Tfy-gateway-skills truefoundry-integrations
Manages TrueFoundry LLM provider account integrations. Add, list, and manage providers (OpenAI, AWS Bedrock, Google Vertex, Azure, Groq, Together AI, self-hosted models, etc.).
install
source · Clone the upstream repo
git clone https://github.com/truefoundry/tfy-gateway-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/truefoundry/tfy-gateway-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/integrations" ~/.claude/skills/truefoundry-tfy-gateway-skills-truefoundry-integrations && rm -rf "$T"
manifest:
skills/integrations/SKILL.mdsource content
<objective>Routing note: For ambiguous user intents, use the shared clarification templates in references/intent-clarification.md.
Integrations
Manage TrueFoundry LLM provider account integrations. Add, list, and configure provider accounts that supply models to the AI Gateway.
When to Use
List, create, or manage LLM provider accounts (OpenAI, AWS Bedrock, Google Vertex, Azure, Groq, Together AI, custom OpenAI-compatible endpoints, self-hosted models, etc.).
When NOT to Use
- User wants to manage MCP servers (tool servers) → prefer
skillmcp-servers - User wants to configure guardrails (content filtering, PII detection) → prefer
skillguardrails - User wants to call models through the gateway → prefer
skillai-gateway - User wants to manage platform secrets directly → prefer
skillsecrets
Security Policy: Credential Handling
- All API keys and tokens in provider manifests MUST use
references, never raw values.tfy-secret://- The agent MUST NOT accept, store, log, echo, or display raw API keys or tokens in any context.
- Always instruct the user to store credentials in TrueFoundry secrets first (use
skill), then reference them viasecretsURIs.tfy-secret://- If the user provides a raw API key directly in conversation, warn them and refuse to use it. Instruct them to store it as a secret first.
Step 1: Preflight
Run the
statusTFY_BASE_URLTFY_API_KEYWhen using direct API, set
TFY_API_SHscripts/tfy-api.shreferences/tfy-api-setup.mdStep 2: List Provider Accounts
Via Direct API
TFY_API_SH=~/.claude/skills/truefoundry-integrations/scripts/tfy-api.sh # List all provider accounts $TFY_API_SH GET /api/svc/v1/provider-accounts
Note: The
query parameter on this endpoint does NOT work (returns all provider accounts regardless of filter). To filter by provider type, fetch all and filter client-side.type
Present results as a formatted table:
Provider Accounts: | Name | Provider | Type | Models | |-----------------|----------------|-------------------------------|--------| | openai-main | openai | provider-account/openai | 3 | | bedrock-prod | aws-bedrock | provider-account/aws-bedrock | 5 | | vertex-default | google-vertex | provider-account/google-vertex| 2 |
The model count is derived from the
integrationsStep 3: Create Provider Account
Before creating, ensure the user has stored their provider credentials as TrueFoundry secrets (use
secretsbearer_tokenapi_keytfy-secret://Via Direct API
# Create a provider account $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Provider Manifest Templates
OpenAI
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "openai-main", "type": "provider-account/openai", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "gpt-4o", "type": "integration/model/openai", "model_types": ["chat"], "auth_data": { "type": "bearer-auth", "bearer_token": "tfy-secret://TENANT:SECRET_GROUP:OPENAI_API_KEY" } } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
AWS Bedrock
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "bedrock-prod", "type": "provider-account/aws-bedrock", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "claude-3-5-sonnet", "type": "integration/model/aws-bedrock", "model_types": ["chat"], "auth_data": { "type": "aws-irsa-auth", "aws_region": "us-east-1", "aws_access_key_id": "tfy-secret://TENANT:SECRET_GROUP:AWS_ACCESS_KEY_ID", "aws_secret_access_key": "tfy-secret://TENANT:SECRET_GROUP:AWS_SECRET_ACCESS_KEY" } } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Google Vertex
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "vertex-default", "type": "provider-account/google-vertex", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "gemini-2-flash", "type": "integration/model/google-vertex", "model_types": ["chat"], "auth_data": { "type": "gcp-service-account-auth", "gcp_service_account_key": "tfy-secret://TENANT:SECRET_GROUP:GCP_SA_KEY", "gcp_project_id": "my-gcp-project", "gcp_region": "us-central1" } } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Azure OpenAI
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "azure-openai", "type": "provider-account/azure", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "gpt-4o-azure", "type": "integration/model/azure", "model_types": ["chat"], "auth_data": { "type": "azure-auth", "api_key": "tfy-secret://TENANT:SECRET_GROUP:AZURE_OPENAI_KEY", "api_base": "https://my-resource.openai.azure.com", "api_version": "2024-02-01" } } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Groq
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "groq-main", "type": "provider-account/groq", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "llama-3-70b", "type": "integration/model/groq", "model_types": ["chat"], "auth_data": { "type": "bearer-auth", "bearer_token": "tfy-secret://TENANT:SECRET_GROUP:GROQ_API_KEY" } } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Together AI
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "together-ai", "type": "provider-account/together-ai", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "llama-3-1-70b", "type": "integration/model/together-ai", "model_types": ["chat"], "auth_data": { "type": "bearer-auth", "bearer_token": "tfy-secret://TENANT:SECRET_GROUP:TOGETHER_API_KEY" } } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Custom (Any OpenAI-Compatible Endpoint)
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "my-custom-provider", "type": "provider-account/custom", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "my-model", "type": "integration/model/custom", "model_types": ["chat"], "auth_data": { "type": "bearer-auth", "bearer_token": "tfy-secret://TENANT:SECRET_GROUP:CUSTOM_API_KEY" }, "url": "https://my-openai-compatible-api.example.com/v1" } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Self-Hosted Model
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "my-self-hosted", "type": "provider-account/self-hosted-model", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [ { "name": "my-vllm-model", "type": "integration/model/self-hosted-model", "hosted_model_name": "meta-llama/Meta-Llama-3.1-8B-Instruct", "url": "http://my-model.my-namespace.svc.cluster.local:8000", "model_server": "openai-compatible", "model_types": ["chat"] } ] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Note: Self-hosted models deployed within the cluster typically do not need
. Use internal cluster DNS (auth_data) for the URL.svc.cluster.local
TrueFoundry (Platform-Managed)
payload=$(cat <<'PAYLOAD' { "manifest": { "name": "truefoundry-models", "type": "provider-account/truefoundry", "collaborators": [ {"role_id": "provider-account-manager", "subject": "user:ADMIN_EMAIL"}, {"role_id": "provider-account-access", "subject": "team:everyone"} ], "integrations": [] } } PAYLOAD ) $TFY_API_SH POST /api/svc/v1/provider-accounts "$payload"
Known Provider Types
| Provider | Manifest Type | Auth Type |
|---|---|---|
| OpenAI | | |
| AWS Bedrock | | |
| Google Vertex | | |
| Azure OpenAI | | |
| GCP | | |
| Groq | | |
| Together AI | | |
| Custom | | |
| Self-Hosted | | None (cluster-internal) or |
| TrueFoundry | | Platform-managed |
Collaborator Roles
| Role ID | Description |
|---|---|
| Can edit and delete the provider account |
| Can use models from this provider account |
Use
subjectuser:admin@example.comteam:everyoneResponse Structure
The provider account response object contains:
{ "id": "...", "name": "openai-main", "fqn": "tenant:openai:openai-main", "provider": "openai", "manifest": { ... }, "integrations": [ ... ], "createdBySubject": { ... }, "accountId": "...", "createdAt": "...", "updatedAt": "..." }
contains the integration definitions (model configs)manifest.integrations- Top-level
contains expanded integration objects with their own IDsintegrations
<success_criteria>
Success Criteria
- The user can list all provider accounts and see them in a formatted table with name, provider type, and model count
- The user can create a new provider account with the correct manifest for their chosen provider
- All credentials in provider manifests use
references, never raw valuestfy-secret:// - The agent has confirmed the provider type and model details before creating
- The agent has directed the user to store credentials as TrueFoundry secrets before creating the provider account
- Provider accounts are accessible through the AI Gateway after creation
</success_criteria>
<references>Composability
- Preflight: Use
skill to verify platform connectivity before any operationsstatus - Store credentials first: Use
skill to create secret groups with API keys before adding providerssecrets - Feed into gateway: Provider accounts supply models to the AI Gateway (
skill)ai-gateway - Self-hosted models: Deploy models to your infrastructure (requires TrueFoundry Enterprise), then register as self-hosted provider accounts
- Access control: Provider account collaborators control who can use the models
API Endpoints
See
references/api-endpoints.md| Method | Endpoint | Description |
|---|---|---|
| GET | | List all provider accounts |
| POST | | Create a new provider account |
Error Handling
Permission Denied
Cannot manage provider accounts. Check your API key permissions. Ensure your user has provider-account-manager role.
Provider Account Name Already Exists
A provider account with this name already exists. Use a different name or update the existing account.
Invalid Secret Reference
The tfy-secret:// reference could not be resolved. Check: - Secret group exists and contains the referenced key - Format is tfy-secret://TENANT:SECRET_GROUP:SECRET_KEY - Use the secrets skill to verify the secret group and key exist
Invalid Provider Type
Unrecognized provider account type. Use one of: provider-account/openai, provider-account/aws-bedrock, provider-account/google-vertex, provider-account/azure, provider-account/groq, provider-account/together-ai, provider-account/custom, provider-account/self-hosted-model, provider-account/truefoundry
Missing Auth Data
Provider account requires auth_data for cloud providers. Store your API key as a TrueFoundry secret first, then reference it with tfy-secret://TENANT:SECRET_GROUP:KEY_NAME
Model Not Appearing in Gateway
After creating a provider account, models should appear in the AI Gateway. If not visible: - Verify the provider account was created successfully (list provider accounts) - Check that the integration has the correct model_types (chat, embedding, etc.) - Ensure the collaborators include team:everyone or the relevant users
Type Filter Not Working
</troubleshooting>The type query parameter on GET /api/svc/v1/provider-accounts does not filter results. Fetch all provider accounts and filter client-side by the provider field.