Mercari builds LLM Key Server for secure, temporary LLM API access via OIDC and LiteLLM
LLM API keys at Mercari had no expiration date, proliferated without clear management across multiple providers, and required manual administrator registration for access, making regular access audits difficult and creating prolonged information-leakage risk if keys were compromised.
The recommended approach of accessing LLM APIs through Google Cloud or Azure using Workload Identity and cross-cloud federation was too complex to configure broadly, and many external AI and LLM products do not support these methods, necessitating an alternative. Overly strict security policies also risked being bypassed by users.
Mercari deployed the LLM Key Server, enabling users to obtain temporary API keys through their internal accounts without manual requests, and accelerating LLM adoption in CI/CD pipelines including automated code reviews, as well as in internal tools for document summarization and translation.
Frequently asked questions
What did this team achieve with this AI workflow?
Mercari deployed the LLM Key Server, enabling users to obtain temporary API keys through their internal accounts without manual requests, and accelerating LLM adoption in CI/CD pipelines including automated code revie…
What tools did this team use?
LiteLLM, GitHub Actions, Google Apps Script, Google Workspace, Google Cloud, Claude Code, OpenID Connect (OIDC).
What results were reported?
LLM adoption in CI/CD pipelines: accelerated LLM adoption in CI/CD pipelines; LLM adoption for internal document workflows: accelerated LLM adoption within the company; Information leakage risk: time-limited keys reduce information leakage risks (source-reported, not independently verified).
What failed first in this deployment?
The recommended approach of accessing LLM APIs through Google Cloud or Azure using Workload Identity and cross-cloud federation was too complex to configure broadly, and many external AI and LLM products do not suppor…
How is this it support AI workflow structured?
Obtain OIDC identity token → Key Server verifies token → Temporary API key issued → LLM access via LiteLLM → Automatic key renewal.