Add custom base URL support for Anthropic provider (#12718)

## Summary

Addresses #8007

Adds custom base URL support for Anthropic.

- Adds a Base URL input field to the Configure Language Model Providers
modal
- Supports both the native Anthropic SDK provider and the Vercel AI SDK
provider
- Supports `ANTHROPIC_BASE_URL` environment variable for automatic
configuration
- Handles URL normalization for both SDK flavors (native SDK omits
`/v1`, Vercel SDK requires it)
- Relaxes API key format validation when a custom base URL is set
- Treats 404 from `/v1/models` as a successful connection for custom
endpoints that don't expose model listing
- Updates the auth extension's Anthropic key validator to use the
configured base URL
- Migrates Anthropic env variable authentication from Assistant to the
Authentication extension.

 @:assistant

Author: melissa-barca

extensions/authentication/package.json

@@ -65,6 +65,11 @@
 					"default": null,
 					"markdownDescription": "%configuration.aws.inferenceProfileRegion.description%"
 				},
+				"authentication.anthropic.baseUrl": {
+					"type": "string",
+					"default": "",
+					"description": "%configuration.anthropic.baseUrl.description%"
+				},
 				"authentication.foundry.baseUrl": {
 					"type": "string",
 					"default": "",

extensions/authentication/package.nls.json

@@ -1,5 +1,6 @@
 {
 	"configuration.aws.credentials.description": "Variables used to configure AWS credentials.\n\nExample: to set the AWS region and profile, add items with keys `AWS_REGION` and `AWS_PROFILE`.",
 	"configuration.aws.inferenceProfileRegion.description": "Override the inference profile region for AWS services.\n\nBy default, the inference profile region is derived from `AWS_REGION` (e.g., 'us-east-1' -> 'us'). Use this setting to explicitly specify a different region.\n\nExamples: 'global', 'us', 'eu', 'apac'.",
+	"configuration.anthropic.baseUrl.description": "Custom Anthropic API base URL. Overrides the default https://api.anthropic.com endpoint. Also set automatically from the ANTHROPIC_BASE_URL environment variable.",
 	"configuration.foundry.baseUrl.description": "Microsoft Foundry endpoint URL."
 }

extensions/authentication/src/authProvider.ts

@@ -31,6 +31,12 @@ export interface WorkbenchCredentialConfig {
 export interface CredentialChainConfig {
 	readonly resolve: () => Promise<string>;
 	readonly refreshIntervalMs?: number;
+	/**
+	 * When true, prevents the user from signing out while the chain
+	 * can still resolve. Use for static env var credentials that will
+	 * just reappear immediately after removal.
+	 */
+	readonly preventSignOut?: boolean;
 }
 
 /**
@@ -60,6 +66,11 @@ export class AuthProvider
 		private readonly credentialChain?: CredentialChainConfig,
 	) { }
 
+	/** Whether this provider blocks sign-out for chain sessions. */
+	get chainPreventsSignOut(): boolean {
+		return !!this.credentialChain?.preventSignOut;
+	}
+
 	/** Expose session-change events to subclasses. */
 	protected fireSessionsChanged(
 		event: vscode.AuthenticationProviderAuthenticationSessionsChangeEvent
@@ -199,6 +210,33 @@ export class AuthProvider
 
 	async removeSession(sessionId: string): Promise<void> {
 		if (this._chainSession?.id === sessionId) {
+			// If the chain can still resolve, re-resolve immediately
+			// instead of leaving an inconsistent state where the
+			// session is gone but registered models still work.
+			if (this.credentialChain?.preventSignOut) {
+				try {
+					const token = await this.credentialChain.resolve();
+					if (token) {
+						log.info(
+							`[${this.displayName}] Chain session ` +
+							`removal blocked -- credentials still ` +
+							`available from environment`
+						);
+						vscode.window.showInformationMessage(
+							vscode.l10n.t(
+								'{0} credentials are configured via ' +
+								'environment variable and cannot be ' +
+								'signed out.',
+								this.displayName
+							)
+						);
+						return;
+					}
+				} catch {
+					// Chain can no longer resolve; allow removal.
+				}
+			}
+
 			this.stopRefreshTimer();
 			const removed = this._chainSession;
 			this._chainSession = undefined;

extensions/authentication/src/configDialog.ts

@@ -257,8 +257,23 @@ async function handleDelete(
 		return;
 	}
 	const sessions = await provider.getSessions();
-	log.info(`Deleting ${sessions.length} session(s) for provider "${config.provider}"`);
-	for (const session of sessions) {
+	// Credential-chain sessions (e.g. env var credentials) use the
+	// provider ID as their session ID. These cannot be removed via the
+	// UI -- the user must unset the environment variable and restart.
+	const deletable = provider.chainPreventsSignOut
+		? sessions.filter(s => s.id !== config.provider)
+		: sessions;
+	if (deletable.length === 0 && sessions.length > 0) {
+		throw new Error(
+			vscode.l10n.t(
+				'This credential was configured via an environment variable ' +
+				'and cannot be removed from the UI. Unset the environment ' +
+				'variable and restart Positron.'
+			)
+		);
+	}
+	log.info(`Deleting ${deletable.length} session(s) for provider "${config.provider}"`);
+	for (const session of deletable) {
 		await provider.removeSession(session.id);
 	}
 }

extensions/authentication/src/constants.ts

@@ -8,7 +8,6 @@ import * as vscode from 'vscode';
 export const IS_RUNNING_ON_PWB =
 	!!process.env.RS_SERVER_URL && vscode.env.uiKind === vscode.UIKind.Web;
 
-export const ANTHROPIC_MODELS_ENDPOINT = 'https://api.anthropic.com/v1/models';
 export const ANTHROPIC_API_VERSION = '2023-06-01';
 export const KEY_VALIDATION_TIMEOUT_MS = 5000;
 export const CREDENTIAL_REFRESH_INTERVAL_MS = 10 * 60 * 1000;

extensions/authentication/src/extension.ts

@@ -19,7 +19,7 @@ import { registerMigrateApiKeyCommand } from './migration/apiKey';
 export async function activate(context: vscode.ExtensionContext) {
 	context.subscriptions.push(log);
 
-	registerAnthropicProvider(context);
+	await registerAnthropicProvider(context);
 	registerPositAIProvider(context);
 	registerFoundryProvider(context);
 
@@ -45,9 +45,46 @@ export async function activate(context: vscode.ExtensionContext) {
 	registerMigrateApiKeyCommand(context);
 }
 
-function registerAnthropicProvider(context: vscode.ExtensionContext): void {
+async function registerAnthropicProvider(
+	context: vscode.ExtensionContext
+): Promise<void> {
+	// Sync ANTHROPIC_BASE_URL env var to the config setting before
+	// chain resolution so validation uses the correct endpoint.
+	const envBaseUrl = process.env.ANTHROPIC_BASE_URL;
+	if (envBaseUrl) {
+		await vscode.workspace
+			.getConfiguration('authentication.anthropic')
+			.update(
+				'baseUrl', envBaseUrl,
+				vscode.ConfigurationTarget.Global
+			).then(undefined, err =>
+				log.error(`Failed to sync Anthropic base URL: ${err}`)
+			);
+	}
+
 	const provider = new AuthProvider(
-		ANTHROPIC_AUTH_PROVIDER_ID, 'Anthropic', context
+		ANTHROPIC_AUTH_PROVIDER_ID, 'Anthropic', context,
+		undefined,
+		{
+			resolve: async () => {
+				const apiKey = process.env.ANTHROPIC_API_KEY;
+				if (!apiKey) {
+					throw new Error('ANTHROPIC_API_KEY not set');
+				}
+				const baseUrl = vscode.workspace
+					.getConfiguration('authentication.anthropic')
+					.get<string>('baseUrl') || undefined;
+				await validateAnthropicApiKey(apiKey, {
+					provider: ANTHROPIC_AUTH_PROVIDER_ID,
+					name: 'Anthropic',
+					model: '',
+					type: positron.PositronLanguageModelType.Chat,
+					...(baseUrl && { baseUrl }),
+				});
+				return apiKey;
+			},
+			preventSignOut: true,
+		}
 	);
 	context.subscriptions.push(
 		vscode.authentication.registerAuthenticationProvider(
@@ -58,7 +95,24 @@ function registerAnthropicProvider(context: vscode.ExtensionContext): void {
 	);
 	registerAuthProvider(ANTHROPIC_AUTH_PROVIDER_ID, provider, {
 		validateApiKey: validateAnthropicApiKey,
+		onSave: async (config) => {
+			if (config.baseUrl) {
+				await vscode.workspace
+					.getConfiguration('authentication.anthropic')
+					.update(
+						'baseUrl', config.baseUrl,
+						vscode.ConfigurationTarget.Global
+					);
+			}
+		},
 	});
+
+	// Eagerly resolve env var credentials so the session is
+	// available before positron-assistant registers models.
+	await provider.resolveChainCredentials().catch(err =>
+		log.debug(`[Anthropic] Initial credential resolution: ${err}`)
+	);
+
 	log.info(`Registered auth provider: ${ANTHROPIC_AUTH_PROVIDER_ID}`);
 }
 

extensions/authentication/src/test/authProvider.test.ts

@@ -191,7 +191,7 @@ suite('AuthProvider (credential chain)', () => {
 		assert.strictEqual(event.added!.length, 1);
 	});
 
-	test('removeSession clears chain session and fires removed event', async () => {
+	test('removeSession clears chain session by default', async () => {
 		await chainProvider.resolveChainCredentials();
 
 		const eventPromise = new Promise<vscode.AuthenticationProviderAuthenticationSessionsChangeEvent>(
@@ -206,6 +206,49 @@ suite('AuthProvider (credential chain)', () => {
 		await chainProvider.removeSession('test-chain');
 		const event = await eventPromise;
 
+		assert.strictEqual(event.removed!.length, 1);
+		const sessions = await chainProvider.getSessions();
+		assert.strictEqual(sessions.length, 0);
+	});
+
+	test('removeSession is blocked when preventSignOut is set and chain resolves', async () => {
+		const protectedProvider = new AuthProvider(
+			'test-protected', 'Test Protected', createMockContext(),
+			undefined,
+			{
+				resolve: async () => resolveResult,
+				preventSignOut: true,
+			}
+		);
+		await protectedProvider.resolveChainCredentials();
+
+		await protectedProvider.removeSession('test-protected');
+
+		// Session should still exist because preventSignOut is set
+		const sessions = await protectedProvider.getSessions();
+		assert.strictEqual(sessions.length, 1);
+		assert.strictEqual(sessions[0].id, 'test-protected');
+		protectedProvider.dispose();
+	});
+
+	test('removeSession clears chain session when chain fails', async () => {
+		await chainProvider.resolveChainCredentials();
+
+		// Make the chain fail so removal is allowed
+		resolveShouldFail = true;
+
+		const eventPromise = new Promise<vscode.AuthenticationProviderAuthenticationSessionsChangeEvent>(
+			resolve => {
+				const disposable = chainProvider.onDidChangeSessions(e => {
+					disposable.dispose();
+					resolve(e);
+				});
+			}
+		);
+
+		await chainProvider.removeSession('test-chain');
+		const event = await eventPromise;
+
 		assert.strictEqual(event.removed!.length, 1);
 		assert.strictEqual(event.removed![0].id, 'test-chain');
 

extensions/authentication/src/test/configDialog.test.ts

@@ -43,7 +43,7 @@ suite('configDialog', () => {
 		} as unknown as vscode.ExtensionContext;
 		provider = new AuthProvider('anthropic-api', 'Anthropic', mockContext);
 		registerAuthProvider('anthropic-api', provider, {
-			validateApiKey: async (apiKey) => validateAnthropicApiKey(apiKey),
+			validateApiKey: async (apiKey, config) => validateAnthropicApiKey(apiKey, config),
 		});
 	});
 
@@ -125,6 +125,53 @@ suite('configDialog', () => {
 		assert.strictEqual(stored, false);
 	});
 
+	test('delete rejects when only chain session exists', async () => {
+		const chainProvider = new AuthProvider(
+			'anthropic-api', 'Anthropic',
+			{
+				secrets: {
+					get: () => Promise.resolve(undefined),
+					store: () => Promise.resolve(),
+					delete: () => Promise.resolve(),
+				},
+				globalState: {
+					get: () => undefined,
+					update: () => Promise.resolve(),
+				},
+			} as unknown as vscode.ExtensionContext,
+			undefined,
+			{
+				resolve: async () => 'sk-ant-test-key',
+				preventSignOut: true,
+			}
+		);
+		authProviders.clear();
+		registerAuthProvider('anthropic-api', chainProvider);
+		await chainProvider.resolveChainCredentials();
+
+		const source = {
+			type: positron.PositronLanguageModelType.Chat,
+			provider: { id: 'anthropic-api', displayName: 'Anthropic', settingName: 'anthropic-api' },
+			signedIn: true,
+			defaults: { name: 'Anthropic', model: 'claude-sonnet-4-0' },
+			supportedOptions: [],
+		} as unknown as positron.ai.LanguageModelSource;
+
+		positron.ai.showLanguageModelConfig = async (_sources, onAction) => {
+			await onAction({ provider: 'anthropic-api', type: positron.PositronLanguageModelType.Chat, name: 'Anthropic', model: 'claude-sonnet-4-0' }, 'delete');
+		};
+
+		await assert.rejects(
+			showConfigurationDialog([source]),
+			(error: Error) => error.message.includes('environment variable')
+		);
+
+		// Chain session should still exist
+		const sessions = await chainProvider.getSessions();
+		assert.strictEqual(sessions.length, 1);
+		chainProvider.dispose();
+	});
+
 	test('save without apiKey calls createSession for chain provider', async () => {
 		const chainProvider = new AuthProvider(
 			'test-chain', 'Test Chain',

extensions/authentication/src/validation/anthropic.ts

@@ -4,7 +4,8 @@
  *--------------------------------------------------------------------------------------------*/
 
 import * as vscode from 'vscode';
-import { ANTHROPIC_API_VERSION, ANTHROPIC_MODELS_ENDPOINT, KEY_VALIDATION_TIMEOUT_MS } from '../constants';
+import * as positron from 'positron';
+import { ANTHROPIC_API_VERSION, KEY_VALIDATION_TIMEOUT_MS } from '../constants';
 
 class ApiKeyValidationError extends Error {
 	constructor(message: string) {
@@ -13,11 +14,16 @@ class ApiKeyValidationError extends Error {
 	}
 }
 
-export async function validateAnthropicApiKey(apiKey: string): Promise<void> {
+export async function validateAnthropicApiKey(apiKey: string, config: positron.ai.LanguageModelConfig): Promise<void> {
+	const rawBaseUrl = (config.baseUrl ?? 'https://api.anthropic.com')
+		.replace(/\/v1\/?$/, '')
+		.replace(/\/+$/, '');
+	const modelsEndpoint = `${rawBaseUrl}/v1/models`;
+
 	const controller = new AbortController();
 	const timeout = setTimeout(() => controller.abort(), KEY_VALIDATION_TIMEOUT_MS);
 	try {
-		const response = await fetch(ANTHROPIC_MODELS_ENDPOINT, {
+		const response = await fetch(modelsEndpoint, {
 			method: 'GET',
 			headers: {
 				'x-api-key': apiKey,

extensions/positron-assistant/src/config.ts

@@ -128,13 +128,38 @@ export async function showConfigurationDialog(
 					// Resolve environment variables
 					if (source.defaults.autoconfigure.type === positron.ai.LanguageModelAutoconfigureType.EnvVariable) {
 						const envVarName = source.defaults.autoconfigure.key;
-						const envVarValue = process.env[envVarName];
+						const providerId = source.provider.id;
+
+						// For providers migrated to the auth extension,
+						// check for a credential chain session.
+						let signedIn = false;
+						let baseUrlValue: string | undefined;
+						if (isAuthExtProvider(providerId)) {
+							try {
+								const session = await vscode.authentication.getSession(
+									providerId, [], { silent: true }
+								);
+								signedIn = !!session?.accessToken
+									&& session.id === providerId;
+							} catch {
+								signedIn = false;
+							}
+							const configKey = providerId.replace(/-.*$/, '');
+							baseUrlValue = vscode.workspace
+								.getConfiguration(`authentication.${configKey}`)
+								.get<string>('baseUrl') || undefined;
+						} else {
+							signedIn = !!process.env[envVarName];
+							const baseUrlEnvVar = `${envVarName.replace(/_API_KEY$/, '')}_BASE_URL`;
+							baseUrlValue = process.env[baseUrlEnvVar];
+						}
 
 						return {
 							...source,
 							defaults: {
 								...source.defaults,
-								autoconfigure: { type: positron.ai.LanguageModelAutoconfigureType.EnvVariable, key: envVarName, signedIn: !!envVarValue }
+								...(baseUrlValue && { baseUrl: baseUrlValue }),
+								autoconfigure: { type: positron.ai.LanguageModelAutoconfigureType.EnvVariable, key: envVarName, signedIn }
 							},
 						};
 					} else if (source.defaults.autoconfigure.type === positron.ai.LanguageModelAutoconfigureType.Custom) {