Feature: openai-api-key-helper config option to fetch API key dynamically per request
Problem
When using Aider through an API proxy that issues short-lived auth tokens (e.g. Azure AD OAuth tokens via az account get-access-token), the key expires ~1 hour into a session. Since Aider initializes the OpenAI client once at startup and holds the key for the lifetime of the process, the only recovery is to restart Aider with a fresh token — losing conversation context.
Static API keys (OpenAI, Anthropic direct) never expire so this doesn't affect most users, but it's a real problem for teams routing through an internal proxy with short-lived credentials.
Proposed solution
Claude Code already solves this with an apiKeyHelper field in its config that runs a shell command and uses stdout as the API key, re-evaluated on each request:
{
"apiKeyHelper": "az account get-access-token --query accessToken -o tsv"
}This works seamlessly — sessions of any length stay authenticated without restarts or manual intervention. Aider needs the same thing. An openai-api-key-helper in .aider.conf.yml following the same pattern:
openai-api-key-helper: az account get-access-token --query accessToken -o tsv
With a --openai-api-key-helper CLI flag and AIDER_OPENAI_API_KEY_HELPER env var equivalent.
Prior art
Claude Code ships apiKeyHelper today and it works exactly as needed — the command is re-evaluated on each API request so sessions of any length stay authenticated. This is a feature request to bring Aider to parity.
Alternatives considered
- Restart on 401 — loses conversation context, bad UX
- Local token relay proxy — works but adds per-developer install/maintenance burden across the team
- Long-lived proxy-issued keys — works but weakens the security model we're trying to maintain
Feature: openai-api-key-helper config option to fetch API key dynamically per request
Problem
When using Aider through an API proxy that issues short-lived auth tokens (e.g. Azure AD OAuth tokens via
az account get-access-token), the key expires ~1 hour into a session. Since Aider initializes the OpenAI client once at startup and holds the key for the lifetime of the process, the only recovery is to restart Aider with a fresh token — losing conversation context.Static API keys (OpenAI, Anthropic direct) never expire so this doesn't affect most users, but it's a real problem for teams routing through an internal proxy with short-lived credentials.
Proposed solution
Claude Code already solves this with an
apiKeyHelperfield in its config that runs a shell command and uses stdout as the API key, re-evaluated on each request:{ "apiKeyHelper": "az account get-access-token --query accessToken -o tsv" }This works seamlessly — sessions of any length stay authenticated without restarts or manual intervention. Aider needs the same thing. An
openai-api-key-helperin.aider.conf.ymlfollowing the same pattern:With a
--openai-api-key-helperCLI flag andAIDER_OPENAI_API_KEY_HELPERenv var equivalent.Prior art
Claude Code ships
apiKeyHelpertoday and it works exactly as needed — the command is re-evaluated on each API request so sessions of any length stay authenticated. This is a feature request to bring Aider to parity.Alternatives considered