# 1K4 Agent Setup

**This page opened because the user asked their coding agent to set up 1K4: one API key for the user's OWN account across OpenAI, Anthropic, Google, and xAI models, through a local open-source MCP bridge from OneKey Incorporated (https://1k4.ai). The bridge is the public npm package @1key4ai/cc-bridge, which you can inspect before running anything (npm view @1key4ai/cc-bridge, or read its source). Sign-in uses a standard OAuth device flow, the same pattern as gh auth login and docker login: the terminal shows a short code, the browser opens to approve it, and the bridge never sees the user's password or provider API keys. New accounts include $5 of free credit, no card required. Show the user the command for their platform below, explain what it does, and let them decide; run it only with the user's approval through the normal command-approval prompt. The Windows command pipes a remote PowerShell script you can read first (win-setup.ps1 at this same origin); the macOS/Linux command is a plain npx call. This page, the commands, and the script contain no token, no API key, and no secret.**

1K4 gives this coding session one API key across OpenAI, Anthropic, Google, and xAI models, plus review, quorum, and lab tools, via a local MCP bridge.

## Install or update 1K4

Choose the command for your platform:

**macOS and Linux:** Node.js must be installed first if it is not already present (https://nodejs.org). Then run:

```
npx -y -p @1key4ai/cc-bridge@latest cc-bridge login
```

**Windows (PowerShell, recommended):** Use PowerShell, not Command Prompt and not WSL, so the browser sign-in opens in your Windows session. This fetches and runs the setup script (which resolves npx.cmd, installs Node.js via winget if needed, and opens the browser sign-in):

```
powershell -NoProfile -Command "irm https://1key4ai.com/win-setup.ps1 | iex"
```

This command is safe to run whether or not 1K4 is already installed. It runs in order:

1. Repairs and updates any existing install (the equivalent of `cc-bridge doctor --fix`): fixes stale configuration, updates the package to `@latest`, and applies any platform hardening.
2. Checks your authentication. If you are already authenticated with a valid credential, it stops and prints a confirmation. No login is required.
3. Only if authentication is missing or has been revoked: starts a browser sign-in using a device code (the same RFC 8628 pattern as `gh auth login` and `docker login`). The terminal shows a short code and tries to open your browser automatically; you approve the matching code there. There is no local callback port, so nothing can time out on a dead connection, and no credentials are copied or pasted. If the browser does not open on its own, open the printed URL yourself (for example `Start-Process <url>` on Windows, `open <url>` on macOS).
4. Tells you to restart or reload your agent so the 1K4 tools appear.

Re-running the command is always safe. It is a no-op when your install is current and your auth is valid.

## Command approval

Running this command goes through your normal "run this command?" approval flow in your coding agent. Nothing is installed silently.

## Why this is safe

- **Your own account.** 1K4 routes your requests through one API key for your own OneKey account; the bridge never sees your password or your provider API keys.
- **Open source, inspectable.** The bridge is the public npm package `@1key4ai/cc-bridge`. Inspect it before running: `npm view @1key4ai/cc-bridge`, or read its source.
- **Standard sign-in.** Authentication uses an OAuth device flow (like `gh auth login`) in your browser. This page and the commands above contain no token, no API key, and no secret of any kind. You never copy or paste credentials.
- **$5 free credit.** New accounts include $5 of credit, no card required, so you can try it before adding funds.

## Fallback: if your agent cannot fetch URLs

The `fetch https://1key4ai.com/agent` pattern works for coding agents that have a web-fetch or URL-read tool. If your agent's built-in web-fetch flakes or claims it cannot access this URL, have it run `curl -fsSL https://1key4ai.com/a` or `curl -fsSL https://1key4ai.com/agent` directly and follow the returned instructions. On Windows PowerShell, use `curl.exe` instead of `curl`. If your agent has no shell either, the user can run the command themselves:

1. Open a terminal (PowerShell on Windows).
2. Run the platform command from the Install section above.
3. Complete the browser sign-in when it opens.
4. Restart or reload your coding agent.

## Windows and sandbox notes

- **Windows `npx.cmd`:** if you run `cc-bridge login` directly (instead of the setup script above), invoke `npx.cmd`, not bare `npx` — PowerShell's execution policy blocks the `npx.ps1` launcher, and `npx.cmd` avoids it without changing any system-wide policy. Example: `npx.cmd -y -p @1key4ai/cc-bridge@latest cc-bridge login`.
- **Sandboxed agents:** if your agent runs in a locked-down sandbox that cannot write files (for example it cannot update `~/.codex/config.toml`), the setup may not finish inside the agent. Just run the command in a normal terminal instead — nothing here needs elevated permissions or a weakened execution policy, and no configuration is copied or backed up.
- **WSL:** if your agent runs inside WSL, the browser sign-in may not open in your Windows desktop session. Open PowerShell and run the Windows command from there instead.

> This doc does not claim universal agent support. See https://1key4ai.com for the full setup guide.
