiers {
+		for _, rawTier := range tiers {
+			tier, okTier := rawTier.(map[string]any)
+			if !okTier {
+				continue
+			}
+			if isDefault, okDefault := tier["isDefault"].(bool); okDefault && isDefault {
+				if id, okID := tier["id"].(string); okID && strings.TrimSpace(id) != "" {
+					tierID = strings.TrimSpace(id)
+					break
+				}
+			}
+		}
+	}
+
+	projectID := strings.TrimSpace(requestedProject)
+	if projectID == "" {
+		if id, okProject := loadResp["cloudaicompanionProject"].(string); okProject {
+			projectID = strings.TrimSpace(id)
+		}
+	}
+	if projectID == "" {
+		return &projectSelectionRequiredError{}
+	}
+
+	onboardReqBody := map[string]any{
+		"tierId":                  tierID,
+		"metadata":                metadata,
+		"cloudaicompanionProject": projectID,
+	}
+
+	// Store the requested project as a fallback in case the response omits it.
+	storage.ProjectID = projectID
+
+	for {
+		var onboardResp map[string]any
+		if errOnboard := callGeminiCLI(ctx, httpClient, "onboardUser", onboardReqBody, &onboardResp); errOnboard != nil {
+			return fmt.Errorf("onboard user: %w", errOnboard)
+		}
+
+		if done, okDone := onboardResp["done"].(bool); okDone && done {
+			if resp, okResp := onboardResp["response"].(map[string]any); okResp {
+				if project, okProject := resp["cloudaicompanionProject"].(map[string]any); okProject {
+					if id, okID := project["id"].(string); okID && strings.TrimSpace(id) != "" {
+						storage.ProjectID = strings.TrimSpace(id)
+					}
+				}
+			}
+			storage.ProjectID = strings.TrimSpace(storage.ProjectID)
+			if storage.ProjectID == "" {
+				storage.ProjectID = projectID
+			}
+			if storage.ProjectID == "" {
+				return fmt.Errorf("onboard user completed without project id")
+			}
+			log.Infof("Onboarding complete. Using Project ID: %s", storage.ProjectID)
+			return nil
+		}
+
+		log.Println("Onboarding in progress, waiting 5 seconds...")
+		time.Sleep(5 * time.Second)
+	}
+}
+
+func callGeminiCLI(ctx context.Context, httpClient *http.Client, endpoint string, body any, result any) error {
+	url := fmt.Sprintf("%s/%s:%s", geminiCLIEndpoint, geminiCLIVersion, endpoint)
+	if strings.HasPrefix(endpoint, "operations/") {
+		url = fmt.Sprintf("%s/%s", geminiCLIEndpoint, endpoint)
+	}
+
+	var reader io.Reader
+	if body != nil {
+		rawBody, errMarshal := json.Marshal(body)
+		if errMarshal != nil {
+			return fmt.Errorf("marshal request body: %w", errMarshal)
+		}
+		reader = bytes.NewReader(rawBody)
+	}
+
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodPost, url, reader)
+	if errRequest != nil {
+		return fmt.Errorf("create request: %w", errRequest)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", geminiCLIUserAgent)
+	req.Header.Set("X-Goog-Api-Client", geminiCLIApiClient)
+	req.Header.Set("Client-Metadata", geminiCLIClientMetadata)
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return fmt.Errorf("execute request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("api request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	if result == nil {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		return nil
+	}
+
+	if errDecode := json.NewDecoder(resp.Body).Decode(result); errDecode != nil {
+		return fmt.Errorf("decode response body: %w", errDecode)
+	}
+
+	return nil
+}
+
+func fetchGCPProjects(ctx context.Context, httpClient *http.Client) ([]interfaces.GCPProjectProjects, error) {
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, "https://cloudresourcemanager.googleapis.com/v1/projects", nil)
+	if errRequest != nil {
+		return nil, fmt.Errorf("could not create project list request: %w", errRequest)
+	}
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return nil, fmt.Errorf("failed to execute project list request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("project list request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	var projects interfaces.GCPProject
+	if errDecode := json.NewDecoder(resp.Body).Decode(&projects); errDecode != nil {
+		return nil, fmt.Errorf("failed to unmarshal project list: %w", errDecode)
+	}
+
+	return projects.Projects, nil
+}
+
+func showProjectSelectionHelp(email string, projects []interfaces.GCPProjectProjects) {
+	if email != "" {
+		log.Infof("Your account %s needs to specify a project ID.", email)
+	} else {
+		log.Info("You need to specify a project ID.")
+	}
+
+	if len(projects) > 0 {
+		fmt.Println("========================================================================")
+		for _, p := range projects {
+			fmt.Printf("Project ID: %s\n", p.ProjectID)
+			fmt.Printf("Project Name: %s\n", p.Name)
+			fmt.Println("------------------------------------------------------------------------")
+		}
+	} else {
+		fmt.Println("No active projects were returned for this account.")
+	}
+
+	fmt.Printf("Please run this command to login again with a specific project:\n\n%s --login --project_id <project_id>\n", os.Args[0])
+}
+
+func checkCloudAPIIsEnabled(ctx context.Context, httpClient *http.Client, projectID string) (bool, error) {
+	payload := fmt.Sprintf(`{"project":"%s","request":{"contents":[{"role":"user","parts":[{"text":"Be concise. What is the capital of France?"}]}],"generationConfig":{"thinkingConfig":{"include_thoughts":false,"thinkingBudget":0}}},"model":"gemini-2.5-flash"}`, projectID)
+
+	url := fmt.Sprintf("%s/%s:%s?alt=sse", geminiCLIEndpoint, geminiCLIVersion, "streamGenerateContent")
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodPost, url, strings.NewReader(payload))
+	if errRequest != nil {
+		return false, fmt.Errorf("failed to create request: %w", errRequest)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", geminiCLIUserAgent)
+	req.Header.Set("X-Goog-Api-Client", geminiCLIApiClient)
+	req.Header.Set("Client-Metadata", geminiCLIClientMetadata)
+	req.Header.Set("Accept", "text/event-stream")
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return false, fmt.Errorf("failed to execute request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		if resp.StatusCode == http.StatusForbidden {
+			activationURL := gjson.GetBytes(bodyBytes, "0.error.details.0.metadata.activationUrl").String()
+			if activationURL != "" {
+				log.Warnf("\n\nPlease activate your account with this url:\n\n%s\n\n And execute this command again:\n%s --login --project_id %s", activationURL, os.Args[0], projectID)
+				return false, nil
+			}
+			log.Warnf("\n\nPlease copy this message and create an issue.\n\n%s\n\n", strings.TrimSpace(string(bodyBytes)))
+			return false, nil
+		}
+		return false, fmt.Errorf("request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	scanner := bufio.NewScanner(resp.Body)
+	for scanner.Scan() {
+		// Consume the stream to ensure the request succeeds.
+	}
+	if errScan := scanner.Err(); errScan != nil {
+		return false, fmt.Errorf("stream read failed: %w", errScan)
+	}
+
+	return true, nil
+}
+
+func updateAuthRecord(record *cliproxyauth.Auth, storage *gemini.GeminiTokenStorage) {
+	if record == nil || storage == nil {
+		return
+	}
+
+	finalName := fmt.Sprintf("%s-%s.json", storage.Email, storage.ProjectID)
+
+	if record.Metadata == nil {
+		record.Metadata = make(map[string]any)
+	}
+	record.Metadata["email"] = storage.Email
+	record.Metadata["project_id"] = storage.ProjectID
+	record.Metadata["auto"] = storage.Auto
+	record.Metadata["checked"] = storage.Checked
+
+	record.ID = finalName
+	record.FileName = finalName
+	record.Storage = storage
+}

internal/config/config.go

@@ -8,12 +8,14 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	"golang.org/x/crypto/bcrypt"
 	"gopkg.in/yaml.v3"
 )
 
 // Config represents the application's configuration, loaded from a YAML file.
 type Config struct {
+	config.SDKConfig `yaml:",inline"`
 	// Port is the network port on which the API server will listen.
 	Port int `yaml:"port" json:"-"`
 
@@ -29,24 +31,12 @@ type Config struct {
 	// UsageStatisticsEnabled toggles in-memory usage aggregation; when false, usage data is discarded.
 	UsageStatisticsEnabled bool `yaml:"usage-statistics-enabled" json:"usage-statistics-enabled"`
 
-	// ProxyURL is the URL of an optional proxy server to use for outbound requests.
-	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
-
-	// APIKeys is a list of keys for authenticating clients to this proxy server.
-	APIKeys []string `yaml:"api-keys" json:"api-keys"`
-
-	// Access holds request authentication provider configuration.
-	Access AccessConfig `yaml:"auth" json:"auth"`
-
 	// QuotaExceeded defines the behavior when a quota is exceeded.
 	QuotaExceeded QuotaExceeded `yaml:"quota-exceeded" json:"quota-exceeded"`
 
 	// GlAPIKey is the API key for the generative language API.
 	GlAPIKey []string `yaml:"generative-language-api-key" json:"generative-language-api-key"`
 
-	// RequestLog enables or disables detailed request logging functionality.
-	RequestLog bool `yaml:"request-log" json:"request-log"`
-
 	// RequestRetry defines the retry times when the request failed.
 	RequestRetry int `yaml:"request-retry" json:"request-retry"`
 
@@ -66,38 +56,6 @@ type Config struct {
 	GeminiWeb GeminiWebConfig `yaml:"gemini-web" json:"gemini-web"`
 }
 
-// AccessConfig groups request authentication providers.
-type AccessConfig struct {
-	// Providers lists configured authentication providers.
-	Providers []AccessProvider `yaml:"providers" json:"providers"`
-}
-
-// AccessProvider describes a request authentication provider entry.
-type AccessProvider struct {
-	// Name is the instance identifier for the provider.
-	Name string `yaml:"name" json:"name"`
-
-	// Type selects the provider implementation registered via the SDK.
-	Type string `yaml:"type" json:"type"`
-
-	// SDK optionally names a third-party SDK module providing this provider.
-	SDK string `yaml:"sdk,omitempty" json:"sdk,omitempty"`
-
-	// APIKeys lists inline keys for providers that require them.
-	APIKeys []string `yaml:"api-keys,omitempty" json:"api-keys,omitempty"`
-
-	// Config passes provider-specific options to the implementation.
-	Config map[string]any `yaml:"config,omitempty" json:"config,omitempty"`
-}
-
-const (
-	// AccessProviderTypeConfigAPIKey is the built-in provider validating inline API keys.
-	AccessProviderTypeConfigAPIKey = "config-api-key"
-
-	// DefaultAccessProviderName is applied when no provider name is supplied.
-	DefaultAccessProviderName = "config-inline"
-)
-
 // GeminiWebConfig nests Gemini Web related options under 'gemini-web'.
 type GeminiWebConfig struct {
 	// Context enables JSON-based conversation reuse.
@@ -206,23 +164,23 @@ func LoadConfig(configFile string) (*Config, error) {
 	}
 
 	// Unmarshal the YAML data into the Config struct.
-	var config Config
+	var cfg Config
 	// Set defaults before unmarshal so that absent keys keep defaults.
-	config.LoggingToFile = true
-	config.UsageStatisticsEnabled = true
-	config.GeminiWeb.Context = true
-	if err = yaml.Unmarshal(data, &config); err != nil {
+	cfg.LoggingToFile = true
+	cfg.UsageStatisticsEnabled = true
+	cfg.GeminiWeb.Context = true
+	if err = yaml.Unmarshal(data, &cfg); err != nil {
 		return nil, fmt.Errorf("failed to parse config file: %w", err)
 	}
 
 	// Hash remote management key if plaintext is detected (nested)
 	// We consider a value to be already hashed if it looks like a bcrypt hash ($2a$, $2b$, or $2y$ prefix).
-	if config.RemoteManagement.SecretKey != "" && !looksLikeBcrypt(config.RemoteManagement.SecretKey) {
-		hashed, errHash := hashSecret(config.RemoteManagement.SecretKey)
+	if cfg.RemoteManagement.SecretKey != "" && !looksLikeBcrypt(cfg.RemoteManagement.SecretKey) {
+		hashed, errHash := hashSecret(cfg.RemoteManagement.SecretKey)
 		if errHash != nil {
 			return nil, fmt.Errorf("failed to hash remote management key: %w", errHash)
 		}
-		config.RemoteManagement.SecretKey = hashed
+		cfg.RemoteManagement.SecretKey = hashed
 
 		// Persist the hashed value back to the config file to avoid re-hashing on next startup.
 		// Preserve YAML comments and ordering; update only the nested key.
@@ -230,47 +188,10 @@ func LoadConfig(configFile string) (*Config, error) {
 	}
 
 	// Sync request authentication providers with inline API keys for backwards compatibility.
-	syncInlineAccessProvider(&config)
+	syncInlineAccessProvider(&cfg)
 
 	// Return the populated configuration struct.
-	return &config, nil
-}
-
-// SyncInlineAPIKeys updates the inline API key provider and top-level APIKeys field.
-func SyncInlineAPIKeys(cfg *Config, keys []string) {
-	if cfg == nil {
-		return
-	}
-	cloned := append([]string(nil), keys...)
-	cfg.APIKeys = cloned
-	if provider := cfg.ConfigAPIKeyProvider(); provider != nil {
-		if provider.Name == "" {
-			provider.Name = DefaultAccessProviderName
-		}
-		provider.APIKeys = cloned
-		return
-	}
-	cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
-		Name:    DefaultAccessProviderName,
-		Type:    AccessProviderTypeConfigAPIKey,
-		APIKeys: cloned,
-	})
-}
-
-// ConfigAPIKeyProvider returns the first inline API key provider if present.
-func (c *Config) ConfigAPIKeyProvider() *AccessProvider {
-	if c == nil {
-		return nil
-	}
-	for i := range c.Access.Providers {
-		if c.Access.Providers[i].Type == AccessProviderTypeConfigAPIKey {
-			if c.Access.Providers[i].Name == "" {
-				c.Access.Providers[i].Name = DefaultAccessProviderName
-			}
-			return &c.Access.Providers[i]
-		}
-	}
-	return nil
+	return &cfg, nil
 }
 
 func syncInlineAccessProvider(cfg *Config) {
@@ -281,9 +202,9 @@ func syncInlineAccessProvider(cfg *Config) {
 		if len(cfg.APIKeys) == 0 {
 			return
 		}
-		cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
-			Name:    DefaultAccessProviderName,
-			Type:    AccessProviderTypeConfigAPIKey,
+		cfg.Access.Providers = append(cfg.Access.Providers, config.AccessProvider{
+			Name:    config.DefaultAccessProviderName,
+			Type:    config.AccessProviderTypeConfigAPIKey,
 			APIKeys: append([]string(nil), cfg.APIKeys...),
 		})
 		return
@@ -293,9 +214,9 @@ func syncInlineAccessProvider(cfg *Config) {
 		if len(cfg.APIKeys) == 0 {
 			return
 		}
-		cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
-			Name:    DefaultAccessProviderName,
-			Type:    AccessProviderTypeConfigAPIKey,
+		cfg.Access.Providers = append(cfg.Access.Providers, config.AccessProvider{
+			Name:    config.DefaultAccessProviderName,
+			Type:    config.AccessProviderTypeConfigAPIKey,
 			APIKeys: append([]string(nil), cfg.APIKeys...),
 		})
 		return

internal/misc/credentials.go

@@ -9,7 +9,7 @@ import (
 )
 
 // Separator used to visually group related log lines.
-var credentialSeparator = strings.Repeat("-", 70)
+var credentialSeparator = strings.Repeat("-", 67)
 
 // LogSavingCredentials emits a consistent log message when persisting auth material.
 func LogSavingCredentials(path string) {

internal/provider/gemini-web/state.go

@@ -88,6 +88,11 @@ func (s *GeminiWebState) Label() string {
 	if s == nil {
 		return ""
 	}
+	if s.token != nil {
+		if lbl := strings.TrimSpace(s.token.Label); lbl != "" {
+			return lbl
+		}
+	}
 	if s.storagePath != "" {
 		base := strings.TrimSuffix(filepath.Base(s.storagePath), filepath.Ext(s.storagePath))
 		if base != "" {
@@ -169,8 +174,12 @@ func (s *GeminiWebState) Refresh(ctx context.Context) error {
 			s.client.Cookies["__Secure-1PSIDTS"] = newTS
 		}
 		s.tokenMu.Unlock()
-		// Detailed debug log: provider and account.
-		log.Debugf("gemini web account %s rotated 1PSIDTS: %s", s.accountID, MaskToken28(newTS))
+		// Detailed debug log: provider and account label.
+		label := strings.TrimSpace(s.Label())
+		if label == "" {
+			label = s.accountID
+		}
+		log.Debugf("gemini web account %s rotated 1PSIDTS: %s", label, MaskToken28(newTS))
 	}
 	s.lastRefresh = time.Now()
 	return nil

internal/runtime/executor/claude_executor.go

@@ -284,6 +284,7 @@ func hasZSTDEcoding(contentEncoding string) bool {
 func applyClaudeHeaders(r *http.Request, apiKey string, stream bool) {
 	r.Header.Set("Authorization", "Bearer "+apiKey)
 	r.Header.Set("Content-Type", "application/json")
+	r.Header.Set("Anthropic-Beta", "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14")
 
 	var ginHeaders http.Header
 	if ginCtx, ok := r.Context().Value("gin").(*gin.Context); ok && ginCtx != nil && ginCtx.Request != nil {
@@ -292,7 +293,6 @@ func applyClaudeHeaders(r *http.Request, apiKey string, stream bool) {
 
 	misc.EnsureHeader(r.Header, ginHeaders, "Anthropic-Version", "2023-06-01")
 	misc.EnsureHeader(r.Header, ginHeaders, "Anthropic-Dangerous-Direct-Browser-Access", "true")
-	misc.EnsureHeader(r.Header, ginHeaders, "Anthropic-Beta", "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14")
 	misc.EnsureHeader(r.Header, ginHeaders, "X-App", "cli")
 	misc.EnsureHeader(r.Header, ginHeaders, "X-Stainless-Helper-Method", "stream")
 	misc.EnsureHeader(r.Header, ginHeaders, "X-Stainless-Retry-Count", "0")

internal/runtime/executor/gemini_executor.go

@@ -320,7 +320,7 @@ func (e *GeminiExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (
 	conf := &oauth2.Config{ClientID: clientID, ClientSecret: clientSecret, Endpoint: endpoint}
 
 	// Ensure proxy-aware HTTP client for token refresh
-	httpClient := util.SetProxy(e.cfg, &http.Client{})
+	httpClient := util.SetProxy(&e.cfg.SDKConfig, &http.Client{})
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 
 	// Build base token

internal/runtime/executor/gemini_web_executor.go

@@ -200,7 +200,8 @@ func parseGeminiWebToken(auth *cliproxyauth.Auth) (*gemini.GeminiWebTokenStorage
 	if psid == "" || psidts == "" {
 		return nil, fmt.Errorf("gemini-web executor: incomplete cookie metadata")
 	}
-	return &gemini.GeminiWebTokenStorage{Secure1PSID: psid, Secure1PSIDTS: psidts}, nil
+	label := strings.TrimSpace(stringFromMetadata(auth.Metadata, "label"))
+	return &gemini.GeminiWebTokenStorage{Secure1PSID: psid, Secure1PSIDTS: psidts, Label: label}, nil
 }
 
 func stringFromMetadata(meta map[string]any, keys ...string) string {

internal/translator/claude/openai/responses/claude_openai-responses_response.go

@@ -32,6 +32,10 @@ type claudeToResponsesState struct {
 	ReasoningBuf       strings.Builder
 	ReasoningPartAdded bool
 	ReasoningIndex     int
+	// usage aggregation
+	InputTokens  int64
+	OutputTokens int64
+	UsageSeen    bool
 }
 
 var dataTag = []byte("data:")
@@ -77,6 +81,19 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 			st.FuncArgsBuf = make(map[int]*strings.Builder)
 			st.FuncNames = make(map[int]string)
 			st.FuncCallIDs = make(map[int]string)
+			st.InputTokens = 0
+			st.OutputTokens = 0
+			st.UsageSeen = false
+			if usage := msg.Get("usage"); usage.Exists() {
+				if v := usage.Get("input_tokens"); v.Exists() {
+					st.InputTokens = v.Int()
+					st.UsageSeen = true
+				}
+				if v := usage.Get("output_tokens"); v.Exists() {
+					st.OutputTokens = v.Int()
+					st.UsageSeen = true
+				}
+			}
 			// response.created
 			created := `{"type":"response.created","sequence_number":0,"response":{"id":"","object":"response","created_at":0,"status":"in_progress","background":false,"error":null,"instructions":""}}`
 			created, _ = sjson.Set(created, "sequence_number", nextSeq())
@@ -227,7 +244,6 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 			out = append(out, emitEvent("response.output_item.done", itemDone))
 			st.InFuncBlock = false
 		} else if st.ReasoningActive {
-			// close reasoning
 			full := st.ReasoningBuf.String()
 			textDone := `{"type":"response.reasoning_summary_text.done","sequence_number":0,"item_id":"","output_index":0,"summary_index":0,"text":""}`
 			textDone, _ = sjson.Set(textDone, "sequence_number", nextSeq())
@@ -244,7 +260,19 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 			st.ReasoningActive = false
 			st.ReasoningPartAdded = false
 		}
+	case "message_delta":
+		if usage := root.Get("usage"); usage.Exists() {
+			if v := usage.Get("output_tokens"); v.Exists() {
+				st.OutputTokens = v.Int()
+				st.UsageSeen = true
+			}
+			if v := usage.Get("input_tokens"); v.Exists() {
+				st.InputTokens = v.Int()
+				st.UsageSeen = true
+			}
+		}
 	case "message_stop":
+
 		completed := `{"type":"response.completed","sequence_number":0,"response":{"id":"","object":"response","created_at":0,"status":"completed","background":false,"error":null}}`
 		completed, _ = sjson.Set(completed, "sequence_number", nextSeq())
 		completed, _ = sjson.Set(completed, "response.id", st.ResponseID)
@@ -381,6 +409,24 @@ func ConvertClaudeResponseToOpenAIResponses(ctx context.Context, modelName strin
 		if len(outputs) > 0 {
 			completed, _ = sjson.Set(completed, "response.output", outputs)
 		}
+
+		reasoningTokens := int64(0)
+		if st.ReasoningBuf.Len() > 0 {
+			reasoningTokens = int64(st.ReasoningBuf.Len() / 4)
+		}
+		usagePresent := st.UsageSeen || reasoningTokens > 0
+		if usagePresent {
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens", st.InputTokens)
+			completed, _ = sjson.Set(completed, "response.usage.input_tokens_details.cached_tokens", 0)
+			completed, _ = sjson.Set(completed, "response.usage.output_tokens", st.OutputTokens)
+			if reasoningTokens > 0 {
+				completed, _ = sjson.Set(completed, "response.usage.output_tokens_details.reasoning_tokens", reasoningTokens)
+			}
+			total := st.InputTokens + st.OutputTokens
+			if total > 0 || st.UsageSeen {
+				completed, _ = sjson.Set(completed, "response.usage.total_tokens", total)
+			}
+		}
 		out = append(out, emitEvent("response.completed", completed))
 	}
 

internal/translator/codex/openai/responses/codex_openai-responses_request.go

@@ -17,6 +17,9 @@ func ConvertOpenAIResponsesRequestToCodex(modelName string, inputRawJSON []byte,
 	rawJSON, _ = sjson.SetBytes(rawJSON, "store", false)
 	rawJSON, _ = sjson.SetBytes(rawJSON, "parallel_tool_calls", true)
 	rawJSON, _ = sjson.SetBytes(rawJSON, "include", []string{"reasoning.encrypted_content"})
+	// Codex Responses rejects token limit fields, so strip them out before forwarding.
+	rawJSON, _ = sjson.DeleteBytes(rawJSON, "max_output_tokens")
+	rawJSON, _ = sjson.DeleteBytes(rawJSON, "max_completion_tokens")
 	rawJSON, _ = sjson.DeleteBytes(rawJSON, "temperature")
 	rawJSON, _ = sjson.DeleteBytes(rawJSON, "top_p")
 

internal/translator/gemini/openai/responses/gemini_openai-responses_response.go

@@ -78,12 +78,21 @@ func ConvertGeminiResponseToOpenAIResponses(_ context.Context, modelName string,
 		textDone, _ = sjson.Set(textDone, "output_index", st.ReasoningIndex)
 		textDone, _ = sjson.Set(textDone, "text", full)
 		out = append(out, emitEvent("response.reasoning_summary_text.done", textDone))
+
 		partDone := `{"type":"response.reasoning_summary_part.done","sequence_number":0,"item_id":"","output_index":0,"summary_index":0,"part":{"type":"summary_text","text":""}}`
 		partDone, _ = sjson.Set(partDone, "sequence_number", nextSeq())
 		partDone, _ = sjson.Set(partDone, "item_id", st.ReasoningItemID)
 		partDone, _ = sjson.Set(partDone, "output_index", st.ReasoningIndex)
 		partDone, _ = sjson.Set(partDone, "part.text", full)
 		out = append(out, emitEvent("response.reasoning_summary_part.done", partDone))
+
+		itemDone := `{"type":"response.output_item.done","sequence_number":0,"output_index":0,"item":{"id":"","type":"reasoning","encrypted_content":"","summary":[{"type":"summary_text","text":""}]}}`
+		itemDone, _ = sjson.Set(itemDone, "sequence_number", nextSeq())
+		itemDone, _ = sjson.Set(itemDone, "item.id", st.ReasoningItemID)
+		itemDone, _ = sjson.Set(itemDone, "output_index", st.ReasoningIndex)
+		itemDone, _ = sjson.Set(itemDone, "item.summary.0.text", full)
+		out = append(out, emitEvent("response.output_item.done", itemDone))
+
 		st.ReasoningClosed = true
 	}
 

internal/translator/openai/openai/responses/openai_openai-responses_response.go

@@ -32,6 +32,13 @@ type oaiToResponsesState struct {
 	// function item done state
 	FuncArgsDone map[int]bool
 	FuncItemDone map[int]bool
+	// usage aggregation
+	PromptTokens     int64
+	CachedTokens     int64
+	CompletionTokens int64
+	TotalTokens      int64
+	ReasoningTokens  int64
+	UsageSeen        bool
 }
 
 func emitRespEvent(event string, payload string) string {
@@ -66,6 +73,35 @@ func ConvertOpenAIChatCompletionsResponseToOpenAIResponses(ctx context.Context,
 		return []string{}
 	}
 
+	if usage := root.Get("usage"); usage.Exists() {
+		if v := usage.Get("prompt_tokens"); v.Exists() {
+			st.PromptTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("prompt_tokens_details.cached_tokens"); v.Exists() {
+			st.CachedTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("completion_tokens"); v.Exists() {
+			st.CompletionTokens = v.Int()
+			st.UsageSeen = true
+		} else if v := usage.Get("output_tokens"); v.Exists() {
+			st.CompletionTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("output_tokens_details.reasoning_tokens"); v.Exists() {
+			st.ReasoningTokens = v.Int()
+			st.UsageSeen = true
+		} else if v := usage.Get("completion_tokens_details.reasoning_tokens"); v.Exists() {
+			st.ReasoningTokens = v.Int()
+			st.UsageSeen = true
+		}
+		if v := usage.Get("total_tokens"); v.Exists() {
+			st.TotalTokens = v.Int()
+			st.UsageSeen = true
+		}
+	}
+
 	nextSeq := func() int { st.Seq++; return st.Seq }
 	var out []string
 
@@ -85,6 +121,12 @@ func ConvertOpenAIChatCompletionsResponseToOpenAIResponses(ctx context.Context,
 		st.MsgItemDone = make(map[int]bool)
 		st.FuncArgsDone = make(map[int]bool)
 		st.FuncItemDone = make(map[int]bool)
+		st.PromptTokens = 0
+		st.CachedTokens = 0
+		st.CompletionTokens = 0
+		st.TotalTokens = 0
+		st.ReasoningTokens = 0
+		st.UsageSeen = false
 		// response.created
 		created := `{"type":"response.created","sequence_number":0,"response":{"id":"","object":"response","created_at":0,"status":"in_progress","background":false,"error":null}}`
 		created, _ = sjson.Set(created, "sequence_number", nextSeq())
@@ -503,6 +545,19 @@ func ConvertOpenAIChatCompletionsResponseToOpenAIResponses(ctx context.Context,
 				if len(outputs) > 0 {
 					completed, _ = sjson.Set(completed, "response.output", outputs)
 				}
+				if st.UsageSeen {
+					completed, _ = sjson.Set(completed, "response.usage.input_tokens", st.PromptTokens)
+					completed, _ = sjson.Set(completed, "response.usage.input_tokens_details.cached_tokens", st.CachedTokens)
+					completed, _ = sjson.Set(completed, "response.usage.output_tokens", st.CompletionTokens)
+					if st.ReasoningTokens > 0 {
+						completed, _ = sjson.Set(completed, "response.usage.output_tokens_details.reasoning_tokens", st.ReasoningTokens)
+					}
+					total := st.TotalTokens
+					if total == 0 {
+						total = st.PromptTokens + st.CompletionTokens
+					}
+					completed, _ = sjson.Set(completed, "response.usage.total_tokens", total)
+				}
 				out = append(out, emitRespEvent("response.completed", completed))
 			}
 

internal/util/provider.go

@@ -26,7 +26,7 @@ import (
 //
 // Returns:
 //   - []string: All provider identifiers capable of serving the model, ordered by preference.
-func GetProviderName(modelName string, cfg *config.Config) []string {
+func GetProviderName(modelName string) []string {
 	if modelName == "" {
 		return nil
 	}

internal/util/proxy.go

@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/proxy"
 )
@@ -17,7 +17,7 @@ import (
 // SetProxy configures the provided HTTP client with proxy settings from the configuration.
 // It supports SOCKS5, HTTP, and HTTPS proxies. The function modifies the client's transport
 // to route requests through the configured proxy server.
-func SetProxy(cfg *config.Config, httpClient *http.Client) *http.Client {
+func SetProxy(cfg *config.SDKConfig, httpClient *http.Client) *http.Client {
 	var transport *http.Transport
 	// Attempt to parse the proxy URL from the configuration.
 	proxyURL, errParse := url.Parse(cfg.ProxyURL)

internal/util/util.go

@@ -4,6 +4,7 @@
 package util
 
 import (
+	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -30,23 +31,42 @@ func SetLogLevel(cfg *config.Config) {
 	}
 }
 
-// CountAuthFiles returns the number of JSON auth files located under the provided directory.
-// The function resolves leading tildes to the user's home directory and performs a case-insensitive
-// match on the ".json" suffix so that files saved with uppercase extensions are also counted.
-func CountAuthFiles(authDir string) int {
+// ResolveAuthDir normalizes the auth directory path for consistent reuse throughout the app.
+// It expands a leading tilde (~) to the user's home directory and returns a cleaned path.
+func ResolveAuthDir(authDir string) (string, error) {
 	if authDir == "" {
-		return 0
+		return "", nil
 	}
 	if strings.HasPrefix(authDir, "~") {
 		home, err := os.UserHomeDir()
 		if err != nil {
-			log.Debugf("countAuthFiles: failed to resolve home directory: %v", err)
-			return 0
+			return "", fmt.Errorf("resolve auth dir: %w", err)
 		}
-		authDir = filepath.Join(home, authDir[1:])
+		remainder := strings.TrimPrefix(authDir, "~")
+		remainder = strings.TrimLeft(remainder, "/\\")
+		if remainder == "" {
+			return filepath.Clean(home), nil
+		}
+		normalized := strings.ReplaceAll(remainder, "\\", "/")
+		return filepath.Clean(filepath.Join(home, filepath.FromSlash(normalized))), nil
+	}
+	return filepath.Clean(authDir), nil
+}
+
+// CountAuthFiles returns the number of JSON auth files located under the provided directory.
+// The function resolves leading tildes to the user's home directory and performs a case-insensitive
+// match on the ".json" suffix so that files saved with uppercase extensions are also counted.
+func CountAuthFiles(authDir string) int {
+	dir, err := ResolveAuthDir(authDir)
+	if err != nil {
+		log.Debugf("countAuthFiles: failed to resolve auth directory: %v", err)
+		return 0
+	}
+	if dir == "" {
+		return 0
 	}
 	count := 0
-	walkErr := filepath.WalkDir(authDir, func(path string, d fs.DirEntry, err error) error {
+	walkErr := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			log.Debugf("countAuthFiles: error accessing %s: %v", path, err)
 			return nil

internal/watcher/watcher.go

@@ -14,6 +14,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -145,7 +146,7 @@ func (w *Watcher) Start(ctx context.Context) error {
 	go w.processEvents(ctx)
 
 	// Perform an initial full reload based on current config and auth dir
-	w.reloadClients()
+	w.reloadClients(true)
 	return nil
 }
 
@@ -455,6 +456,7 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 
 // reloadConfig reloads the configuration and triggers a full reload
 func (w *Watcher) reloadConfig() bool {
+	log.Debug("=========================== CONFIG RELOAD ============================")
 	log.Debugf("starting config reload from: %s", w.configPath)
 
 	newConfig, errLoadConfig := config.LoadConfig(w.configPath)
@@ -463,6 +465,12 @@ func (w *Watcher) reloadConfig() bool {
 		return false
 	}
 
+	if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(newConfig.AuthDir); errResolveAuthDir != nil {
+		log.Errorf("failed to resolve auth directory from config: %v", errResolveAuthDir)
+	} else {
+		newConfig.AuthDir = resolvedAuthDir
+	}
+
 	w.clientsMutex.Lock()
 	oldConfig := w.config
 	w.config = newConfig
@@ -530,17 +538,25 @@ func (w *Watcher) reloadConfig() bool {
 		if oldConfig.UsageStatisticsEnabled != newConfig.UsageStatisticsEnabled {
 			log.Debugf("  usage-statistics-enabled: %t -> %t", oldConfig.UsageStatisticsEnabled, newConfig.UsageStatisticsEnabled)
 		}
+		if changes := diffOpenAICompatibility(oldConfig.OpenAICompatibility, newConfig.OpenAICompatibility); len(changes) > 0 {
+			log.Debugf("  openai-compatibility:")
+			for _, change := range changes {
+				log.Debugf("    %s", change)
+			}
+		}
 	}
 
+	authDirChanged := oldConfig == nil || oldConfig.AuthDir != newConfig.AuthDir
+
 	log.Infof("config successfully reloaded, triggering client reload")
 	// Reload clients with new config
-	w.reloadClients()
+	w.reloadClients(authDirChanged)
 	return true
 }
 
 // reloadClients performs a full scan and reload of all clients.
-func (w *Watcher) reloadClients() {
-	log.Debugf("starting full client reload process")
+func (w *Watcher) reloadClients(rescanAuth bool) {
+	log.Debugf("starting full client load process")
 
 	w.clientsMutex.RLock()
 	cfg := w.config
@@ -556,33 +572,48 @@ func (w *Watcher) reloadClients() {
 
 	// Create new API key clients based on the new config
 	glAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount := BuildAPIKeyClients(cfg)
-	log.Debugf("created %d new API key clients", 0)
+	totalAPIKeyClients := glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
+	log.Debugf("loaded %d API key clients", totalAPIKeyClients)
 
-	// Load file-based clients
-	authFileCount := w.loadFileClients(cfg)
-	log.Debugf("loaded %d new file-based clients", 0)
+	var authFileCount int
+	if rescanAuth {
+		// Load file-based clients when explicitly requested (startup or authDir change)
+		authFileCount = w.loadFileClients(cfg)
+		log.Debugf("loaded %d file-based clients", authFileCount)
+	} else {
+		// Preserve existing auth hashes and only report current known count to avoid redundant scans.
+		w.clientsMutex.RLock()
+		authFileCount = len(w.lastAuthHashes)
+		w.clientsMutex.RUnlock()
+		log.Debugf("skipping auth directory rescan; retaining %d existing auth files", authFileCount)
+	}
 
 	// no legacy file-based clients to unregister
 
 	// Update client maps
-	w.clientsMutex.Lock()
+	if rescanAuth {
+		w.clientsMutex.Lock()
 
-	// Rebuild auth file hash cache for current clients
-	w.lastAuthHashes = make(map[string]string)
-	// Recompute hashes for current auth files
-	_ = filepath.Walk(cfg.AuthDir, func(path string, info fs.FileInfo, err error) error {
-		if err != nil {
-			return nil
+		// Rebuild auth file hash cache for current clients
+		w.lastAuthHashes = make(map[string]string)
+		if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir); errResolveAuthDir != nil {
+			log.Errorf("failed to resolve auth directory for hash cache: %v", errResolveAuthDir)
+		} else if resolvedAuthDir != "" {
+			_ = filepath.Walk(resolvedAuthDir, func(path string, info fs.FileInfo, err error) error {
+				if err != nil {
+					return nil
+				}
+				if !info.IsDir() && strings.HasSuffix(strings.ToLower(info.Name()), ".json") {
+					if data, errReadFile := os.ReadFile(path); errReadFile == nil && len(data) > 0 {
+						sum := sha256.Sum256(data)
+						w.lastAuthHashes[path] = hex.EncodeToString(sum[:])
+					}
+				}
+				return nil
+			})
 		}
-		if !info.IsDir() && strings.HasSuffix(strings.ToLower(info.Name()), ".json") {
-			if data, errReadFile := os.ReadFile(path); errReadFile == nil && len(data) > 0 {
-				sum := sha256.Sum256(data)
-				w.lastAuthHashes[path] = hex.EncodeToString(sum[:])
-			}
-		}
-		return nil
-	})
-	w.clientsMutex.Unlock()
+		w.clientsMutex.Unlock()
+	}
 
 	totalNewClients := authFileCount + glAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
 
@@ -855,14 +886,13 @@ func (w *Watcher) loadFileClients(cfg *config.Config) int {
 	authFileCount := 0
 	successfulAuthCount := 0
 
-	authDir := cfg.AuthDir
-	if strings.HasPrefix(authDir, "~") {
-		home, err := os.UserHomeDir()
-		if err != nil {
-			log.Errorf("failed to get home directory: %v", err)
-			return 0
-		}
-		authDir = filepath.Join(home, authDir[1:])
+	authDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir)
+	if errResolveAuthDir != nil {
+		log.Errorf("failed to resolve auth directory: %v", errResolveAuthDir)
+		return 0
+	}
+	if authDir == "" {
+		return 0
 	}
 
 	errWalk := filepath.Walk(authDir, func(path string, info fs.FileInfo, err error) error {
@@ -912,3 +942,114 @@ func BuildAPIKeyClients(cfg *config.Config) (int, int, int, int) {
 	}
 	return glAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount
 }
+
+func diffOpenAICompatibility(oldList, newList []config.OpenAICompatibility) []string {
+	changes := make([]string, 0)
+	oldMap := make(map[string]config.OpenAICompatibility, len(oldList))
+	oldLabels := make(map[string]string, len(oldList))
+	for idx, entry := range oldList {
+		key, label := openAICompatKey(entry, idx)
+		oldMap[key] = entry
+		oldLabels[key] = label
+	}
+	newMap := make(map[string]config.OpenAICompatibility, len(newList))
+	newLabels := make(map[string]string, len(newList))
+	for idx, entry := range newList {
+		key, label := openAICompatKey(entry, idx)
+		newMap[key] = entry
+		newLabels[key] = label
+	}
+	keySet := make(map[string]struct{}, len(oldMap)+len(newMap))
+	for key := range oldMap {
+		keySet[key] = struct{}{}
+	}
+	for key := range newMap {
+		keySet[key] = struct{}{}
+	}
+	orderedKeys := make([]string, 0, len(keySet))
+	for key := range keySet {
+		orderedKeys = append(orderedKeys, key)
+	}
+	sort.Strings(orderedKeys)
+	for _, key := range orderedKeys {
+		oldEntry, oldOk := oldMap[key]
+		newEntry, newOk := newMap[key]
+		label := oldLabels[key]
+		if label == "" {
+			label = newLabels[key]
+		}
+		switch {
+		case !oldOk:
+			changes = append(changes, fmt.Sprintf("provider added: %s (api-keys=%d, models=%d)", label, countNonEmptyStrings(newEntry.APIKeys), countOpenAIModels(newEntry.Models)))
+		case !newOk:
+			changes = append(changes, fmt.Sprintf("provider removed: %s (api-keys=%d, models=%d)", label, countNonEmptyStrings(oldEntry.APIKeys), countOpenAIModels(oldEntry.Models)))
+		default:
+			if detail := describeOpenAICompatibilityUpdate(oldEntry, newEntry); detail != "" {
+				changes = append(changes, fmt.Sprintf("provider updated: %s %s", label, detail))
+			}
+		}
+	}
+	return changes
+}
+
+func describeOpenAICompatibilityUpdate(oldEntry, newEntry config.OpenAICompatibility) string {
+	oldKeyCount := countNonEmptyStrings(oldEntry.APIKeys)
+	newKeyCount := countNonEmptyStrings(newEntry.APIKeys)
+	oldModelCount := countOpenAIModels(oldEntry.Models)
+	newModelCount := countOpenAIModels(newEntry.Models)
+	details := make([]string, 0, 2)
+	if oldKeyCount != newKeyCount {
+		details = append(details, fmt.Sprintf("api-keys %d -> %d", oldKeyCount, newKeyCount))
+	}
+	if oldModelCount != newModelCount {
+		details = append(details, fmt.Sprintf("models %d -> %d", oldModelCount, newModelCount))
+	}
+	if len(details) == 0 {
+		return ""
+	}
+	return "(" + strings.Join(details, ", ") + ")"
+}
+
+func countNonEmptyStrings(values []string) int {
+	count := 0
+	for _, value := range values {
+		if strings.TrimSpace(value) != "" {
+			count++
+		}
+	}
+	return count
+}
+
+func countOpenAIModels(models []config.OpenAICompatibilityModel) int {
+	count := 0
+	for _, model := range models {
+		name := strings.TrimSpace(model.Name)
+		alias := strings.TrimSpace(model.Alias)
+		if name == "" && alias == "" {
+			continue
+		}
+		count++
+	}
+	return count
+}
+
+func openAICompatKey(entry config.OpenAICompatibility, index int) (string, string) {
+	name := strings.TrimSpace(entry.Name)
+	if name != "" {
+		return "name:" + name, name
+	}
+	base := strings.TrimSpace(entry.BaseURL)
+	if base != "" {
+		return "base:" + base, base
+	}
+	for _, model := range entry.Models {
+		alias := strings.TrimSpace(model.Alias)
+		if alias == "" {
+			alias = strings.TrimSpace(model.Name)
+		}
+		if alias != "" {
+			return "alias:" + alias, alias
+		}
+	}
+	return fmt.Sprintf("index:%d", index), fmt.Sprintf("entry-%d", index+1)
+}

sdk/access/registry.go

@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"sync"
 
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 )
 
 // Provider validates credentials for incoming requests.
@@ -23,7 +23,7 @@ type Result struct {
 }
 
 // ProviderFactory builds a provider from configuration data.
-type ProviderFactory func(cfg *config.AccessProvider, root *config.Config) (Provider, error)
+type ProviderFactory func(cfg *config.AccessProvider, root *config.SDKConfig) (Provider, error)
 
 var (
 	registryMu sync.RWMutex
@@ -40,7 +40,7 @@ func RegisterProvider(typ string, factory ProviderFactory) {
 	registryMu.Unlock()
 }
 
-func buildProvider(cfg *config.AccessProvider, root *config.Config) (Provider, error) {
+func BuildProvider(cfg *config.AccessProvider, root *config.SDKConfig) (Provider, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("access: nil provider config")
 	}
@@ -58,7 +58,7 @@ func buildProvider(cfg *config.AccessProvider, root *config.Config) (Provider, e
 }
 
 // BuildProviders constructs providers declared in configuration.
-func BuildProviders(root *config.Config) ([]Provider, error) {
+func BuildProviders(root *config.SDKConfig) ([]Provider, error) {
 	if root == nil {
 		return nil, nil
 	}
@@ -68,7 +68,7 @@ func BuildProviders(root *config.Config) ([]Provider, error) {
 		if providerCfg.Type == "" {
 			continue
 		}
-		provider, err := buildProvider(providerCfg, root)
+		provider, err := BuildProvider(providerCfg, root)
 		if err != nil {
 			return nil, err
 		}
@@ -77,7 +77,7 @@ func BuildProviders(root *config.Config) ([]Provider, error) {
 	if len(providers) == 0 && len(root.APIKeys) > 0 {
 		config.SyncInlineAPIKeys(root, root.APIKeys)
 		if providerCfg := root.ConfigAPIKeyProvider(); providerCfg != nil {
-			provider, err := buildProvider(providerCfg, root)
+			provider, err := BuildProvider(providerCfg, root)
 			if err != nil {
 				return nil, err
 			}

sdk/api/handlers/claude/code_handlers.go

@@ -14,10 +14,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/tidwall/gjson"
 )
 

sdk/api/handlers/gemini/gemini-cli_handlers.go

@@ -14,10 +14,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	log "github.com/sirupsen/logrus"
 	"github.com/tidwall/gjson"
 )

sdk/api/handlers/gemini/gemini_handlers.go

@@ -13,10 +13,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 )
 
 // GeminiAPIHandler contains the handlers for Gemini API endpoints.

sdk/api/handlers/handlers.go

@@ -8,11 +8,11 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	coreexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
 	"golang.org/x/net/context"
 )
@@ -45,7 +45,7 @@ type BaseAPIHandler struct {
 	AuthManager *coreauth.Manager
 
 	// Cfg holds the current application configuration.
-	Cfg *config.Config
+	Cfg *config.SDKConfig
 }
 
 // NewBaseAPIHandlers creates a new API handlers instance.
@@ -57,7 +57,7 @@ type BaseAPIHandler struct {
 //
 // Returns:
 //   - *BaseAPIHandler: A new API handlers instance
-func NewBaseAPIHandlers(cfg *config.Config, authManager *coreauth.Manager) *BaseAPIHandler {
+func NewBaseAPIHandlers(cfg *config.SDKConfig, authManager *coreauth.Manager) *BaseAPIHandler {
 	return &BaseAPIHandler{
 		Cfg:         cfg,
 		AuthManager: authManager,
@@ -70,7 +70,7 @@ func NewBaseAPIHandlers(cfg *config.Config, authManager *coreauth.Manager) *Base
 // Parameters:
 //   - clients: The new slice of AI service clients
 //   - cfg: The new application configuration
-func (h *BaseAPIHandler) UpdateClients(cfg *config.Config) { h.Cfg = cfg }
+func (h *BaseAPIHandler) UpdateClients(cfg *config.SDKConfig) { h.Cfg = cfg }
 
 // GetAlt extracts the 'alt' parameter from the request query string.
 // It checks both 'alt' and '$alt' parameters and returns the appropriate value.
@@ -133,7 +133,7 @@ func (h *BaseAPIHandler) GetContextWithCancel(handler interfaces.APIHandler, c *
 // ExecuteWithAuthManager executes a non-streaming request via the core auth manager.
 // This path is the only supported execution route.
 func (h *BaseAPIHandler) ExecuteWithAuthManager(ctx context.Context, handlerType, modelName string, rawJSON []byte, alt string) ([]byte, *interfaces.ErrorMessage) {
-	providers := util.GetProviderName(modelName, h.Cfg)
+	providers := util.GetProviderName(modelName)
 	if len(providers) == 0 {
 		return nil, &interfaces.ErrorMessage{StatusCode: http.StatusBadRequest, Error: fmt.Errorf("unknown provider for model %s", modelName)}
 	}
@@ -157,7 +157,7 @@ func (h *BaseAPIHandler) ExecuteWithAuthManager(ctx context.Context, handlerType
 // ExecuteCountWithAuthManager executes a non-streaming request via the core auth manager.
 // This path is the only supported execution route.
 func (h *BaseAPIHandler) ExecuteCountWithAuthManager(ctx context.Context, handlerType, modelName string, rawJSON []byte, alt string) ([]byte, *interfaces.ErrorMessage) {
-	providers := util.GetProviderName(modelName, h.Cfg)
+	providers := util.GetProviderName(modelName)
 	if len(providers) == 0 {
 		return nil, &interfaces.ErrorMessage{StatusCode: http.StatusBadRequest, Error: fmt.Errorf("unknown provider for model %s", modelName)}
 	}
@@ -181,7 +181,7 @@ func (h *BaseAPIHandler) ExecuteCountWithAuthManager(ctx context.Context, handle
 // ExecuteStreamWithAuthManager executes a streaming request via the core auth manager.
 // This path is the only supported execution route.
 func (h *BaseAPIHandler) ExecuteStreamWithAuthManager(ctx context.Context, handlerType, modelName string, rawJSON []byte, alt string) (<-chan []byte, <-chan *interfaces.ErrorMessage) {
-	providers := util.GetProviderName(modelName, h.Cfg)
+	providers := util.GetProviderName(modelName)
 	if len(providers) == 0 {
 		errChan := make(chan *interfaces.ErrorMessage, 1)
 		errChan <- &interfaces.ErrorMessage{StatusCode: http.StatusBadRequest, Error: fmt.Errorf("unknown provider for model %s", modelName)}

sdk/api/handlers/openai/openai_handlers.go

@@ -14,10 +14,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
 )

sdk/api/handlers/openai/openai_responses_handlers.go

@@ -14,10 +14,10 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/api/handlers"
 	. "github.com/router-for-me/CLIProxyAPI/v6/internal/constant"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/tidwall/gjson"
 )
 

sdk/auth/claude.go

@@ -13,6 +13,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -35,7 +36,7 @@ func (a *ClaudeAuthenticator) RefreshLead() *time.Duration {
 	return &d
 }
 
-func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -127,7 +128,7 @@ func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 	}
 
 	fileName := fmt.Sprintf("claude-%s.json", tokenStorage.Email)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email": tokenStorage.Email,
 	}
 
@@ -136,7 +137,8 @@ func (a *ClaudeAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 		fmt.Println("Claude API key obtained and stored")
 	}
 
-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  tokenStorage,

sdk/auth/codex.go

@@ -13,6 +13,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -35,7 +36,7 @@ func (a *CodexAuthenticator) RefreshLead() *time.Duration {
 	return &d
 }
 
-func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -126,7 +127,7 @@ func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	}
 
 	fileName := fmt.Sprintf("codex-%s.json", tokenStorage.Email)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email": tokenStorage.Email,
 	}
 
@@ -135,7 +136,8 @@ func (a *CodexAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 		fmt.Println("Codex API key obtained and stored")
 	}
 
-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  tokenStorage,

sdk/auth/filestore.go

@@ -11,7 +11,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
 
@@ -35,27 +34,71 @@ func (s *FileTokenStore) SetBaseDir(dir string) {
 	s.dirLock.Unlock()
 }
 
-// Save writes the token storage to the resolved file path.
-func (s *FileTokenStore) Save(ctx context.Context, cfg *config.Config, record *TokenRecord) (string, error) {
-	if record == nil || record.Storage == nil {
-		return "", fmt.Errorf("cliproxy auth: token record is incomplete")
+// Save persists token storage and metadata to the resolved auth file path.
+func (s *FileTokenStore) Save(ctx context.Context, auth *cliproxyauth.Auth) (string, error) {
+	if auth == nil {
+		return "", fmt.Errorf("auth filestore: auth is nil")
 	}
-	target := strings.TrimSpace(record.FileName)
-	if target == "" {
-		return "", fmt.Errorf("cliproxy auth: missing file name for provider %s", record.Provider)
-	}
-	if !filepath.IsAbs(target) {
-		baseDir := s.baseDirFromConfig(cfg)
-		if baseDir != "" {
-			target = filepath.Join(baseDir, target)
-		}
-	}
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if err := record.Storage.SaveTokenToFile(target); err != nil {
+
+	path, err := s.resolveAuthPath(auth)
+	if err != nil {
 		return "", err
 	}
-	return target, nil
+	if path == "" {
+		return "", fmt.Errorf("auth filestore: missing file path attribute for %s", auth.ID)
+	}
+
+	if auth.Disabled {
+		if _, statErr := os.Stat(path); os.IsNotExist(statErr) {
+			return "", nil
+		}
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if err = os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return "", fmt.Errorf("auth filestore: create dir failed: %w", err)
+	}
+
+	switch {
+	case auth.Storage != nil:
+		if err = auth.Storage.SaveTokenToFile(path); err != nil {
+			return "", err
+		}
+	case auth.Metadata != nil:
+		raw, errMarshal := json.Marshal(auth.Metadata)
+		if errMarshal != nil {
+			return "", fmt.Errorf("auth filestore: marshal metadata failed: %w", errMarshal)
+		}
+		if existing, errRead := os.ReadFile(path); errRead == nil {
+			if jsonEqual(existing, raw) {
+				return path, nil
+			}
+		} else if errRead != nil && !os.IsNotExist(errRead) {
+			return "", fmt.Errorf("auth filestore: read existing failed: %w", errRead)
+		}
+		tmp := path + ".tmp"
+		if errWrite := os.WriteFile(tmp, raw, 0o600); errWrite != nil {
+			return "", fmt.Errorf("auth filestore: write temp failed: %w", errWrite)
+		}
+		if errRename := os.Rename(tmp, path); errRename != nil {
+			return "", fmt.Errorf("auth filestore: rename failed: %w", errRename)
+		}
+	default:
+		return "", fmt.Errorf("auth filestore: nothing to persist for %s", auth.ID)
+	}
+
+	if auth.Attributes == nil {
+		auth.Attributes = make(map[string]string)
+	}
+	auth.Attributes["path"] = path
+
+	if strings.TrimSpace(auth.FileName) == "" {
+		auth.FileName = auth.ID
+	}
+
+	return path, nil
 }
 
 // List enumerates all auth JSON files under the configured directory.
@@ -90,50 +133,6 @@ func (s *FileTokenStore) List(ctx context.Context) ([]*cliproxyauth.Auth, error)
 	return entries, nil
 }
 
-// SaveAuth writes the auth metadata back to its source file location.
-func (s *FileTokenStore) SaveAuth(ctx context.Context, auth *cliproxyauth.Auth) error {
-	if auth == nil {
-		return fmt.Errorf("auth filestore: auth is nil")
-	}
-	path, err := s.resolveAuthPath(auth)
-	if err != nil {
-		return err
-	}
-	if path == "" {
-		return fmt.Errorf("auth filestore: missing file path attribute for %s", auth.ID)
-	}
-	// If the auth has been disabled and the original file was removed, avoid recreating it on disk.
-	if auth.Disabled {
-		if _, statErr := os.Stat(path); statErr != nil {
-			if os.IsNotExist(statErr) {
-				return nil
-			}
-		}
-	}
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if err = os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
-		return fmt.Errorf("auth filestore: create dir failed: %w", err)
-	}
-	raw, err := json.Marshal(auth.Metadata)
-	if err != nil {
-		return fmt.Errorf("auth filestore: marshal metadata failed: %w", err)
-	}
-	if existing, errRead := os.ReadFile(path); errRead == nil {
-		if jsonEqual(existing, raw) {
-			return nil
-		}
-	}
-	tmp := path + ".tmp"
-	if err = os.WriteFile(tmp, raw, 0o600); err != nil {
-		return fmt.Errorf("auth filestore: write temp failed: %w", err)
-	}
-	if err = os.Rename(tmp, path); err != nil {
-		return fmt.Errorf("auth filestore: rename failed: %w", err)
-	}
-	return nil
-}
-
 // Delete removes the auth file.
 func (s *FileTokenStore) Delete(ctx context.Context, id string) error {
 	id = strings.TrimSpace(id)
@@ -185,6 +184,7 @@ func (s *FileTokenStore) readAuthFile(path, baseDir string) (*cliproxyauth.Auth,
 	auth := &cliproxyauth.Auth{
 		ID:               id,
 		Provider:         provider,
+		FileName:         id,
 		Label:            s.labelFor(metadata),
 		Status:           cliproxyauth.StatusActive,
 		Attributes:       map[string]string{"path": path},
@@ -220,6 +220,15 @@ func (s *FileTokenStore) resolveAuthPath(auth *cliproxyauth.Auth) (string, error
 			return p, nil
 		}
 	}
+	if fileName := strings.TrimSpace(auth.FileName); fileName != "" {
+		if filepath.IsAbs(fileName) {
+			return fileName, nil
+		}
+		if dir := s.baseDirSnapshot(); dir != "" {
+			return filepath.Join(dir, fileName), nil
+		}
+		return fileName, nil
+	}
 	if auth.ID == "" {
 		return "", fmt.Errorf("auth filestore: missing id")
 	}
@@ -249,13 +258,6 @@ func (s *FileTokenStore) labelFor(metadata map[string]any) string {
 	return ""
 }
 
-func (s *FileTokenStore) baseDirFromConfig(cfg *config.Config) string {
-	if cfg != nil && strings.TrimSpace(cfg.AuthDir) != "" {
-		return strings.TrimSpace(cfg.AuthDir)
-	}
-	return s.baseDirSnapshot()
-}
-
 func (s *FileTokenStore) baseDirSnapshot() string {
 	s.dirLock.RLock()
 	defer s.dirLock.RUnlock()

sdk/auth/gemini-web.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
 
 // GeminiWebAuthenticator provides a minimal wrapper so core components can treat
@@ -16,7 +17,7 @@ func NewGeminiWebAuthenticator() *GeminiWebAuthenticator { return &GeminiWebAuth
 
 func (a *GeminiWebAuthenticator) Provider() string { return "gemini-web" }
 
-func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	_ = ctx
 	_ = cfg
 	_ = opts
@@ -24,6 +25,6 @@ func (a *GeminiWebAuthenticator) Login(ctx context.Context, cfg *config.Config,
 }
 
 func (a *GeminiWebAuthenticator) RefreshLead() *time.Duration {
-	d := 15 * time.Minute
+	d := time.Hour
 	return &d
 }

sdk/auth/gemini.go

@@ -8,6 +8,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
 	// legacy client removed
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
 
 // GeminiAuthenticator implements the login flow for Google Gemini CLI accounts.
@@ -26,7 +27,7 @@ func (a *GeminiAuthenticator) RefreshLead() *time.Duration {
 	return nil
 }
 
-func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -51,14 +52,15 @@ func (a *GeminiAuthenticator) Login(ctx context.Context, cfg *config.Config, opt
 	// Skip onboarding here; rely on upstream configuration
 
 	fileName := fmt.Sprintf("%s-%s.json", ts.Email, ts.ProjectID)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email":      ts.Email,
 		"project_id": ts.ProjectID,
 	}
 
 	fmt.Println("Gemini authentication successful")
 
-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  &ts,

sdk/auth/interfaces.go

@@ -5,8 +5,8 @@ import (
 	"errors"
 	"time"
 
-	baseauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
 
 var ErrRefreshNotSupported = errors.New("cliproxy auth: refresh not supported")
@@ -20,22 +20,9 @@ type LoginOptions struct {
 	Prompt    func(prompt string) (string, error)
 }
 
-// TokenRecord represents credential material produced by an authenticator.
-type TokenRecord struct {
-	Provider string
-	FileName string
-	Storage  baseauth.TokenStorage
-	Metadata map[string]string
-}
-
-// TokenStore persists token records.
-type TokenStore interface {
-	Save(ctx context.Context, cfg *config.Config, record *TokenRecord) (string, error)
-}
-
 // Authenticator manages login and optional refresh flows for a provider.
 type Authenticator interface {
 	Provider() string
-	Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error)
+	Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error)
 	RefreshLead() *time.Duration
 }

sdk/auth/manager.go

@@ -5,17 +5,18 @@ import (
 	"fmt"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
 
 // Manager aggregates authenticators and coordinates persistence via a token store.
 type Manager struct {
 	authenticators map[string]Authenticator
-	store          TokenStore
+	store          coreauth.Store
 }
 
 // NewManager constructs a manager with the provided token store and authenticators.
 // If store is nil, the caller must set it later using SetStore.
-func NewManager(store TokenStore, authenticators ...Authenticator) *Manager {
+func NewManager(store coreauth.Store, authenticators ...Authenticator) *Manager {
 	mgr := &Manager{
 		authenticators: make(map[string]Authenticator),
 		store:          store,
@@ -38,12 +39,12 @@ func (m *Manager) Register(a Authenticator) {
 }
 
 // SetStore updates the token store used for persistence.
-func (m *Manager) SetStore(store TokenStore) {
+func (m *Manager) SetStore(store coreauth.Store) {
 	m.store = store
 }
 
-// Login executes the provider login flow and persists the resulting token record.
-func (m *Manager) Login(ctx context.Context, provider string, cfg *config.Config, opts *LoginOptions) (*TokenRecord, string, error) {
+// Login executes the provider login flow and persists the resulting auth record.
+func (m *Manager) Login(ctx context.Context, provider string, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, string, error) {
 	auth, ok := m.authenticators[provider]
 	if !ok {
 		return nil, "", fmt.Errorf("cliproxy auth: authenticator %s not registered", provider)
@@ -61,7 +62,13 @@ func (m *Manager) Login(ctx context.Context, provider string, cfg *config.Config
 		return record, "", nil
 	}
 
-	savedPath, err := m.store.Save(ctx, cfg, record)
+	if cfg != nil {
+		if dirSetter, ok := m.store.(interface{ SetBaseDir(string) }); ok {
+			dirSetter.SetBaseDir(cfg.AuthDir)
+		}
+	}
+
+	savedPath, err := m.store.Save(ctx, record)
 	if err != nil {
 		return record, "", err
 	}

sdk/auth/qwen.go

@@ -10,6 +10,7 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/browser"
 	// legacy client removed
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -30,7 +31,7 @@ func (a *QwenAuthenticator) RefreshLead() *time.Duration {
 	return &d
 }
 
-func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*TokenRecord, error) {
+func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("cliproxy auth: configuration is required")
 	}
@@ -97,13 +98,14 @@ func (a *QwenAuthenticator) Login(ctx context.Context, cfg *config.Config, opts
 	// no legacy client construction
 
 	fileName := fmt.Sprintf("qwen-%s.json", tokenStorage.Email)
-	metadata := map[string]string{
+	metadata := map[string]any{
 		"email": tokenStorage.Email,
 	}
 
 	fmt.Println("Qwen authentication successful")
 
-	return &TokenRecord{
+	return &coreauth.Auth{
+		ID:       fileName,
 		Provider: a.Provider(),
 		FileName: fileName,
 		Storage:  tokenStorage,

sdk/auth/store_registry.go

@@ -1,31 +1,35 @@
 package auth
 
-import "sync"
+import (
+	"sync"
+
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
 
 var (
-	storeMu              sync.RWMutex
-	registeredTokenStore TokenStore
+	storeMu         sync.RWMutex
+	registeredStore coreauth.Store
 )
 
 // RegisterTokenStore sets the global token store used by the authentication helpers.
-func RegisterTokenStore(store TokenStore) {
+func RegisterTokenStore(store coreauth.Store) {
 	storeMu.Lock()
-	registeredTokenStore = store
+	registeredStore = store
 	storeMu.Unlock()
 }
 
 // GetTokenStore returns the globally registered token store.
-func GetTokenStore() TokenStore {
+func GetTokenStore() coreauth.Store {
 	storeMu.RLock()
-	s := registeredTokenStore
+	s := registeredStore
 	storeMu.RUnlock()
 	if s != nil {
 		return s
 	}
 	storeMu.Lock()
 	defer storeMu.Unlock()
-	if registeredTokenStore == nil {
-		registeredTokenStore = NewFileTokenStore()
+	if registeredStore == nil {
+		registeredStore = NewFileTokenStore()
 	}
-	return registeredTokenStore
+	return registeredStore
 }

sdk/cliproxy/auth/manager.go

@@ -818,7 +818,8 @@ func (m *Manager) persist(ctx context.Context, auth *Auth) error {
 	if auth.Metadata == nil {
 		return nil
 	}
-	return m.store.SaveAuth(ctx, auth)
+	_, err := m.store.Save(ctx, auth)
+	return err
 }
 
 // StartAutoRefresh launches a background loop that evaluates auth freshness

sdk/cliproxy/auth/store.go

@@ -6,8 +6,8 @@ import "context"
 type Store interface {
 	// List returns all auth records stored in the backend.
 	List(ctx context.Context) ([]*Auth, error)
-	// SaveAuth persists the provided auth record, replacing any existing one with same ID.
-	SaveAuth(ctx context.Context, auth *Auth) error
+	// Save persists the provided auth record, replacing any existing one with same ID.
+	Save(ctx context.Context, auth *Auth) (string, error)
 	// Delete removes the auth record identified by id.
 	Delete(ctx context.Context, id string) error
 }

sdk/cliproxy/auth/types.go

@@ -6,6 +6,8 @@ import (
 	"strings"
 	"sync"
 	"time"
+
+	baseauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth"
 )
 
 // Auth encapsulates the runtime state and metadata associated with a single credential.
@@ -14,6 +16,10 @@ type Auth struct {
 	ID string `json:"id"`
 	// Provider is the upstream provider key (e.g. "gemini", "claude").
 	Provider string `json:"provider"`
+	// FileName stores the relative or absolute path of the backing auth file.
+	FileName string `json:"-"`
+	// Storage holds the token persistence implementation used during login flows.
+	Storage baseauth.TokenStorage `json:"-"`
 	// Label is an optional human readable label for logging.
 	Label string `json:"label,omitempty"`
 	// Status is the lifecycle status managed by the AuthManager.

sdk/cliproxy/builder.go

@@ -184,7 +184,8 @@ func (b *Builder) Build() (*Service, error) {
 	if accessManager == nil {
 		accessManager = sdkaccess.NewManager()
 	}
-	providers, err := sdkaccess.BuildProviders(b.cfg)
+
+	providers, err := sdkaccess.BuildProviders(&b.cfg.SDKConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -196,11 +197,7 @@ func (b *Builder) Build() (*Service, error) {
 		if dirSetter, ok := tokenStore.(interface{ SetBaseDir(string) }); ok && b.cfg != nil {
 			dirSetter.SetBaseDir(b.cfg.AuthDir)
 		}
-		store, ok := tokenStore.(coreauth.Store)
-		if !ok {
-			return nil, fmt.Errorf("cliproxy: token store does not implement coreauth.Store")
-		}
-		coreManager = coreauth.NewManager(store, nil, nil)
+		coreManager = coreauth.NewManager(tokenStore, nil, nil)
 	}
 	// Attach a default RoundTripper provider so providers can opt-in per-auth transports.
 	coreManager.SetRoundTripperProvider(newDefaultRoundTripperProvider())

sdk/cliproxy/service.go

@@ -20,7 +20,6 @@ import (
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher"
 	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
-	_ "github.com/router-for-me/CLIProxyAPI/v6/sdk/access/providers/configapikey"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/usage"
@@ -106,29 +105,6 @@ func newDefaultAuthManager() *sdkAuth.Manager {
 	)
 }
 
-func (s *Service) refreshAccessProviders(cfg *config.Config) {
-	if s == nil || s.accessManager == nil || cfg == nil {
-		return
-	}
-	s.cfgMu.RLock()
-	oldCfg := s.cfg
-	s.cfgMu.RUnlock()
-
-	existing := s.accessManager.Providers()
-	providers, added, updated, removed, err := sdkaccess.ReconcileProviders(oldCfg, cfg, existing)
-	if err != nil {
-		log.Errorf("failed to reconcile request auth providers: %v", err)
-		return
-	}
-	s.accessManager.SetProviders(providers)
-	if len(added)+len(updated)+len(removed) > 0 {
-		log.Debugf("auth providers reconciled (added=%d updated=%d removed=%d)", len(added), len(updated), len(removed))
-		log.Debugf("auth provider changes details - added=%v updated=%v removed=%v", added, updated, removed)
-	} else {
-		log.Debug("auth providers unchanged after config reload")
-	}
-}
-
 func (s *Service) ensureAuthUpdateQueue(ctx context.Context) {
 	if s == nil {
 		return
@@ -320,7 +296,6 @@ func (s *Service) Run(ctx context.Context) error {
 	// legacy clients removed; no caches to refresh
 
 	// handlers no longer depend on legacy clients; pass nil slice initially
-	s.refreshAccessProviders(s.cfg)
 	s.server = api.NewServer(s.cfg, s.coreManager, s.accessManager, s.configPath, s.serverOptions...)
 
 	if s.authManager == nil {
@@ -357,7 +332,6 @@ func (s *Service) Run(ctx context.Context) error {
 		if newCfg == nil {
 			return
 		}
-		s.refreshAccessProviders(newCfg)
 		if s.server != nil {
 			s.server.UpdateClients(newCfg)
 		}

sdk/config/config.go

@@ -0,0 +1,89 @@
+// Package config provides configuration management for the CLI Proxy API server.
+// It handles loading and parsing YAML configuration files, and provides structured
+// access to application settings including server port, authentication directory,
+// debug settings, proxy configuration, and API keys.
+package config
+
+// SDKConfig represents the application's configuration, loaded from a YAML file.
+type SDKConfig struct {
+	// ProxyURL is the URL of an optional proxy server to use for outbound requests.
+	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
+
+	// RequestLog enables or disables detailed request logging functionality.
+	RequestLog bool `yaml:"request-log" json:"request-log"`
+
+	// APIKeys is a list of keys for authenticating clients to this proxy server.
+	APIKeys []string `yaml:"api-keys" json:"api-keys"`
+
+	// Access holds request authentication provider configuration.
+	Access AccessConfig `yaml:"auth" json:"auth"`
+}
+
+// AccessConfig groups request authentication providers.
+type AccessConfig struct {
+	// Providers lists configured authentication providers.
+	Providers []AccessProvider `yaml:"providers" json:"providers"`
+}
+
+// AccessProvider describes a request authentication provider entry.
+type AccessProvider struct {
+	// Name is the instance identifier for the provider.
+	Name string `yaml:"name" json:"name"`
+
+	// Type selects the provider implementation registered via the SDK.
+	Type string `yaml:"type" json:"type"`
+
+	// SDK optionally names a third-party SDK module providing this provider.
+	SDK string `yaml:"sdk,omitempty" json:"sdk,omitempty"`
+
+	// APIKeys lists inline keys for providers that require them.
+	APIKeys []string `yaml:"api-keys,omitempty" json:"api-keys,omitempty"`
+
+	// Config passes provider-specific options to the implementation.
+	Config map[string]any `yaml:"config,omitempty" json:"config,omitempty"`
+}
+
+const (
+	// AccessProviderTypeConfigAPIKey is the built-in provider validating inline API keys.
+	AccessProviderTypeConfigAPIKey = "config-api-key"
+
+	// DefaultAccessProviderName is applied when no provider name is supplied.
+	DefaultAccessProviderName = "config-inline"
+)
+
+// SyncInlineAPIKeys updates the inline API key provider and top-level APIKeys field.
+func SyncInlineAPIKeys(cfg *SDKConfig, keys []string) {
+	if cfg == nil {
+		return
+	}
+	cloned := append([]string(nil), keys...)
+	cfg.APIKeys = cloned
+	if provider := cfg.ConfigAPIKeyProvider(); provider != nil {
+		if provider.Name == "" {
+			provider.Name = DefaultAccessProviderName
+		}
+		provider.APIKeys = cloned
+		return
+	}
+	cfg.Access.Providers = append(cfg.Access.Providers, AccessProvider{
+		Name:    DefaultAccessProviderName,
+		Type:    AccessProviderTypeConfigAPIKey,
+		APIKeys: cloned,
+	})
+}
+
+// ConfigAPIKeyProvider returns the first inline API key provider if present.
+func (c *SDKConfig) ConfigAPIKeyProvider() *AccessProvider {
+	if c == nil {
+		return nil
+	}
+	for i := range c.Access.Providers {
+		if c.Access.Providers[i].Type == AccessProviderTypeConfigAPIKey {
+			if c.Access.Providers[i].Name == "" {
+				c.Access.Providers[i].Name = DefaultAccessProviderName
+			}
+			return &c.Access.Providers[i]
+		}
+	}
+	return nil
+}