LLM Client Providers

vertex-ai

The vertex-ai provider is used to interact with the Google Vertex AI services.

As of BAML 0.85.0, vertex-ai now supports Anthropic models!

Example using a Vertex API Key (Express Mode):

BAML
1client<llm> MyClient {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    location us-central1 // or "global"
6    project_id my-project-id
7    query_params {
8      key env.VERTEX_API_KEY
9    }
10  }
11}

Authentication

Using a Vertex API Key (Express Mode)

To get started quickly, we recommend using Express Mode with a Vertex API Key. This avoids service account setup and works well for prototyping.

See Google’s guide: Use Vertex API keys (Express Mode).

See also Express mode overview.

When using a Vertex API Key, set the key query parameter and specify your project_id and location:

BAML
1client<llm> VertexApiKeyClient {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    location us-central1 // you can also use "global"
6    project_id my-project-id
7    query_params {
8      key env.VERTEX_API_KEY
9    }
10  }
11}

When in doubt, check the ‘cURL’ tab in the playground to see the exact request being sent!

Notes:

  • project_id cannot be inferred when using an API key; set it explicitly.
  • Keep credentials unset when using an API key, so BAML does not prefer service account auth.

Using a Vertex API Key in the playground

You should see the VERTEX_API_KEY environment variable in the playground API Keys dialog. You can set it there and you’re all set!

Using Google Application Credentials

If no vertex api key is set, BAML will by default try to authenticate using application default credentials

client<llm> MyClient {
  provider vertex-ai
  options {
    model gemini-2.5-pro
    location us-central1
    project_id my-project-id
    // we will by default try to use this form of authentication.
    credentials env.MY_APPLICATION_CREDENTIALS_CONTENT
  }
}

This is what the MY_APPLICATION_CREDENTIALS_CONTENT environment variable looks like:

1MY_APPLICATION_CREDENTIALS_CONTENT={
2  "type": "service_account",
3  "project_id": "my-project-id",
4  "private_key_id": "string",
5  "private_key": "-----BEGIN PRIVATE KEY-----string\n-----END PRIVATE KEY-----\n"
6  ...other fields...
7}

BAML accepts this blob as a string, a path to a file, or a JSON object.

More details on Google Application Credentials

Here is the order of authentication:

  • If GOOGLE_APPLICATION_CREDENTIALS environment variable is set, it will use the specified service account
  • If you have run gcloud auth application-default login, it will find the credentials generated by gcloud by the path convention. Note that you will still need to set either options.project_id or the GOOGLE_CLOUD_PROJECT environment variable.
  • If running in GCP, it will query the metadata server to use the attached service account
  • If gcloud is available on the PATH, it will use gcloud auth print-access-token

Requirements

You need to use an account with a ProjectID that has been authorized to use Vertex. When administering your Google Cloud account, be sure to enable Vertex, and set up ADC:

$gcloud auth application-default login

If you’re using Google Cloud application default credentials, you can expect authentication to work out of the box.

Setting options.credentials will take precedence and force vertex-ai to load service account credentials from that file path.

Playground

To use a vertex-ai client in the playground, you need to run gcloud auth application-default login in the terminal and set the GOOGLE_CLOUD_PROJECT environment variable in the “API Keys” dialog. The playground will then use these credentials to auth all Vertex API calls.

Debugging

If you’re having issues with vertex-ai authentication, you can try setting BAML_INTERNAL_LOG=debug to see more detailed logs.

To understand these logs, it’ll help to understand the auth implementation of the vertex-ai provider.

The vertex-ai provider uses one of 3 strategies to authenticate with Google Cloud:

  • AuthStrategy::JsonString(value: String) - parse value as a JSON object, and use that to resolve a service account
  • AuthStrategy::JsonFile(path: String) - read the file at path (relative to the process’ current working directory), parse it as a JSON object, and use that to resolve a service account
  • AuthStrategy::SystemDefault - try 3 strategies in order:
    • resolve credentials from .config/gcloud/application_default_credentials.json; else
    • use the service account from the GCP compute environment by querying the metadata server; else
    • check if gcloud is available on the PATH and if so, use gcloud auth print-access-token

We choose one of the three strategies based on the following rules, in order:

  1. Is credentials provided?
    • If so, and it’s a string containing a JSON object, we use AuthStrategy::JsonString with credentials.
    • If so, and it’s a JSON object, we use AuthStrategy::JsonObject with credentials (this is probably only relevant if you’re using the ClientRegistry API in baml_client).
    • If so, but it’s just a regular string, use AuthStrategy::JsonFile with credentials.
  2. Is GOOGLE_APPLICATION_CREDENTIALS set?
    • If so, and it looks like a JSON object, we use AuthStrategy::JsonString with GOOGLE_APPLICATION_CREDENTIALS
    • If so, but it’s just a regular string, use AuthStrategy::JsonFile with GOOGLE_APPLICATION_CREDENTIALS
  3. Else, we use AuthStrategy::SystemDefault

We use the REST API to send requests to Vertex AI, and you can debug these using the BAML playground and switch from showing “Prompt Preview” to “Raw cURL”, which will show you the exact request the BAML runtime will construct and send.

Non-streaming requests will use {base_url}:generateContent:

https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/publishers/google/models/${MODEL_ID}:generateContent

Streaming requests will use {base_url}:streamGenerateContent?alt=sse:

https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/publishers/google/models/${MODEL_ID}:streamGenerateContent

BAML-specific request options

These unique parameters (aka options) modify the API request sent to the provider.

You can use this to modify the headers and base_url for example.

base_url
string

The base URL for the API.

Default: inferred from the project_id and location using the following format:

https://{LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/{LOCATION}/publishers/google/models/

If the location is global, the base URL will be:

https://aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/global/publishers/google/models/

Can be used in lieu of the project_id and location fields, to manually set the request URL.

project_id
string

The Google Cloud project ID hosting the Vertex AI service you want to call.

Default: inferred from the provided credentials (see Authentication).

location
stringRequired

Vertex requires you to specify the location you want to serve your models from. Some models may only be available in certain locations.

Common locations include:

  • us-central1
  • us-west1
  • us-east1
  • us-south1

See the Vertex AI docs for all locations and supported models.

credentials
string | object

This field supports any of 3 formats:

  • A string containing service account credentials in JSON format.
  • Path to a file containing service account credentials in JSON format.
  • A JSON object containing service account credentials.

See Authentication and Debugging for more information.

Default: env.GOOGLE_APPLICATION_CREDENTIALS

BAML
1client<llm> Vertex {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    location us-central1
6    // credentials can be a block string containing service account credentials in JSON format
7    credentials #"
8      {
9        "type": "service_account",
10        "project_id": "my-project-id",
11        "private_key_id": "string",
12        "private_key": "-----BEGIN PRIVATE KEY-----string\n-----END PRIVATE KEY-----\n",
13        "client_email": "john_doe@gmail.com",
14        "client_id": "123456",
15        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
16        "token_uri": "https://oauth2.googleapis.com/token",
17        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
18        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/...",
19        "universe_domain": "googleapis.com"
20      }
21    "#
22  }
23}

In this case, the path is resolved relative to the CWD of your process.

BAML
1client<llm> Vertex {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    location us-central1
6    credentials "path/to/credentials.json"
7  }
8}
BAML
1client<llm> Vertex {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    location us-central1
6    // credentials can be a block string containing service account credentials in JSON format
7    credentials {
8      type "service_account",
9      project_id "my-project-id",
10      private_key_id "string",
11      private_key "-----BEGIN PRIVATE KEY-----string\n-----END PRIVATE KEY-----\n",
12      client_email "john_doe@gmail.com",
13      client_id "123456",
14      auth_uri "https://accounts.google.com/o/oauth2/auth",
15      token_uri "https://oauth2.googleapis.com/token",
16      auth_provider_x509_cert_url "https://www.googleapis.com/oauth2/v1/certs",
17      client_x509_cert_url "https://www.googleapis.com/robot/v1/metadata/...",
18      universe_domain "googleapis.com"
19    }
20  }
21}
credentials_content
string

Since the BAML playground now allows using gcloud auth application-default login, to authenticate wih GCP, we will soon be deprecating credentials_content.

A string containing service account credentials in JSON format.

See Authentication and Debugging for more information.

Default: env.GOOGLE_APPLICATION_CREDENTIALS_CONTENT

BAML
1client<llm> Vertex {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    location us-central1
6    // credentials_content is a block string containing service account credentials in JSON format
7    credentials_content #"
8      {
9        "type": "service_account",
10        "project_id": "my-project-id",
11        "private_key_id": "string",
12        "private_key": "-----BEGIN PRIVATE KEY-----string\n-----END PRIVATE KEY-----\n",
13        "client_email": "john_doe@gmail.com",
14        "client_id": "123456",
15        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
16        "token_uri": "https://oauth2.googleapis.com/token",
17        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
18        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/...",
19        "universe_domain": "googleapis.com"
20      }
21    "#
22  }
23}
model
stringRequired

The Google model to use for the request.

ModelInput(s)Optimized for
gemini-2.5-proAudio, images, videos, and textComplex reasoning tasks such as code and text generation, text editing, problem solving, data extraction and generation
gemini-2.5-flashAudio, images, videos, and textFast and versatile performance across a diverse variety of tasks
gemini-1.0-proTextNatural language tasks, multi-turn text and code chat, and code generation

See the Google Model Docs for the latest models.

headers
object

Additional headers to send with the request.

Example:

BAML
1client<llm> MyClient {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    project_id my-project-id
6    location us-central1
7    // Additional headers
8    headers {
9      "X-My-Header" "my-value"
10    }
11  }
12}
query_params
object

Query string parameters appended to the request URL.

Example (use a Vertex API Key with Express Mode):

BAML
1client<llm> MyClient {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    project_id my-project-id
6    location us-central1
7    query_params {
8      key env.VERTEX_API_KEY
9    }
10  }
11}

When using an API key, omit credentials and set project_id explicitly.

default_role
string

The role to use if the role is not in the allowed_roles. Default: "user" usually, but some models like OpenAI’s gpt-5 will use "system"

Picked the first role in allowed_roles if not “user”, otherwise “user”.

allowed_roles
string[]

Which roles should we forward to the API? Default: ["system", "user", "assistant"] usually, but some models like OpenAI’s o1-mini will use ["user", "assistant"]

When building prompts, any role not in this list will be set to the default_role.

remap_roles
map<string, string>

A mapping to transform role names before sending to the API. Default: {} (no remapping)

For google-ai provider, the default is: { "assistant": "model" }

This allows you to use standard role names in your prompts (like “user”, “assistant”, “system”) but send different role names to the API. The remapping happens after role validation and default role assignment.

Example:

1{
2  "user": "human",
3  "assistant": "ai",
4}

With this configuration, {{ _.role("user") }} in your prompt will result in a message with role “human” being sent to the API.

allowed_role_metadata
string[]

Which role metadata should we forward to the API? Default: []

For example you can set this to ["foo", "bar"] to forward the cache policy to the API.

If you do not set allowed_role_metadata, we will not forward any role metadata to the API even if it is set in the prompt.

Then in your prompt you can use something like:

1client<llm> Foo {
2  provider openai
3  options {
4    allowed_role_metadata: ["foo", "bar"]
5  }
6}
7
8client<llm> FooWithout {
9  provider openai
10  options {
11  }
12}
13template_string Foo() #"
14  {{ _.role('user', foo={"type": "ephemeral"}, bar="1", cat=True) }}
15  This will be have foo and bar, but not cat metadata. But only for Foo, not FooWithout.
16  {{ _.role('user') }}
17  This will have none of the role metadata for Foo or FooWithout.
18"#

You can use the playground to see the raw curl request to see what is being sent to the API.

supports_streaming
boolean

Whether the internal LLM client should use the streaming API. Default: true

Then in your prompt you can use something like:

1client<llm> MyClientWithoutStreaming {
2  provider anthropic
3  options {
4    model claude-3-5-haiku-20241022
5    api_key env.ANTHROPIC_API_KEY
6    max_tokens 1000
7    supports_streaming false
8  }
9}
10
11function MyFunction() -> string {
12  client MyClientWithoutStreaming
13  prompt #"Write a short story"#
14}
1# This will be streamed from your python code perspective, 
2# but under the hood it will call the non-streaming HTTP API
3# and then return a streamable response with a single event
4b.stream.MyFunction()
5
6# This will work exactly the same as before
7b.MyFunction()
finish_reason_allow_list
string[]

Which finish reasons are allowed? Default: null

version 0.73.0 onwards: This is case insensitive.

Will raise a BamlClientFinishReasonError if the finish reason is not in the allow list. See Exceptions for more details.

Note, only one of finish_reason_allow_list or finish_reason_deny_list can be set.

For example you can set this to ["stop"] to only allow the stop finish reason, all other finish reasons (e.g. length) will treated as failures that PREVENT fallbacks and retries (similar to parsing errors).

Then in your code you can use something like:

1client<llm> MyClient {
2  provider "openai"
3  options {
4    model "gpt-5-mini"
5    api_key env.OPENAI_API_KEY
6    // Finish reason allow list will only allow the stop finish reason
7    finish_reason_allow_list ["stop"]
8  }
9}
finish_reason_deny_list
string[]

Which finish reasons are denied? Default: null

version 0.73.0 onwards: This is case insensitive.

Will raise a BamlClientFinishReasonError if the finish reason is in the deny list. See Exceptions for more details.

Note, only one of finish_reason_allow_list or finish_reason_deny_list can be set.

For example you can set this to ["length"] to stop the function from continuing if the finish reason is length. (e.g. LLM was cut off because it was too long).

Then in your code you can use something like:

1client<llm> MyClient {
2  provider "openai"
3  options {
4    model "gpt-5-mini"
5    api_key env.OPENAI_API_KEY
6    // Finish reason deny list will allow all finish reasons except length
7    finish_reason_deny_list ["length"]
8  }
9}

media_url_handler

Controls how media URLs are processed before sending to the provider. This allows you to override the default behavior for handling images, audio, PDFs, and videos.

1client<llm> MyClient {
2  provider openai
3  options {
4    media_url_handler {
5      image "send_base64"                    // Options: send_base64 | send_url | send_url_add_mime_type | send_base64_unless_google_url
6      audio "send_url"
7      pdf "send_url_add_mime_type"
8      video "send_url"
9    }
10  }
11}

Options

Each media type can be configured with one of these modes:

  • send_base64 - Always download URLs and convert to base64 data URIs
  • send_url - Pass URLs through unchanged to the provider
  • send_url_add_mime_type - Ensure MIME type is present (may require downloading to detect)
  • send_base64_unless_google_url - Only process non-gs:// URLs (keep Google Cloud Storage URLs as-is)

Provider Defaults

If not specified, each provider uses these defaults:

ProviderImageAudioPDFVideo
OpenAIsend_urlsend_base64send_urlsend_url
Anthropicsend_urlsend_urlsend_base64send_url
Google AIsend_base64_unless_google_urlsend_urlsend_urlsend_url
Vertex AIsend_url_add_mime_typesend_url_add_mime_typesend_urlsend_url
AWS Bedrocksend_base64send_base64send_base64send_url
Azure OpenAIsend_urlsend_base64send_urlsend_url

When to Use

  • Use send_base64 when your provider doesn’t support external URLs and you need to embed media content
  • Use send_url when your provider handles URL fetching and you want to avoid the overhead of base64 conversion
  • Use send_url_add_mime_type when your provider requires MIME type information (e.g., Vertex AI)
  • Use send_base64_unless_google_url when working with Google Cloud Storage and want to preserve gs:// URLs

URL fetching happens at request time and may add latency. Consider caching or pre-converting frequently used media when using send_base64 mode.

Vertex AI uses send_url_add_mime_type by default for images and audio, which ensures MIME type information is included. This may require downloading the content to detect the MIME type if not provided.

Provider request parameters

These are other parameters that are passed through to the provider, without modification by BAML. For example if the request has a temperature field, you can define it in the client here so every call has that set.

Consult the specific provider’s documentation for more information.

safetySettings
object

Safety settings to apply to the request. You can stack different safety settings with a new safetySettings header for each one. See the Google Vertex API Request Docs for more information on what safety settings can be set.

BAML
1client<llm> MyClient {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    project_id my-project-id
6    location us-central1
7
8    safetySettings {
9      category HARM_CATEGORY_HATE_SPEECH
10      threshold BLOCK_LOW_AND_ABOVE
11      method SEVERITY
12    }
13  }
14}
generationConfig
object

Generation configurations to apply to the request. See the Google Vertex API Request Docs for more information on what properties can be set.

BAML
1client<llm> MyClient {
2  provider vertex-ai
3  options {
4    model gemini-2.5-pro
5    project_id my-project-id
6    location us-central1
7
8    generationConfig {
9      maxOutputTokens 100
10      temperature 1
11    }
12  }
13}

For all other options, see the official Vertex AI documentation.

Publishers Other Than Google

If you are using models from publishers other than Google, such as Llama from Meta, use your project endpoint as the base_url in BAML:

1client<llm> VertexLlama {
2  provider vertex-ai
3  options {
4    base_url "https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/endpoints/"
5    location us-central1
6  }
7}

For anthropic

1client<llm> VertexClaudeSonnet {
2  provider vertex-ai
3  options {
4    model "claude-sonnet-4"
5    anthropic_version "${ANTHROPIC_VERSION}"
6    base_url "https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/publishers/anthropic/models"
7  }
8}