Skip to content

feat: add z-ai provider with secure JWT authentication#2069

Closed
kamail12 wants to merge 1 commit intostackblitz-labs:mainfrom
kamail12:z-ai-provider
Closed

feat: add z-ai provider with secure JWT authentication#2069
kamail12 wants to merge 1 commit intostackblitz-labs:mainfrom
kamail12:z-ai-provider

Conversation

@kamail12
Copy link

@kamail12 kamail12 commented Dec 4, 2025

What's Added

  • New Z-AI provider supporting GLM-4.6, GLM-4.5, GLM-4.5-flash models
  • Secure JWT authentication with token generation/validation
  • Dynamic model discovery from Z-AI API

@kamail12 kamail12 changed the title feat: Add Z.ai provider with secure JWT authentication (GLM Models) feat: add z-ai provider with secure JWT authentication Dec 4, 2025
@therry47
Copy link

therry47 commented Jan 27, 2026

@kamail12 maybe add the new model Glm 4.7 and Glm 4.7 flash ?

@Stijnus Stijnus self-assigned this Feb 5, 2026
@Stijnus
Copy link
Collaborator

Stijnus commented Feb 5, 2026

Code review

Found 5 issues that should be addressed before merging:

  1. Node.js crypto import incompatible with edge/browser environments

The use of import crypto from 'node:crypto' will fail in Cloudflare Workers and browser contexts. This code is imported in client-side components through the provider registry.

bolt.diy/app/lib/modules/llm/providers/z-ai.ts

Lines 5 to 6 in 25b7ce7

import { createOpenAI } from '@ai-sdk/openai';
import crypto from 'node:crypto';

Suggested fix: Use Web Crypto API instead:
```typescript
// Replace crypto import with Web Crypto API
const encoder = new TextEncoder();
const keyData = encoder.encode(secret);
const key = await crypto.subtle.importKey(
'raw',
keyData,
{ name: 'HMAC', hash: 'SHA-256' },
false,
['sign']
);
const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(payload));
const base64Signature = btoa(String.fromCharCode(...new Uint8Array(signature)));
```

  1. Missing .env.example configuration

All other providers document their API keys in .env.example. Users won't know what environment variables to configure.

Suggested fix: Add to .env.example:
```env

Z.AI (GLM models)

Get your API key from: https://open.bigmodel.cn/usercenter/apikeys

ZAI_API_KEY=your_zai_api_key_here
ZAI_BASE_URL=https://api.z.ai/api/coding/paas/v4
```

  1. Missing CloudProvidersTab UI integration

The provider backend is added but won't appear in the settings UI. TypeScript will error when the provider appears in settings.

bolt.diy/app/lib/modules/llm/providers/z-ai.ts

Lines 8 to 9 in 25b7ce7

export default class ZaiProvider extends BaseProvider {
name = 'Z.ai';

Suggested fix: Update app/components/@settings/tabs/providers/cloud/CloudProvidersTab.tsx:
```typescript
type ProviderName = 'Anthropic' | 'OpenAI' | ... | 'Zai';

const PROVIDER_ICONS = {
...
Zai: TbBrain,
};

const PROVIDER_DESCRIPTIONS = {
...
Zai: 'Access GLM-4.6 and other Z.AI models',
};
```

  1. Breaking configuration key change

Changed from ZAI_API_BASE_URL to ZAI_BASE_URL without backwards compatibility. Consider keeping the original key name or adding migration logic.

bolt.diy/app/lib/modules/llm/providers/z-ai.ts

Lines 13 to 14 in 25b7ce7

baseUrlKey: 'ZAI_BASE_URL',
apiTokenKey: 'ZAI_API_KEY',

  1. API endpoint verification needed

Uses /api/coding/paas/v4 endpoint - please verify this is the correct endpoint for general Z.AI usage vs the standard /api/paas/v4 endpoint.

bolt.diy/app/lib/modules/llm/providers/z-ai.ts

Line 15 in 25b7ce7

baseUrl: 'https://api.z.ai/api/coding/paas/v4', //Dedicated endpoint for Coding Plan

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

Stijnus added a commit to Stijnus/bolt.diy that referenced this pull request Feb 5, 2026
@Stijnus @claude
feat: add Z.AI provider with GLM models and JWT authentication
dbcd774 
Merged changes from PR stackblitz-labs#2069 to add Z.AI provider:
- Added GLM-4.6 (200K), GLM-4.5 (128K), and GLM-4.5 Flash models
- Implemented secure JWT token generation with HMAC-SHA256 signing
- Added dynamic model discovery from Z.AI API
- Included proper error handling and token validation
- GLM-4.6 achieves 73.8% on SWE-bench coding benchmarks

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Stijnus added a commit that referenced this pull request Feb 7, 2026
@Stijnus @claude
feat: add Cerebras and Fireworks AI LLM providers (#2113)
b7ef224 
* fix: improve local model provider robustness and UX

- Extract shared Docker URL rewriting and env conversion into BaseProvider
  to eliminate 4x duplicated code across Ollama and LMStudio
- Add error handling and 5s timeouts to all model-listing fetches so one
  unreachable provider doesn't block the entire model list
- Fix Ollama using createOllama() instead of mutating provider internals
- Fix LLMManager singleton ignoring env updates on subsequent requests
- Narrow cache key to only include provider-relevant env vars instead of
  the entire server environment
- Fix 'as any' casts in LMStudio and OpenAILike by using shared
  convertEnvToRecord helper
- Replace console.log/error with structured logger in OpenAILike
- Fix typo: filteredStaticModesl -> filteredStaticModels in manager
- Add connection status indicator (green/red dot) for local providers
  in the ModelSelector dropdown
- Show helpful "is X running?" message when local provider has no models

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add Cerebras LLM provider

- Add Cerebras provider with 8 models (Llama, GPT OSS, Qwen, ZAI GLM)
- Integrate @ai-sdk/cerebras@0.2.16 for compatibility
- Add CEREBRAS_API_KEY to environment configuration
- Register provider in LLMManager registry

Models included:
- llama3.1-8b, llama-3.3-70b
- gpt-oss-120b (reasoning)
- qwen-3-32b, qwen-3-235b variants
- zai-glm-4.6, zai-glm-4.7 (reasoning)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add Fireworks AI LLM provider

- Add Fireworks provider with 6 popular models
- Integrate @ai-sdk/fireworks@0.2.16 for compatibility
- Add FIREWORKS_API_KEY to environment configuration
- Register provider in LLMManager registry

Models included:
- Llama 3.1 variants (405B, 70B, 8B Instruct)
- DeepSeek R1 (reasoning model)
- Qwen 2.5 72B Instruct
- FireFunction V2

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add coding-specific models to existing providers

Enhanced providers with state-of-the-art coding models:

**DeepSeek Provider:**
+ DeepSeek V3.2 (integrates thinking + tool-use)
+ DeepSeek V3.2-Speciale (high-compute variant, beats GPT-5)

**Fireworks Provider:**
+ Qwen3-Coder 480B (262K context, best for coding)
+ Qwen3-Coder 30B (fast coding specialist)

**Cerebras Provider:**
+ Qwen3-Coder 480B (2000 tokens/sec!)
- Removed deprecated models (qwen-3-32b, llama-3.3-70b)

Total new models: 4
Total coding models across all providers: 12+

Performance highlights:
- Qwen3-Coder: State-of-the-art coding performance
- DeepSeek V3.2: Integrates thinking directly into tool-use
- ZAI GLM 4.6: 73.8% SWE-bench score
- Ultra-fast inference: 2000 tok/s on Cerebras

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add dynamic model discovery to providers

Implemented getDynamicModels() for automatic model discovery:

**DeepSeek Provider:**
- Fetches models from https://api.deepseek.com/models
- Automatically discovers new models as DeepSeek adds them
- Filters out static models to avoid duplicates

**Cerebras Provider:**
- Fetches models from https://api.cerebras.ai/v1/models
- Auto-discovers new Cerebras models
- Keeps UI up-to-date with latest offerings

**Fireworks Provider:**
- Fetches from https://api.fireworks.ai/v1/accounts/fireworks/models
- Includes context_length from API response
- Discovers new Qwen-Coder and other models automatically

**Moonshot Provider:**
- Fetches from https://api.moonshot.ai/v1/models
- OpenAI-compatible endpoint
- Auto-discovers new Kimi models

Benefits:
- ✅ No manual updates needed when providers add new models
- ✅ Users always have access to latest models
- ✅ Graceful fallback to static models if API fails
- ✅ 5-second timeout prevents hanging
- ✅ Caching system built into BaseProvider

Technical details:
- Uses BaseProvider's built-in caching system
- Cache invalidates when API keys change
- Failed API calls fallback to static models
- All endpoints have 5-second timeout protection

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add Z.AI provider with GLM models and JWT authentication

Merged changes from PR #2069 to add Z.AI provider:
- Added GLM-4.6 (200K), GLM-4.5 (128K), and GLM-4.5 Flash models
- Implemented secure JWT token generation with HMAC-SHA256 signing
- Added dynamic model discovery from Z.AI API
- Included proper error handling and token validation
- GLM-4.6 achieves 73.8% on SWE-bench coding benchmarks

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@Stijnus
Copy link
Collaborator

Stijnus commented Feb 7, 2026

merged in a new PR and pushed

@Stijnus Stijnus closed this Feb 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@initinnagpal2024 initinnagpal2024 initinnagpal2024 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Stijnus Stijnus

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kamail12 @therry47 @Stijnus @initinnagpal2024