Applies to:
- Plan -
- Deployment -
Summary
Issue: A project-level AI provider is configured, but requests through the legacy AI proxy continue using organization-level provider credentials. The proxy logs may show a warning likeFailed to load project secrets, continuing with org secrets only with a ZodError for unrecognized metadata keys such as auth_format or auth_type.
Cause: Some legacy proxy versions validate AI provider secret metadata with a strict schema. Newer provider metadata saved by the Braintrust UI can include fields that the old proxy does not recognize. When the proxy cannot parse the project-level provider secret, it skips or fails project-secret loading and falls back to organization-level secrets.
Resolution: Upgrade the data plane/proxy where possible. As a temporary workaround on legacy proxy deployments, patch the project AI provider env var to a minimal metadata object that the old proxy can parse.
When to use this workaround
Use this only when all of the following are true:- The deployment is using the legacy AI proxy on an older data plane.
- The problem is specifically that project-level provider credentials are not being used.
- Proxy logs show project secret loading/parsing failures, especially
unrecognized_keysin providermetadata.
How project-level provider loading fails
When a proxy request includes project context, Braintrust loads AI provider secrets for that project and filters them against the requested model. A project OpenAI provider remains eligible for default OpenAI models when:secret_typeisopenaimetadata.excludeDefaultModelsis nottrue- the provider secret parses successfully
Temporary workaround
Patch the project AI provider env var and remove metadata keys that the old proxy rejects. Keep only the fields needed for routing. First, find the project-level AI provider env var:<ENV_VAR_ID> and the api_base value with the endpoint you intend to use:
auth_type and auth_format while preserving the fields the old proxy needs to route default OpenAI-model requests to the project provider.
What each metadata field does
secret_type: "openai"marks the env var as an OpenAI AI provider secret.api_basepoints the provider at the intended OpenAI-compatible endpoint.excludeDefaultModels: falsekeeps the provider eligible for normal OpenAI model routing.supportsStreaming: truemarks the provider as streaming-capable.
Verify the fix
After patching the env var:- Retry the same Playground or proxy request.
- Confirm the proxy no longer logs
Failed to load project secrets, continuing with org secrets onlyfor that project. - Confirm the request uses the expected project-level provider credentials.
- If available, check the proxy or response headers for the used provider endpoint.