Providers
Updated
A provider is an upstream LLM service that NetBird routes requests to. Connecting one stores its API key server-side and exposes it through your keyless, tunnel-only agent network endpoint, so agents never hold a provider key.

Supported Providers
When you connect a provider, the picker groups the catalog into first-party AI Providers, multi-provider AI Gateways, and a Custom catch-all.
AI Providers
First-party vendor APIs:
- OpenAI
- Anthropic
- Azure OpenAI
- AWS Bedrock
- Google Vertex AI
- Mistral
AI Gateways
Routing and aggregation layers that sit in front of multiple providers. NetBird can also forward the calling agent's identity to these so the gateway can apply its own attribution and budgets (see How It Works):
- LiteLLM Proxy
- Portkey AI Gateway
- Bifrost
- Cloudflare AI Gateway
- Vercel AI Gateway
- OpenRouter
Custom
- Custom / Self-hosted — any OpenAI-compatible endpoint, including local models served by Ollama, vLLM, or a private GPU host.
Connect a Provider
- Go to Agent Network → Providers and click Connect Provider.
- Select the provider or gateway. NetBird pre-fills the upstream URL and the correct auth header for that vendor.
- Paste the provider's API key. It is stored encrypted server-side and never sent to callers.
- (Optional) Restrict the allowed models and set per-model pricing used for cost estimates in usage and logs.
- (Optional, gateways) Fill any gateway-specific fields (for example a Portkey config ID) and the identity headers used for attribution.
- Save the provider.

Custom & Self-hosted Providers
Pick Custom / Self-hosted for any OpenAI-compatible endpoint that isn't a first-party vendor or a named gateway — a private inference server, an on-prem deployment, or a local model runtime like Ollama or vLLM (vLLM also has its own named entry). NetBird talks to it the same way it talks to OpenAI: you provide the Upstream URL where requests are forwarded and, if the endpoint requires one, an API key sent as a bearer token.

Skip TLS Verification
Self-hosted endpoints often serve HTTPS with a self-signed or otherwise untrusted certificate, which makes the proxy reject the connection with an unknown-certificate error. Enable Skip TLS Verification on a custom provider to disable upstream TLS certificate validation so requests go through anyway.
This turns off certificate checks for that provider's upstream traffic, which removes protection against man-in-the-middle attacks. Use it only for quick testing. For anything beyond that, mount your CA / trusted certificates on your proxy instances instead of skipping verification.
The switch appears only for custom (self-hosted) providers and is off by default.
Models and Pricing
Each provider carries a list of models it serves. Leaving the list empty makes the provider a catch-all that accepts any model (typical for gateways); listing specific models restricts routing to them. Per-model input/output prices drive the cost figures shown in Usage & Logs; adjust them if your negotiated rates differ from the catalog defaults.
The Keyless Endpoint
All connected providers share a single account endpoint, generated when you connect your first provider and reachable only over the NetBird overlay.

Agents send normal provider requests to the endpoint without an API key; which identities may reach which providers is governed by Policies.

