From 81948e1f0366632add30045275a4512b4762eaa6 Mon Sep 17 00:00:00 2001
From: Charles Howard <96023061+charlesrhoward@users.noreply.github.com>
Date: Mon, 18 May 2026 15:18:19 -0400
Subject: [PATCH] docs: align access docs with managed billing

---
 content/docs/cli/automation/headless-runs.mdx |  2 +-
 content/docs/cli/concepts/attach.mdx          |  2 +-
 content/docs/cli/guides/authentication.mdx    | 59 ++++++-------
 .../cli/guides/configuration-and-flags.mdx    | 10 ++-
 content/docs/cli/guides/index.mdx             |  2 +-
 content/docs/cli/index.mdx                    |  2 +-
 content/docs/cli/installation.mdx             |  6 +-
 content/docs/cli/quickstart.mdx               |  8 +-
 content/docs/cli/skills/mogplex-auth.mdx      | 43 +++-------
 content/docs/cli/skills/using-mogplex-cli.mdx |  2 +-
 .../connections-and-mcp.mdx                   |  2 +-
 content/docs/configure-and-extend/index.mdx   | 12 +--
 .../repo-instructions.mdx                     |  2 +-
 content/docs/guides/common-use-cases.mdx      |  2 +-
 content/docs/guides/index.mdx                 |  4 +-
 .../docs/guides/model-selection-and-cost.mdx  | 13 +--
 content/docs/guides/observability-runbook.mdx | 17 ++--
 .../docs/guides/sandbox-setup-checklist.mdx   |  9 +-
 content/docs/guides/troubleshooting.mdx       | 11 +--
 content/docs/index.mdx                        |  6 +-
 content/docs/integrations/index.mdx           |  9 +-
 content/docs/integrations/vercel.mdx          | 39 ++++-----
 content/docs/plans-and-billing.mdx            | 16 ++--
 content/docs/platform/app.mdx                 |  4 +-
 .../platform/how-mogplex-fits-together.mdx    |  2 +-
 content/docs/platform/index.mdx               |  2 +-
 .../docs/platform/projects-and-sandboxes.mdx  | 11 +--
 content/docs/quickstart.mdx                   |  8 +-
 content/docs/reference/glossary.mdx           |  4 +-
 content/docs/reference/index.mdx              |  2 +-
 .../reference/security-and-data-handling.mdx  | 35 +++-----
 content/docs/support.mdx                      |  2 +-
 content/docs/web/api/quickstart.mdx           |  4 +-
 content/docs/web/api/route-families.mdx       |  2 +-
 content/docs/web/api/working-requests.mdx     | 13 ++-
 content/docs/web/guides/project-workflow.mdx  | 21 ++---
 content/docs/web/index.mdx                    |  8 +-
 content/docs/web/models.mdx                   | 19 ++---
 content/docs/web/observability.mdx            |  6 +-
 content/docs/web/settings.mdx                 | 82 ++++++-------------
 content/docs/web/spaces.mdx                   |  9 +-
 41 files changed, 221 insertions(+), 291 deletions(-)

diff --git a/content/docs/cli/automation/headless-runs.mdx b/content/docs/cli/automation/headless-runs.mdx
index c9e0ecd..8bb6567 100644
--- a/content/docs/cli/automation/headless-runs.mdx
+++ b/content/docs/cli/automation/headless-runs.mdx
@@ -166,7 +166,7 @@ final line is `{"runId":"...","status":"success"}`. Perfect for piping into
 <Callout>
 The events feed is sanitized server-side: sensitive payload keys are redacted,
 strings/arrays/objects are capped. Safe to dump into a public CI log without
-leaking provider keys or session tokens.
+leaking credentials or session tokens.
 </Callout>
 
 ## Cancel a run
diff --git a/content/docs/cli/concepts/attach.mdx b/content/docs/cli/concepts/attach.mdx
index a4c7508..a5eec7a 100644
--- a/content/docs/cli/concepts/attach.mdx
+++ b/content/docs/cli/concepts/attach.mdx
@@ -50,7 +50,7 @@ You're a real operator on the run, not a read-only observer.
 
 ## Auth and permissions
 
-Attach uses your local Mogplex token (or provider key) the same way as any other session. Permission mode is still respected — if you attach in `approval` mode and the run produces a gated action, the Approval drawer surfaces it for **you** to decide.
+Attach uses your local Mogplex token the same way as any other session. Permission mode is still respected — if you attach in `approval` mode and the run produces a gated action, the Approval drawer surfaces it for **you** to decide.
 
 ## Detach without killing the run
 
diff --git a/content/docs/cli/guides/authentication.mdx b/content/docs/cli/guides/authentication.mdx
index 86e36fc..94b37fa 100644
--- a/content/docs/cli/guides/authentication.mdx
+++ b/content/docs/cli/guides/authentication.mdx
@@ -1,6 +1,6 @@
 ---
 title: Authentication
-description: In-app login, credential precedence, browser sign-in, stored provider keys, and what `/login` and `/logout` actually change.
+description: In-app login, credential precedence, browser sign-in, account-backed access, and what `/login` and `/logout` actually change.
 ---
 
 import { Callout } from 'fumadocs-ui/components/callout';
@@ -9,22 +9,12 @@ The CLI ships to end users — auth is in-app. You do **not** need to set enviro
 
 ## Resolution order
 
-When the CLI starts up, it resolves credentials in this order:
+When the CLI starts up, it resolves credentials in this order. The normal
+customer path is account-backed login; provider env vars are compatibility and
+development overrides.
 
-1. **Provider env var in the current shell.** If set, it wins — no matter what is stored on disk.
-
-   | Provider   | Environment variable           |
-   | ---------- | ------------------------------ |
-   | Mogplex    | `MOGPLEX_API_KEY`              |
-   | Anthropic  | `ANTHROPIC_API_KEY`            |
-   | OpenAI     | `OPENAI_API_KEY`               |
-   | Google     | `GOOGLE_GENERATIVE_AI_API_KEY` |
-   | Groq       | `GROQ_API_KEY`                 |
-   | Mistral    | `MISTRAL_API_KEY`              |
-   | DeepSeek   | `DEEPSEEK_API_KEY`             |
-   | xAI        | `XAI_API_KEY`                  |
-   | Cohere     | `COHERE_API_KEY`               |
-   | Vercel     | `VERCEL_API_TOKEN`             |
+1. **Auth env var in the current shell.** `MOGPLEX_API_KEY` and legacy local
+   provider env vars can override what is stored on disk.
 
 2. **Stored credentials** in `~/.mogplex/auth.json` (mode `0600`). If you previously used Codex and have `CODEX_HOME` set, the CLI still honors it but it is deprecated — set `MOGPLEX_HOME` instead. See [Configuration and Flags → Storage](/cli/guides/configuration-and-flags#storage).
 
@@ -34,10 +24,11 @@ The practical rule: shell env vars outrank everything else.
 
 ## In-app login
 
-On first run, the login screen offers two paths:
+On first run, use the Mogplex account path:
 
 - **Sign in with Mogplex** — opens a browser flow for account-backed login. The CLI listens on a local callback and stores a Mogplex token. Recommended.
-- **Use a provider API key** — store an Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, xAI, Cohere, or Vercel AI Gateway key locally.
+
+Account-backed login is the product path for normal use.
 
 You can re-open the login screen later from the composer:
 
@@ -47,26 +38,26 @@ You can re-open the login screen later from the composer:
 
 ## What account-backed login means
 
-Browser login is not the same thing as storing a direct provider key.
-
-When you sign in with Mogplex, the CLI stores a `mogplex` credential in `~/.mogplex/auth.json` and can reuse hosted state:
+When you sign in with Mogplex, the CLI stores a `mogplex` credential in
+`~/.mogplex/auth.json` and can reuse hosted state:
 
 - synced model catalog
 - remote MCP server definitions
-- account-backed model access configured for your Mogplex user
+- plan-backed model access configured for your Mogplex user
 
-If account login succeeds but prompts fail, the hosted account usually does not have usable model access yet. Add a provider key in [Web Settings](/web/settings).
+If account login succeeds but prompts fail, the hosted account usually does not
+have usable model access yet. Check [Available Models](/web/models) and
+[Plans & Billing](/plans-and-billing).
 
-## Provider keys (env or stored)
+## Provider env vars
 
-Direct provider credentials still work and still take precedence over the account login path. This is the preferred pattern for CI and ephemeral shells.
-
-```bash
-export OPENAI_API_KEY=sk-...
-mogplex
-```
+Direct provider environment variables are a compatibility and development
+escape hatch, not the product setup path for billed Mogplex accounts. They
+still take precedence over the account login path when they are present, so
+unset them before debugging billed account behavior.
 
-If both a stored credential and an env var exist for the same provider, the env var wins.
+If both a stored credential and an env var exist for the same provider, the env
+var wins.
 
 ## `/logout`
 
@@ -74,7 +65,7 @@ If both a stored credential and an env var exist for the same provider, the env
 /logout
 ```
 
-Clears the Mogplex token (and provider key, if stored) from `~/.mogplex/auth.json`. Three things to remember:
+Clears the Mogplex token from `~/.mogplex/auth.json`. Three things to remember:
 
 - **Env vars still win.** If the matching env var is set, the next session will still authenticate through it.
 - **Restart for certainty.** The current process may still hold the old adapter. Quit (`/quit`) and relaunch if you need an immediate clean slate.
@@ -94,8 +85,8 @@ mogplex --attach run_abc123 --logout
 
 ## Common outcomes
 
-- The login screen appears at startup → no credentials anywhere; sign in or store a provider key.
-- Login succeeds but prompts fail → account login is active but the hosted account lacks model access. Fix in [Web Settings](/web/settings).
+- The login screen appears at startup → no Mogplex credential is available; sign in.
+- Login succeeds but prompts fail → account login is active but the hosted account lacks model access. Check [Available Models](/web/models) and [Plans & Billing](/plans-and-billing).
 - The CLI behaves differently than the in-app login implies → check env vars first; they outrank stored auth.
 
 ## See also
diff --git a/content/docs/cli/guides/configuration-and-flags.mdx b/content/docs/cli/guides/configuration-and-flags.mdx
index ce482f0..cad6ed4 100644
--- a/content/docs/cli/guides/configuration-and-flags.mdx
+++ b/content/docs/cli/guides/configuration-and-flags.mdx
@@ -28,9 +28,11 @@ the login screen, model picker, and permissions picker.
 
 ## Environment variables
 
-### Auth (provider keys)
+### Auth escape hatches
 
-See the table in [Authentication → Resolution order](/cli/guides/authentication#resolution-order). Setting any provider env var overrides stored credentials for that provider.
+See the table in [Authentication → Resolution order](/cli/guides/authentication#resolution-order).
+Provider env vars are compatibility and development escape hatches; normal
+Mogplex usage should start with account-backed login.
 
 ### Transport selection
 
@@ -65,7 +67,7 @@ The runtime loader merges built-in defaults, user config, project config,
 environment-derived values, and launcher overrides. In normal interactive use,
 prefer the visible cockpit controls first:
 
-- `/login` and the login screen for account and provider credentials
+- `/login` and the login screen for account credentials
 - `/permissions` for permission mode
 - `/model` for current model selection
 - `/mcp` for MCP inspection and sync actions
@@ -77,7 +79,7 @@ better owned by the current session UI.
 
 | Path | Contents |
 | --- | --- |
-| `~/.mogplex/auth.json` | Mogplex token and provider credentials (mode `0600`). |
+| `~/.mogplex/auth.json` | Mogplex token and compatibility auth state (mode `0600`). |
 | `~/.mogplex/config.toml` | User-level advanced config. |
 | `~/.mogplex/permissions.json` | Global permission mode and rules. |
 | `./.mogplex/config.toml` | Project-level advanced config. |
diff --git a/content/docs/cli/guides/index.mdx b/content/docs/cli/guides/index.mdx
index 8abee57..33f3c31 100644
--- a/content/docs/cli/guides/index.mdx
+++ b/content/docs/cli/guides/index.mdx
@@ -30,7 +30,7 @@ Use these pages when you want behavior and decision-making, not just syntax.
 
 ## Pick a guide by question
 
-- "Why is the CLI choosing this provider or model?" → [Authentication](/cli/guides/authentication)
+- "Why is the CLI choosing this auth state or model?" → [Authentication](/cli/guides/authentication)
 - "Where does this default live and which env var overrides it?" → [Configuration and Flags](/cli/guides/configuration-and-flags)
 - "How do I drive a run from the composer?" → [Slash Commands](/cli/guides/slash-commands)
 - "How do I make Mogplex behave like part of this repo?" → [Project Commands](/cli/guides/project-commands)
diff --git a/content/docs/cli/index.mdx b/content/docs/cli/index.mdx
index d15d8b4..498c114 100644
--- a/content/docs/cli/index.mdx
+++ b/content/docs/cli/index.mdx
@@ -54,7 +54,7 @@ See [Reference → Panels](/cli/reference/panels) and [Reference → Drawers](/c
 
 ## Files the CLI reads
 
-- `~/.mogplex/auth.json` — Mogplex token and provider credentials.
+- `~/.mogplex/auth.json` — Mogplex token and compatibility auth state.
 - `~/.mogplex/permissions.json` — global permission mode and rules.
 - `~/.mogplex/projects/<repo-slug>/permissions.json` — project-level overrides.
 - `~/.mogplex/logs/` — structured session logs (secrets redacted).
diff --git a/content/docs/cli/installation.mdx b/content/docs/cli/installation.mdx
index 0039868..8a53c64 100644
--- a/content/docs/cli/installation.mdx
+++ b/content/docs/cli/installation.mdx
@@ -85,7 +85,8 @@ exec zsh -l
 mogplex
 ```
 
-The first launch opens the in-app login screen. Sign in with your Mogplex account or store a provider key locally — Mogplex never requires environment variables for normal use.
+The first launch opens the in-app login screen. Sign in with your Mogplex
+account. Mogplex never requires environment variables for normal use.
 
 For the full first-run flow, continue with [Quickstart](/cli/quickstart).
 
@@ -98,7 +99,8 @@ Re-run the installer. It detects the existing install and replaces the binary in
 - `mogplex: command not found` — the install succeeded but your shell has not picked up the updated `PATH`. Rehash or open a new shell.
 - The installer downloads but fails before extraction — confirm your machine has the right extractor (`tar` for `.tar.gz`, `unzip` or `ditto` for `.zip`).
 - You pinned `MOGPLEX_BASE_URL` and the script exits immediately — the installer rejects non-HTTPS hosts.
-- Login succeeds but prompts fail — your account probably lacks model access. Add a provider key in [Web Settings](/web/settings).
+- Login succeeds but prompts fail — your account probably lacks model access.
+  Check [Available Models](/web/models) and [Plans & Billing](/plans-and-billing).
 
 ## Uninstall
 
diff --git a/content/docs/cli/quickstart.mdx b/content/docs/cli/quickstart.mdx
index d49fc96..8f15ae4 100644
--- a/content/docs/cli/quickstart.mdx
+++ b/content/docs/cli/quickstart.mdx
@@ -25,8 +25,9 @@ mogplex
 
 If you are not authenticated, the in-app login screen appears. Pick one:
 
-- **Sign in with Mogplex** — opens a browser for account-backed login. Recommended; reuses synced model catalog and remote MCP definitions.
-- **Use a provider API key** — store an Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, xAI, Cohere, or Vercel AI Gateway key locally.
+- **Sign in with Mogplex** — opens a browser for account-backed login. This
+  reuses your plan-backed model access, synced model catalog, and remote MCP
+  definitions.
 
 Stored credentials live in `~/.mogplex/auth.json` (file mode `0600`).
 
@@ -87,7 +88,8 @@ See [Concepts → Attach](/cli/concepts/attach).
 
 ## Common first-run issues
 
-- Login succeeds but no models available — add a provider key in [Web Settings](/web/settings) (account-backed login inherits hosted model access).
+- Login succeeds but no models available — check [Available Models](/web/models)
+  and the account plan. Account-backed login inherits managed hosted access.
 - Header says `transport: offline` — core is unreachable. Check network and retry; the daemon transport surfaces a reconnect banner.
 - A slash command "doesn't work" — check `/help` for the actual registry.
 
diff --git a/content/docs/cli/skills/mogplex-auth.mdx b/content/docs/cli/skills/mogplex-auth.mdx
index 799e431..9fc6b33 100644
--- a/content/docs/cli/skills/mogplex-auth.mdx
+++ b/content/docs/cli/skills/mogplex-auth.mdx
@@ -11,7 +11,7 @@ This page mirrors the canonical `SKILL.md` at [`skills/mogplex-auth/SKILL.md`](h
 
 ```yaml
 name: mogplex-auth
-description: Guides the user through the Mogplex CLI's in-app login flow, credential precedence, and troubleshooting. Use when the user asks to sign in, switch accounts, store a provider key, or when a Mogplex command fails with an auth error.
+description: Guides the user through the Mogplex CLI's in-app login flow, credential precedence, and troubleshooting. Use when the user asks to sign in, switch accounts, debug env-var overrides, or when a Mogplex command fails with an auth error.
 ```
 
 ## Body
@@ -22,20 +22,8 @@ The Mogplex CLI authenticates **in-app**. There is no `mogplex login status` sub
 
 The cockpit picks credentials in a fixed order:
 
-1. **Provider env var in the current shell.** If set, it wins — no matter what is stored on disk.
-
-   | Provider | Env var |
-   | --- | --- |
-   | Mogplex | `MOGPLEX_API_KEY` |
-   | Anthropic | `ANTHROPIC_API_KEY` |
-   | OpenAI | `OPENAI_API_KEY` |
-   | Google | `GOOGLE_GENERATIVE_AI_API_KEY` |
-   | Groq | `GROQ_API_KEY` |
-   | Mistral | `MISTRAL_API_KEY` |
-   | DeepSeek | `DEEPSEEK_API_KEY` |
-   | xAI | `XAI_API_KEY` |
-   | Cohere | `COHERE_API_KEY` |
-   | Vercel | `VERCEL_API_TOKEN` |
+1. **Auth env var in the current shell.** `MOGPLEX_API_KEY` and legacy local
+   provider env vars can override what is stored on disk.
 
 2. **Stored credentials** in `~/.mogplex/auth.json` (mode `0600`).
 3. **No credentials** → the cockpit's in-app login screen appears.
@@ -55,24 +43,17 @@ mogplex
 
 A browser flow opens; the cockpit listens on a local callback and stores the token in `~/.mogplex/auth.json`. The user does the click-through; you do not drive the browser.
 
-Account-backed login unlocks synced model catalog, remote MCP server definitions, and hosted model access.
+Account-backed login unlocks synced model catalog, remote MCP server
+definitions, and plan-backed hosted model access.
 
-### Alternative: store a provider key in-app
+### Compatibility: provider env var
 
-In the login screen (or via `/login` in the composer), the user can pick **Use a provider API key** and paste a key. Stored in `~/.mogplex/auth.json` with mode `0600`.
+Provider env vars are compatibility and development escape hatches. They are
+not the normal customer setup path for billed Mogplex accounts.
 
-Supported providers: Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, xAI, Cohere, Vercel AI Gateway.
-
-### Alternative: provider env var
-
-For CI or ephemeral shells:
-
-```bash
-export OPENAI_API_KEY=sk-...
-mogplex
-```
-
-Do not write keys into shell rc files on the user's behalf. Suggest it; let them do it.
+Do not write keys into shell rc files on the user's behalf. If a user is
+explicitly working in a development or compatibility flow, describe the env-var
+override and let them set it themselves.
 
 ## Sanity-check env vars (advisory)
 
@@ -89,7 +70,7 @@ Never echo a raw key.
 | Symptom | What to recommend |
 | --- | --- |
 | Login screen appears at every launch | No credential stored and no env var set. Pick a path on the login screen. |
-| Login succeeds but prompts fail with "no model access" | Account-backed login is active but the hosted account lacks model access. Direct the user to [Web Settings](https://www.mogplex.com/web/settings) to add a provider key. |
+| Login succeeds but prompts fail with "no model access" | Account-backed login is active but the hosted account lacks model access. Direct the user to [Available Models](https://www.mogplex.com/web/models) and [Plans & Billing](https://www.mogplex.com/plans-and-billing). |
 | Cockpit behaves differently than expected after `/login` | An env var is overriding the stored credential. Have the user `unset` it and relaunch. |
 | User wants to switch accounts | Type `/logout` in the composer, then `/login` (or relaunch). |
 
diff --git a/content/docs/cli/skills/using-mogplex-cli.mdx b/content/docs/cli/skills/using-mogplex-cli.mdx
index c267f22..f54d5e4 100644
--- a/content/docs/cli/skills/using-mogplex-cli.mdx
+++ b/content/docs/cli/skills/using-mogplex-cli.mdx
@@ -84,7 +84,7 @@ is it a config / file change?
 
 - Author `AGENTS.md` at the repo root with stable repo guidance (build commands, conventions, layout).
 - Author `~/.mogplex/projects/<repo-slug>/permissions.json` with `allow` / `deny` / `ask` rules — see [Permissions](https://www.mogplex.com/cli/concepts/permissions) for the schema.
-- Recommend env-var escape hatches (`MOGPLEX_TRANSPORT`, `MOGPLEX_ATTACH_RUN_ID`, provider keys) — see [Configuration and Flags](https://www.mogplex.com/cli/guides/configuration-and-flags).
+- Recommend env-var escape hatches (`MOGPLEX_TRANSPORT`, `MOGPLEX_ATTACH_RUN_ID`) only when they fit CI, attach, or development workflows — see [Configuration and Flags](https://www.mogplex.com/cli/guides/configuration-and-flags).
 
 ### Safety
 
diff --git a/content/docs/configure-and-extend/connections-and-mcp.mdx b/content/docs/configure-and-extend/connections-and-mcp.mdx
index 2c8a7ed..91233e3 100644
--- a/content/docs/configure-and-extend/connections-and-mcp.mdx
+++ b/content/docs/configure-and-extend/connections-and-mcp.mdx
@@ -5,7 +5,7 @@ description: Configure REST and MCP connections, understand scope resolution, sy
 
 Connections are how Mogplex agents reach external systems.
 
-They are separate from provider model keys, GitHub App coverage, Slack channel
+They are separate from managed model access, GitHub App coverage, Slack channel
 links, and the preview path where other MCP clients call into Mogplex.
 
 ## Direction matters
diff --git a/content/docs/configure-and-extend/index.mdx b/content/docs/configure-and-extend/index.mdx
index 0b9f750..c97bb85 100644
--- a/content/docs/configure-and-extend/index.mdx
+++ b/content/docs/configure-and-extend/index.mdx
@@ -10,12 +10,12 @@ team, or local workflow needs.
   <Card
     title="Settings"
     href="/web/settings"
-    description="GitHub identity, App coverage, Personal Vercel, connections, provider keys, CLI tokens, models, and shared preferences."
+    description="GitHub identity, App coverage, billing access, connections, access tokens, models, and shared preferences."
   />
   <Card
     title="Available Models"
     href="/web/models"
-    description="Live model catalog, enabled models, defaults, provider access, CLI sync, and repo-level exclusions."
+    description="Live model catalog, enabled models, defaults, plan access, CLI sync, and repo-level exclusions."
   />
   <Card
     title="Agent Authoring"
@@ -45,7 +45,7 @@ team, or local workflow needs.
   <Card
     title="Security and Data Handling"
     href="/reference/security-and-data-handling"
-    description="Identity, tokens, provider keys, connection secrets, webhooks, event data, sandboxes, and safe support artifacts."
+    description="Identity, tokens, managed model access, connection secrets, webhooks, event data, sandboxes, and safe support artifacts."
   />
   <Card
     title="Installations"
@@ -81,7 +81,7 @@ team, or local workflow needs.
 
 ## Common configuration paths
 
-- Model or provider issue: start with [Available Models](/web/models), then
+- Model or account-access issue: start with [Available Models](/web/models), then
   check [Model Selection and Cost](/guides/model-selection-and-cost) and
   [Settings](/web/settings).
 - Durable worker behavior is hard to reuse: start with
@@ -96,8 +96,8 @@ team, or local workflow needs.
   [Connection Scope and Overrides](/web/guides/connection-scope-and-overrides).
 - Repo is visible but cannot trigger hosted work: start with
   [GitHub](/integrations/github) and [Installations](/web/installations).
-- Sandbox launch depends on a user-billed project: start with
-  [Vercel](/integrations/vercel), then confirm repo settings in
+- Sandbox launch reports missing access: start with
+  [Plans & Billing](/plans-and-billing), then confirm repo settings in
   [Projects](/web/spaces).
 - CLI asks for permission unexpectedly: start with
   [Permissions](/cli/concepts/permissions) and
diff --git a/content/docs/configure-and-extend/repo-instructions.mdx b/content/docs/configure-and-extend/repo-instructions.mdx
index 00bb0cf..7aace37 100644
--- a/content/docs/configure-and-extend/repo-instructions.mdx
+++ b/content/docs/configure-and-extend/repo-instructions.mdx
@@ -126,7 +126,7 @@ The current schema accepts:
 Use `system_prompt_suffix` only for short, durable behavior that belongs after
 the markdown instructions.
 
-For model routing, provider access, and tool policy, prefer the first-class
+For model routing, managed access, and tool policy, prefer the first-class
 Mogplex controls unless the specific surface you are using documents that it
 honors the `agent.json` field.
 
diff --git a/content/docs/guides/common-use-cases.mdx b/content/docs/guides/common-use-cases.mdx
index 08d21a9..eafa38d 100644
--- a/content/docs/guides/common-use-cases.mdx
+++ b/content/docs/guides/common-use-cases.mdx
@@ -153,7 +153,7 @@ Read next: [Agent Authoring](/configure-and-extend/agent-authoring).
 Start with [Projects](/web/spaces) when the repo is the unit of work.
 
 Use [Vercel](/integrations/vercel) when sandbox or preview behavior depends on
-a user-billed Vercel project, repository linkage, or environment synchronization.
+repository linkage, project metadata, or environment synchronization.
 
 Use [Sandboxes](/web/sandboxes) when you need to inspect live, pending, pinned,
 or stale sandbox state.
diff --git a/content/docs/guides/index.mdx b/content/docs/guides/index.mdx
index eb9325e..e9020f7 100644
--- a/content/docs/guides/index.mdx
+++ b/content/docs/guides/index.mdx
@@ -25,7 +25,7 @@ known, but the sequence still matters.
   <Card
     title="Sandbox Setup Checklist"
     href="/guides/sandbox-setup-checklist"
-    description="Configure root directory, commands, ports, env, branch intent, Vercel linkage, and preview expectations before debugging runs."
+    description="Configure root directory, commands, ports, env, branch intent, managed access, and preview expectations before debugging runs."
   />
   <Card
     title="Model Selection and Cost"
@@ -75,7 +75,7 @@ known, but the sequence still matters.
   <Card
     title="Configuration and Flags"
     href="/cli/guides/configuration-and-flags"
-    description="CLI flags, environment variables, storage paths, provider keys, and synced MCP behavior."
+    description="CLI flags, environment variables, storage paths, auth escape hatches, and synced MCP behavior."
   />
   <Card
     title="Slash Commands"
diff --git a/content/docs/guides/model-selection-and-cost.mdx b/content/docs/guides/model-selection-and-cost.mdx
index 0bc1a3b..b0fde19 100644
--- a/content/docs/guides/model-selection-and-cost.mdx
+++ b/content/docs/guides/model-selection-and-cost.mdx
@@ -33,7 +33,7 @@ Model configuration appears in several places:
 | Surface | What it controls |
 | --- | --- |
 | [Settings -> Models](/web/models) | Enabled models, disabled models, and the default model for new work |
-| [Settings -> API Keys](/web/settings) | Provider access for hosted work when platform AI is not enough |
+| [Plans & Billing](/plans-and-billing) | Account-level managed access for hosted model usage |
 | [Agents](/web/agents) | The default model for that reusable agent |
 | [Automations](/web/automations) | Node-level model overrides inside one workflow draft |
 | [Repo settings](/web/spaces) | Repo-specific exclusions from the globally enabled model set |
@@ -47,13 +47,14 @@ automation node, assignment, or repo rule.
 
 1. Open [Available Models](/web/models) and make sure the account has at least
    one enabled model.
-2. Set a default model that is safe for ordinary new work.
-3. Give specialized agents explicit models when the job needs it.
-4. Use automation node overrides only when one node differs from the base
+2. Confirm the plan includes the level of model usage the workflow needs.
+3. Set a default model that is safe for ordinary new work.
+4. Give specialized agents explicit models when the job needs it.
+5. Use automation node overrides only when one node differs from the base
    agent on purpose.
-5. Add repo-specific exclusions when a codebase should not use a model family,
+6. Add repo-specific exclusions when a codebase should not use a model family,
    provider, or cost profile.
-6. Review [Observability](/web/observability) and [Cost & Usage](/cli/reference/cost-and-usage)
+7. Review [Observability](/web/observability) and [Cost & Usage](/cli/reference/cost-and-usage)
    after real runs, not just after setup.
 
 ## When to override the default
diff --git a/content/docs/guides/observability-runbook.mdx b/content/docs/guides/observability-runbook.mdx
index 3d7193a..8cfaf06 100644
--- a/content/docs/guides/observability-runbook.mdx
+++ b/content/docs/guides/observability-runbook.mdx
@@ -98,22 +98,21 @@ When a run exists but stays pending:
 1. Check summary cards for stale pending work or start failures.
 2. Open the run row and inspect the first event.
 3. Check sandbox allocation state if the run needs a sandbox.
-4. Check provider access if the run never reaches a model call.
+4. Check managed model access if the run never reaches a model call.
 5. Check whether the source surface is repeatedly re-enqueuing the same work.
 
 If the run came from the public API, use
 `GET /api/v1/mogplex/runs/{runId}` and
 `GET /api/v1/mogplex/runs/{runId}/events` to compare API state with the UI.
 
-## Model Or Provider Failure
+## Model Or Access Failure
 
-For provider errors:
+For model access errors:
 
 1. Confirm the model exists in [Available Models](/web/models).
-2. Confirm the user or team has provider access.
-3. Confirm a stored provider key is valid if platform AI is not enabled.
-4. Check whether the agent, repo, or route excludes the model.
-5. Compare token and cost fields to see whether the call reached the provider.
+2. Confirm the user or team plan includes access to hosted model usage.
+3. Check whether the agent, repo, or route excludes the model.
+4. Compare token and cost fields to see whether the call reached execution.
 
 Use [Model Selection and Cost](/guides/model-selection-and-cost) when the model
 is available but the default, route, or cost policy is unclear.
@@ -137,7 +136,7 @@ For sandbox-backed failures:
 
 1. Open the linked sandbox from the Activity row when available.
 2. Check root directory, install command, dev command, dev port, and env source.
-3. Check Vercel project or platform sandbox entitlement.
+3. Check managed sandbox access and optional Vercel project metadata.
 4. Check branch and preview URL.
 5. Stop, restart, or delete only after capturing the first failure event.
 
@@ -172,7 +171,7 @@ When handing the issue to another person, include:
 - sandbox ID or preview URL if applicable
 - what changed immediately before the failure
 
-Leave out raw provider keys, `mog_...` tokens, Slack link URLs, decrypted MCP
+Leave out raw credentials, `mog_...` tokens, Slack link URLs, decrypted MCP
 config, and full `.env` files. See
 [Security and Data Handling](/reference/security-and-data-handling) for the
 safe-sharing checklist.
diff --git a/content/docs/guides/sandbox-setup-checklist.mdx b/content/docs/guides/sandbox-setup-checklist.mdx
index 0b6f285..652f750 100644
--- a/content/docs/guides/sandbox-setup-checklist.mdx
+++ b/content/docs/guides/sandbox-setup-checklist.mdx
@@ -1,6 +1,6 @@
 ---
 title: Sandbox Setup Checklist
-description: Configure repo, branch, root directory, commands, ports, env, Vercel linkage, and preview expectations before debugging sandbox runs.
+description: Configure repo, branch, root directory, commands, ports, env, managed access, and preview expectations before debugging sandbox runs.
 ---
 
 Use this checklist when a workspace, preview, or cloud run depends on a Mogplex
@@ -20,7 +20,8 @@ contract before changing agents, prompts, routes, or models.
 | Dev command | The preview process must start the actual app or service |
 | Dev port | The preview router needs the port the app listens on |
 | Environment variables | Missing secrets usually look like app boot or preview health failures |
-| Vercel linkage | User-billed preview behavior can depend on linked Vercel project state |
+| Managed sandbox access | Workspace launch depends on the account plan including sandbox access |
+| Vercel project metadata | Optional env sync and preview settings can depend on linked Vercel project state |
 | Branch intent | Decide whether the sandbox should work on default branch, an existing branch, or a new branch |
 | Timeout and idle behavior | Long-running previews need realistic timeout expectations |
 
@@ -31,8 +32,8 @@ contract before changing agents, prompts, routes, or models.
 3. Set `root_directory` for monorepos.
 4. Set install command, dev command, and dev port.
 5. Add required env vars or secrets.
-6. Link or confirm Vercel state when the repo relies on Vercel-backed preview
-   behavior.
+6. Confirm managed sandbox access, and only then check optional Vercel-linked
+   preview metadata if the repo uses it.
 7. Launch one workspace manually before adding triggers or automations.
 
 If the manual workspace launch fails, fix the project settings before debugging
diff --git a/content/docs/guides/troubleshooting.mdx b/content/docs/guides/troubleshooting.mdx
index 4f5e094..e5c3334 100644
--- a/content/docs/guides/troubleshooting.mdx
+++ b/content/docs/guides/troubleshooting.mdx
@@ -19,13 +19,13 @@ work started.
 | Slack mention replies but does not start repo work | Slack channel link, user mapping, repo-agent enabled state, or workspace limits |
 | Route exists but no run appears | route source, coverage, enabled state, or published automation |
 | Run appears but fails | runtime, model, tool, connection, sandbox, or prompt |
-| Preview is unhealthy | repo settings, Vercel linkage, sandbox state, or dev command |
-| Model is missing from a picker | model catalog, provider access, default model, or repo exclusion |
+| Preview is unhealthy | repo settings, managed sandbox access, optional Vercel metadata, sandbox state, or dev command |
+| Model is missing from a picker | model catalog, plan access, default model, or repo exclusion |
 | CLI signs in but state looks wrong | CLI auth, account state, local config, or synced hosted state |
 
 ## Debug order
 
-1. Check [Settings](/web/settings) for identity, provider access, model
+1. Check [Settings](/web/settings) for identity, account access, model
    defaults, CLI tokens, connections, and GitHub account state.
 2. Check [Installations](/web/installations) for GitHub App coverage.
 3. Check [Projects](/web/spaces) for repo visibility, repo settings, and
@@ -101,7 +101,7 @@ Check:
 
 - whether the model is visible in the live catalog
 - whether the model is enabled for the account
-- whether provider access or bring-your-own-key state is required
+- whether the account plan includes access to that model
 - whether the agent is pinned to a hidden legacy model
 - whether a repo or route excludes the model
 - whether the CLI has synced the expected hosted state
@@ -142,7 +142,8 @@ Check:
 - dev command
 - dev port
 - environment mapping
-- linked Vercel team and project
+- managed sandbox access
+- optional linked Vercel team and project metadata
 - sandbox timeout
 - active branch and preview URL
 
diff --git a/content/docs/index.mdx b/content/docs/index.mdx
index 468983b..0e52618 100644
--- a/content/docs/index.mdx
+++ b/content/docs/index.mdx
@@ -60,7 +60,7 @@ finish, then drill into the product surface that owns it.
   <Card
     title="Available Models"
     href="/web/models"
-    description="Understand the live model catalog, enabled models, defaults, provider access, CLI sync, and repo-level exclusions."
+    description="Understand the live model catalog, enabled models, defaults, plan access, CLI sync, and repo-level exclusions."
   />
   <Card
     title="Model Selection and Cost"
@@ -170,12 +170,12 @@ finish, then drill into the product surface that owns it.
   <Card
     title="Settings"
     href="/web/settings"
-    description="Manage GitHub identity, App coverage, provider keys, CLI tokens, models, shared preferences, and connections."
+    description="Manage GitHub identity, App coverage, billing access, access tokens, models, shared preferences, and connections."
   />
   <Card
     title="Available Models"
     href="/web/models"
-    description="Understand the live model catalog, enabled models, defaults, provider access, CLI sync, and repo-level exclusions."
+    description="Understand the live model catalog, enabled models, defaults, plan access, CLI sync, and repo-level exclusions."
   />
   <Card
     title="Installations"
diff --git a/content/docs/integrations/index.mdx b/content/docs/integrations/index.mdx
index 712e5db..9bf7420 100644
--- a/content/docs/integrations/index.mdx
+++ b/content/docs/integrations/index.mdx
@@ -15,7 +15,7 @@ runtime credentials, automation, and external tools.
   <Card
     title="Vercel"
     href="/integrations/vercel"
-    description="Understand Personal Vercel, repo-linked projects, sandbox billing, env sync, and preview troubleshooting."
+    description="Understand repo-linked Vercel project metadata, env sync, and preview troubleshooting."
   />
   <Card
     title="Slack"
@@ -56,6 +56,7 @@ runtime credentials, automation, and external tools.
 
 ## Integration order
 
-Start with GitHub identity and GitHub App coverage before debugging webhook
-routing. Add provider keys, Vercel, Slack, MCP servers, and CI entry points
-only after the account can see and cover the repo that should run.
+Start with GitHub identity, GitHub App coverage, and managed account access
+before debugging webhook routing. Add optional Vercel metadata, Slack, MCP
+servers, and CI entry points only after the account can see and cover the repo
+that should run.
diff --git a/content/docs/integrations/vercel.mdx b/content/docs/integrations/vercel.mdx
index 4cebfb8..b39119a 100644
--- a/content/docs/integrations/vercel.mdx
+++ b/content/docs/integrations/vercel.mdx
@@ -1,20 +1,19 @@
 ---
 title: Vercel
-description: Configure Personal Vercel, repo-linked projects, sandbox billing, environment sync, and preview troubleshooting for Mogplex.
+description: Configure repo-linked Vercel project metadata, environment sync, and preview troubleshooting for Mogplex.
 ---
 
-Vercel is optional for some Mogplex accounts and required for others.
+Vercel is optional integration metadata for repos that need project-aware
+preview settings.
 
-Use it when sandbox-backed workspace sessions should run against your own
-Vercel project instead of Mogplex-managed platform sandbox billing, or when a
-repo needs Vercel-linked project settings for previews and environment sync.
+Mogplex-managed billing owns sandbox access. Use the Vercel integration when a
+repo needs Vercel-linked project settings for previews, root directories, and
+environment sync. Do not use it as an external sandbox account path.
 
 ## Where Vercel is configured
 
-Vercel setup is split across account and repo state:
+Vercel setup is primarily repo state:
 
-- [Settings](/web/settings#personal-vercel) links Personal Vercel for the
-  account.
 - [Projects](/web/spaces) owns repo-specific Vercel team, project, root
   directory, env mapping, install command, dev command, port, and timeout
   settings.
@@ -23,17 +22,15 @@ Vercel setup is split across account and repo state:
 - [Observability](/web/observability) shows the call, job, sandbox, model, and
   cost trail after work starts.
 
-## Billing modes
+## Billing model
 
-Repo settings can use either Mogplex-managed sandbox billing or a linked Vercel
-project, depending on what the account supports.
+Sandbox usage is billed through Mogplex. A linked Vercel project can provide
+preview metadata and environment sync, but it is not the billing source for
+Mogplex sandboxes.
 
-If platform sandbox billing is not enabled for the account, Mogplex can require
-Personal Vercel before sandbox-backed workspace work starts.
-
-That does not mean every routing setup needs Vercel first. You can still
-configure GitHub coverage, repo import, agents, triggers, assignments, and
-automations before finishing the sandbox path.
+That means you can configure GitHub coverage, repo import, agents, triggers,
+assignments, and automations without asking users to attach their own sandbox
+account.
 
 ## Repo-linked project settings
 
@@ -72,12 +69,12 @@ Start from the surface that owns the failure:
 - Repo configuration problem: [Projects](/web/spaces)
 - Runtime already exists but looks stuck: [Sandboxes](/web/sandboxes)
 - Need the call or job trail behind the runtime: [Observability](/web/observability)
-- Account-level Vercel connection missing: [Settings](/web/settings#personal-vercel)
+- Account lacks managed sandbox access: [Plans & Billing](/plans-and-billing)
 
 Common failure modes:
 
-- **Sandbox launch asks for Personal Vercel**: the account or repo is on a
-  user-billed sandbox path and Personal Vercel is not linked yet.
+- **Sandbox launch says access is unavailable**: the account plan may not
+  include managed sandbox access yet.
 - **Preview opens the wrong app**: set the repo root directory, install
   command, dev command, and dev port explicitly.
 - **Env values are missing**: inspect env mapping mode, linked Vercel project
@@ -88,7 +85,7 @@ Common failure modes:
 ## Read next
 
 <Cards>
-  <Card title="Settings" href="/web/settings#personal-vercel" />
+  <Card title="Plans & Billing" href="/plans-and-billing" />
   <Card title="Projects" href="/web/spaces" />
   <Card title="Sandboxes" href="/web/sandboxes" />
   <Card title="Observability" href="/web/observability" />
diff --git a/content/docs/plans-and-billing.mdx b/content/docs/plans-and-billing.mdx
index 879f44c..b251cbc 100644
--- a/content/docs/plans-and-billing.mdx
+++ b/content/docs/plans-and-billing.mdx
@@ -11,26 +11,30 @@ This page is a placeholder so pricing, entitlement, usage-limit, invoice, and
 billing setup links have a stable home while the billing surface ships.
 
 <Callout title="Coming soon">
-  Detailed plan comparison, account billing, included usage, usage limits,
-  invoices, payment method management, and team billing controls will be
-  documented here when they are available.
+  Detailed plan comparison, account billing, included model usage, managed
+  sandbox access, usage limits, invoices, payment method management, and team
+  billing controls will be documented here when they are available.
 </Callout>
 
+Mogplex is moving to managed billing for hosted work. That means hosted model
+access and sandbox access come from the Mogplex account plan rather than
+external model credentials or external sandbox accounts.
+
 ## What will live here
 
 - plan tiers and included usage
 - how hosted runs, CLI runs, and account usage are counted
 - where admins manage payment methods and invoices
 - how usage limits and overages behave
-- how provider keys and Mogplex-managed access interact
+- how managed model and sandbox access are included in each plan
 - which roles can view or change billing state
 
 ## What to use today
 
-- Use [Settings](/web/settings) for account setup, provider keys, CLI tokens,
+- Use [Settings](/web/settings) for account setup, access tokens,
   connections, and shared preferences.
 - Use [Available Models](/web/models) for model availability, enabled models,
-  defaults, provider access, and CLI sync behavior.
+  defaults, account access, and CLI sync behavior.
 - Use [Observability](/web/observability) to inspect run health, model calls,
   tokens, and estimated cost.
 - Use [CLI Cost & Usage](/cli/reference/cost-and-usage) for local cockpit
diff --git a/content/docs/platform/app.mdx b/content/docs/platform/app.mdx
index 68ff891..0068808 100644
--- a/content/docs/platform/app.mdx
+++ b/content/docs/platform/app.mdx
@@ -16,7 +16,7 @@ that other surfaces consume.
 
 | Area | What it controls |
 | --- | --- |
-| [Settings](/web/settings) | GitHub identity, App coverage, provider keys, CLI tokens, connections, model defaults, and preferences |
+| [Settings](/web/settings) | GitHub identity, App coverage, managed access, access tokens, connections, model defaults, and preferences |
 | [Projects](/web/spaces) | Repo import, workspace launch, repo settings, sandbox startup, monorepo entries, assignments, and cron setup |
 | [Agents](/web/agents) | Reusable agents, preset forks, categories, slugs, model choice, skills, rules, and context |
 | [Triggers](/web/triggers) | One GitHub event routed directly to one agent |
@@ -38,7 +38,7 @@ that other surfaces consume.
 
 For a new account or new repo, use the app in this order:
 
-1. Connect GitHub and provider state in [Settings](/web/settings).
+1. Connect GitHub and confirm managed account access in [Settings](/web/settings).
 2. Confirm App-backed repo coverage in [Installations](/web/installations).
 3. Sync and open the target repo in [Projects](/web/spaces).
 4. Check reusable behavior in [Agents](/web/agents).
diff --git a/content/docs/platform/how-mogplex-fits-together.mdx b/content/docs/platform/how-mogplex-fits-together.mdx
index 3d7fa50..a687ad0 100644
--- a/content/docs/platform/how-mogplex-fits-together.mdx
+++ b/content/docs/platform/how-mogplex-fits-together.mdx
@@ -19,7 +19,7 @@ Each object answers a different question.
 
 | Object | Owns | Start here when |
 | --- | --- | --- |
-| Account state | Identity, provider access, CLI tokens, model defaults, Slack installs, connections, MCP definitions | sign-in, model, provider, token, Slack, or connection state looks wrong |
+| Account state | Identity, managed model and sandbox access, CLI tokens, model defaults, Slack installs, connections, MCP definitions | sign-in, model, billing, token, Slack, or connection state looks wrong |
 | GitHub installation | App-backed coverage for one GitHub user or org | repos are visible but GitHub events do not trigger work |
 | Repo | Imported repository state and repo-specific settings | the target repo is missing, duplicated, hidden, or needs runtime settings |
 | Agent | Reusable behavior, slug, prompt, model, skills, rules, and context | the worker itself behaves wrong or a mention slug does not resolve |
diff --git a/content/docs/platform/index.mdx b/content/docs/platform/index.mdx
index 9184325..640bf6e 100644
--- a/content/docs/platform/index.mdx
+++ b/content/docs/platform/index.mdx
@@ -38,7 +38,7 @@ Start here when you need to understand where work should happen.
   <Card
     title="Sandbox Setup Checklist"
     href="/guides/sandbox-setup-checklist"
-    description="Confirm root directory, commands, ports, env, branch intent, Vercel linkage, and preview expectations before debugging runs."
+    description="Confirm root directory, commands, ports, env, branch intent, managed access, and preview expectations before debugging runs."
   />
   <Card
     title="Hosted API"
diff --git a/content/docs/platform/projects-and-sandboxes.mdx b/content/docs/platform/projects-and-sandboxes.mdx
index 6580dfa..ac2a89f 100644
--- a/content/docs/platform/projects-and-sandboxes.mdx
+++ b/content/docs/platform/projects-and-sandboxes.mdx
@@ -53,7 +53,7 @@ Sandboxes is the operational runtime list. It answers:
 
 1. Confirm GitHub coverage in [Installations](/web/installations).
 2. Sync and find the repo in [Projects](/web/spaces).
-3. Set root directory, dev command, preview port, Vercel linkage, or env
+3. Set root directory, dev command, preview port, optional Vercel metadata, or env
    mapping if needed.
 4. Open the workspace or start preview from the repo card.
 
@@ -71,11 +71,12 @@ Use Projects to create sub-project entries or set `root_directory`,
 `dev_command`, and `dev_port` explicitly. Do not rely on one repo root when the
 actual app lives under a package or app directory.
 
-## Vercel relationship
+## Billing and Vercel relationship
 
-Sandbox and preview behavior can depend on linked Vercel state, especially when
-the repo uses a user-billed project. If sandbox launch fails after repo setup,
-read [Vercel](/integrations/vercel) before editing routing or agent behavior.
+Sandbox access is billed through Mogplex. Optional linked Vercel project
+metadata can still matter for preview env sync or project-specific settings. If
+sandbox launch fails after repo setup, confirm [Plans & Billing](/plans-and-billing)
+and [Vercel](/integrations/vercel) before editing routing or agent behavior.
 
 ## Read next
 
diff --git a/content/docs/quickstart.mdx b/content/docs/quickstart.mdx
index 73d260b..a12e277 100644
--- a/content/docs/quickstart.mdx
+++ b/content/docs/quickstart.mdx
@@ -16,7 +16,8 @@ needs before it can do useful work:
 
 - GitHub identity
 - GitHub App coverage for the user or org that owns the repo
-- provider keys or platform model access
+- plan-backed model access
+- managed sandbox access when the repo needs previews or workspaces
 - CLI access tokens if you plan to use the terminal cockpit
 - Slack workspace and channel links if work should start from Slack
 - shared connections and MCP definitions, if the repo needs external tools
@@ -32,9 +33,8 @@ Go to [Projects](/web/spaces), sync repos, and open the target repo.
 
 That repo surface is where hosted work starts. From there, check that the repo
 appears once, belongs to the expected owner, and has the coverage state you
-expect. If the repo needs sandbox-backed previews through a user-billed
-project, configure the [Vercel integration](/integrations/vercel) before
-debugging workspace launch.
+expect. If the repo needs sandbox-backed previews, confirm the account plan has
+managed sandbox access before debugging workspace launch.
 
 ## 3. Check agents and models
 
diff --git a/content/docs/reference/glossary.mdx b/content/docs/reference/glossary.mdx
index fa2b995..0214870 100644
--- a/content/docs/reference/glossary.mdx
+++ b/content/docs/reference/glossary.mdx
@@ -11,7 +11,7 @@ short version before reading the full guide or reference page.
 Shared state attached to the signed-in Mogplex account.
 
 Account state includes GitHub identity, GitHub App coverage, Slack installs,
-provider keys, CLI tokens, model access, shared connections, and MCP
+access tokens, managed model access, shared connections, and MCP
 definitions. Start with [Settings](/web/settings) when account state looks
 wrong.
 
@@ -189,7 +189,7 @@ An isolated runtime or preview workspace associated with hosted work.
 
 Use Sandboxes to inspect live and pending preview runtimes, pinned workspaces,
 and stale sandbox cleanup paths. Use Vercel docs when sandbox behavior depends
-on repo-linked projects, billing, or environment sync.
+on repo-linked project metadata or environment sync.
 
 Read next: [Sandboxes](/web/sandboxes) and [Vercel](/integrations/vercel).
 
diff --git a/content/docs/reference/index.mdx b/content/docs/reference/index.mdx
index 5cc79aa..d165d13 100644
--- a/content/docs/reference/index.mdx
+++ b/content/docs/reference/index.mdx
@@ -51,7 +51,7 @@ and export formats.
   <Card
     title="Security and Data Handling"
     href="/reference/security-and-data-handling"
-    description="Identity, tokens, provider keys, connection secrets, webhooks, run events, sandboxes, and safe support artifacts."
+    description="Identity, tokens, managed model access, connection secrets, webhooks, run events, sandboxes, and safe support artifacts."
   />
   <Card
     title="Keybindings"
diff --git a/content/docs/reference/security-and-data-handling.mdx b/content/docs/reference/security-and-data-handling.mdx
index d0308c5..69df2dc 100644
--- a/content/docs/reference/security-and-data-handling.mdx
+++ b/content/docs/reference/security-and-data-handling.mdx
@@ -1,6 +1,6 @@
 ---
 title: Security and Data Handling
-description: Understand how Mogplex handles identity, tokens, provider keys, connection secrets, webhooks, API events, sandboxes, and support data.
+description: Understand how Mogplex handles identity, tokens, managed model access, connection secrets, webhooks, API events, sandboxes, and support data.
 ---
 
 This page is the practical trust reference for Mogplex.
@@ -15,8 +15,8 @@ Mogplex crosses several systems:
 
 - GitHub OAuth and the Mogplex GitHub App for identity, repo discovery, and
   webhook-backed routing
-- Vercel OAuth or platform sandbox access for preview runtimes
-- provider keys for hosted model execution
+- managed sandbox access for preview runtimes
+- managed model access for hosted execution
 - Slack OAuth and webhooks for Slack conversations and repo-agent starts
 - REST and MCP connections for tools agents can call
 - personal access tokens for CLI, scripts, and the public v1 API
@@ -44,25 +44,13 @@ per key before route handlers proceed.
 Use [API Authentication](/web/api/authentication) for request examples and
 scope behavior.
 
-## Provider Keys
+## Managed Model Access
 
-Provider keys in Settings are for hosted Mogplex execution, not local shell
-environment variables.
+Hosted model execution is billed and authorized through Mogplex account access.
 
-The Settings key surface currently covers:
-
-- AI Gateway
-- OpenAI
-- Anthropic
-- OpenRouter
-
-These keys are stored as secrets and used when hosted work needs provider
-access. The UI shows whether a key exists, when it was added, and whether a
-verification check passed. It does not display the raw key after save.
-
-Local CLI provider env vars remain local runtime state. Do not assume setting a
-local `OPENAI_API_KEY` or `ANTHROPIC_API_KEY` updates hosted Mogplex provider
-state.
+Users do not need external model credentials for hosted runs. If a model cannot
+be used, debug the account plan, model catalog, and entitlement state instead
+of rotating local shell credentials.
 
 ## Connections And MCP Secrets
 
@@ -108,7 +96,7 @@ or oversized payloads are capped so event data is useful without becoming a raw
 secret dump.
 
 Team audit payloads also redact fields whose names look like prompts, tokens,
-API keys, credentials, passwords, provider keys, or secrets.
+API keys, credentials, passwords, or secrets.
 
 Even with those controls, support requests should include identifiers and the
 first error string, not raw credentials, full env dumps, or full private prompts.
@@ -124,7 +112,8 @@ Before starting sandbox work, confirm:
 - the repo and branch are correct
 - root directory, install command, dev command, and port are correct
 - the environment source is intentional
-- the linked Vercel project or platform sandbox entitlement is expected
+- managed sandbox access is available for the account
+- optional linked Vercel project metadata is intentional when used
 - Slack or GitHub routing is starting work under the user you intend
 
 Use [Sandbox Setup Checklist](/guides/sandbox-setup-checklist) before treating a
@@ -145,7 +134,6 @@ Good support artifacts:
 
 Avoid sharing:
 
-- provider API keys
 - `mog_...` tokens
 - Slack account-link URLs
 - decrypted MCP server config
@@ -160,7 +148,6 @@ Rotate or revoke the smallest credential that matches the risk:
 - Revoke a Mogplex PAT when API or CLI access is exposed.
 - Reconnect GitHub or Slack when OAuth state is wrong or the workspace owner
   changes.
-- Rotate provider keys when hosted model credentials were exposed.
 - Recreate a connection when an external REST or MCP credential was exposed.
 - Stop or delete a sandbox when runtime state may contain sensitive files.
 
diff --git a/content/docs/support.mdx b/content/docs/support.mdx
index 3c64d78..f73637a 100644
--- a/content/docs/support.mdx
+++ b/content/docs/support.mdx
@@ -30,7 +30,7 @@ For a longer decision tree, use [Troubleshooting](/guides/troubleshooting).
 
 Before changing routing or agent configuration, check these in order:
 
-1. [Settings](/web/settings): GitHub identity, App coverage, provider keys,
+1. [Settings](/web/settings): GitHub identity, App coverage, managed access,
    CLI tokens, and shared connections.
 2. [Installations](/web/installations): whether the repo owner has App-backed
    coverage.
diff --git a/content/docs/web/api/quickstart.mdx b/content/docs/web/api/quickstart.mdx
index fd680dd..165ea44 100644
--- a/content/docs/web/api/quickstart.mdx
+++ b/content/docs/web/api/quickstart.mdx
@@ -36,7 +36,7 @@ Every request below uses the same bearer header:
 ## 1. Verify the account
 
 Start with account state. This tells you whether the token works and whether
-GitHub, platform AI, sandbox, and Vercel state look ready.
+GitHub, managed model access, and managed sandbox access look ready.
 
 ```bash
 curl -sS \
@@ -206,7 +206,7 @@ resume, or delete belong in the web UI until the lifecycle routes are exposed.
 | `409 IDEMPOTENCY_CONFLICT` | Same idempotency key was reused with a different body |
 | `429 RATE_LIMITED` | Respect `Retry-After` and reduce request or run-start rate |
 | No repo appears | Fix GitHub App coverage or repo import before API work |
-| No model is usable | Check [Available Models](/web/models) and provider keys |
+| No model is usable | Check [Available Models](/web/models) and plan-backed model access |
 
 ## Read next
 
diff --git a/content/docs/web/api/route-families.mdx b/content/docs/web/api/route-families.mdx
index c62e058..653972c 100644
--- a/content/docs/web/api/route-families.mdx
+++ b/content/docs/web/api/route-families.mdx
@@ -58,7 +58,7 @@ These routes answer questions like:
 
 - who is the current user in Mogplex terms?
 - what GitHub/App/Vercel setup state should the UI show?
-- what provider keys, CLI tokens, defaults, and models are available?
+- what access tokens, defaults, managed access, and models are available?
 
 One important implementation detail:
 
diff --git a/content/docs/web/api/working-requests.mdx b/content/docs/web/api/working-requests.mdx
index b732376..7ba8c1b 100644
--- a/content/docs/web/api/working-requests.mdx
+++ b/content/docs/web/api/working-requests.mdx
@@ -53,15 +53,14 @@ Representative response:
     "github_state": "app_installed_with_synced_repos",
     "github_installation_count": 2,
     "github_covered_repo_count": 8,
-    "platform_access": {
-      "allowPlatformAi": true,
-      "allowPlatformSandbox": false
+    "managed_access": {
+      "allowModels": true,
+      "allowSandboxes": false
     },
     "vercel": {
       "platformState": "ready",
-      "personalState": "linked",
       "linkedProjectState": "repo",
-      "statusLabel": "Platform ready"
+      "statusLabel": "Project metadata ready"
     }
   }
 }
@@ -71,8 +70,8 @@ Use this call to answer:
 
 - is the caller authenticated?
 - is GitHub only OAuth-connected, install-pending, or fully App-covered?
-- does the account have platform AI or sandbox access?
-- is Personal Vercel linked and already attached to a repo or project?
+- does the account have managed model and sandbox access?
+- is optional Vercel project metadata already attached to a repo or project?
 
 ## 2. Read or update shared defaults with `/api/settings`
 
diff --git a/content/docs/web/guides/project-workflow.mdx b/content/docs/web/guides/project-workflow.mdx
index 754db58..e0ad74d 100644
--- a/content/docs/web/guides/project-workflow.mdx
+++ b/content/docs/web/guides/project-workflow.mdx
@@ -87,21 +87,16 @@ Two practical nuances matter here:
 - Once installation-backed sync is active, covered repos become the preferred
   source of truth in Projects, which helps avoid stale OAuth-only duplicates.
 
-## 5. Set up sandbox billing if you plan to launch workspaces
+## 5. Confirm managed sandbox access if you plan to launch workspaces
 
-Repo import and routing setup do not require Vercel, but sandbox-backed
-workspace sessions do.
+Repo import and routing setup do not require sandbox access, but
+sandbox-backed workspace sessions do.
 
-Mogplex supports two main paths:
+Hosted sandbox access is billed through Mogplex. Users do not need to attach an
+external sandbox account for workspace sessions.
 
-- Mogplex-managed platform sandbox access for accounts that have it enabled
-- your own Vercel billing project linked through [Settings](/web/settings)
-
-If Vercel is connected but you have not selected a billing project yet,
-Projects will push you toward creating a project with Vercel billing attached.
-
-If you only want to configure routing first, you can do that before you finish
-the sandbox path.
+If you only want to configure routing first, you can do that before the account
+has managed sandbox access.
 
 ## 6. Open a workspace
 
@@ -153,7 +148,7 @@ If you want the shortest version:
 1. Connect GitHub in [Settings](/web/settings)
 2. Install the GitHub App for the repo owner
 3. Open [Projects](/web/spaces) and import or create the repo
-4. Link Vercel billing if you need sandbox-backed workspaces
+4. Confirm managed sandbox access if you need sandbox-backed workspaces
 5. Open a workspace
 6. Add a Trigger, Assignment, or Automation
 7. Test the exact GitHub event you expect, then confirm it in
diff --git a/content/docs/web/index.mdx b/content/docs/web/index.mdx
index 46d9469..70ead8d 100644
--- a/content/docs/web/index.mdx
+++ b/content/docs/web/index.mdx
@@ -40,10 +40,10 @@ behavior, or why something ran the way it did, the answer usually starts here.
   cron, and triage work.
 - **Observability** tracks runs, pressure, failures, model calls, tool usage,
   and sandbox-linked activity.
-- **Settings** manages GitHub identity, App coverage, connections, provider
-  keys, CLI tokens, models, preferences, and synced MCP definitions.
+- **Settings** manages GitHub identity, App coverage, connections, access
+  tokens, models, preferences, billing access, and synced MCP definitions.
 - **Available Models** explains the live model catalog, enabled-state rules,
-  default-model behavior, provider access, CLI sync, and repo-level exclusions.
+  default-model behavior, plan access, CLI sync, and repo-level exclusions.
 
 ## The clean mental model
 
@@ -144,7 +144,7 @@ For the full redirect map, use [Legacy Routes](/web/guides/legacy-routes).
   webhook coverage are separate concerns. Projects can show synced repos before
   they are fully triggerable.
 - **Where do I set up models and external tools?** Use
-  [Settings](/web/settings) for provider keys and connections, and
+  [Settings](/web/settings) for account access and connections, and
   [Available Models](/web/models) for model availability, defaults, and enabled
   state. Agent behavior belongs in [Agents](/web/agents).
 - **Where do I manually stop or inspect previews across repos?** Use
diff --git a/content/docs/web/models.mdx b/content/docs/web/models.mdx
index 5b94088..5be7445 100644
--- a/content/docs/web/models.mdx
+++ b/content/docs/web/models.mdx
@@ -8,7 +8,7 @@ table.
 
 That is intentional. Model availability, pricing, context length, provider
 reachability, recommendations, and enabled state can change by account, team,
-provider keys, and sync state. Use this page to understand how to read the
+plan, entitlement, and sync state. Use this page to understand how to read the
 catalog and where model choices take effect.
 
 ## Where to see models
@@ -50,15 +50,14 @@ rewrite of every saved configuration.
 For a model to be useful, two things must line up:
 
 1. the model must be visible and available in the catalog
-2. the account or team must have a provider path that can reach it
+2. the account or team must have plan-backed access to use it
 
-Mogplex supports hosted provider access through Settings API keys and platform
-access. The Settings **API Keys** section stores encrypted keys for provider
-access such as AI Gateway, OpenAI, and Anthropic. The runtime uses that provider
-access when it resolves a selected model for hosted work.
+Mogplex-hosted model access is managed by the account plan. Settings can show
+which models are enabled for the account, but users do not need external model
+credentials for hosted runs.
 
-If platform AI is not enabled for an account, add a supported provider key in
-[Settings](/web/settings) before debugging agents, flows, or CLI login.
+If no usable model is available, check the account plan or entitlement state
+before debugging agents, flows, or CLI login.
 
 ## Enabled models vs hidden models
 
@@ -120,14 +119,14 @@ That scope split is:
 | Symptom | Check |
 | --- | --- |
 | No models appear in an agent picker | Open Settings → Models and confirm at least one model is enabled. |
-| A model appears but a run fails with provider access errors | Add or verify provider keys in Settings → API Keys. |
+| A model appears but a run fails with access errors | Check the account plan, entitlement state, and model availability. |
 | The CLI signs in but no shared model list appears | Confirm the web account has model access and that the CLI is using account-backed login. |
 | A saved agent references a hidden or stale model | Move it to a visible enabled model in the agent editor. |
 | A repo cannot use a globally enabled model | Check repo settings for a repo-specific model exclusion. |
 
 ## Read next
 
-- [Settings](/web/settings) for account-level API keys, preferences, and models
+- [Settings](/web/settings) for account preferences, access tokens, and models
 - [API → Models](/web/api/models) for the route contract behind the catalog
 - [Agents](/web/agents) for model choice on reusable agents
 - [CLI → Authentication](/cli/guides/authentication) for account-backed model
diff --git a/content/docs/web/observability.mdx b/content/docs/web/observability.mdx
index abb9f67..8957cab 100644
--- a/content/docs/web/observability.mdx
+++ b/content/docs/web/observability.mdx
@@ -97,8 +97,8 @@ can include:
 
 - a GitHub deep link when the source metadata maps back to a PR, issue, or
   related event
-- sandbox billing information, linked Vercel project or team, sandbox record
-  ID, preview URL, and runtime ID
+- managed sandbox access details, optional linked Vercel project metadata,
+  sandbox record ID, preview URL, and runtime ID
 - a shortcut to open sandbox health directly
 - runtime command ID when the call came from the CLI path
 - the error string, if the call failed
@@ -115,7 +115,7 @@ this call come from?”
 ### A sandbox-backed run looks unhealthy
 
 1. Open the relevant call row.
-2. Inspect sandbox billing and preview metadata.
+2. Inspect managed sandbox access and preview metadata.
 3. Jump straight to sandbox health from the row instead of debugging the model
    call in isolation.
 
diff --git a/content/docs/web/settings.mdx b/content/docs/web/settings.mdx
index 8558f0f..d539f81 100644
--- a/content/docs/web/settings.mdx
+++ b/content/docs/web/settings.mdx
@@ -1,6 +1,6 @@
 ---
 title: Settings
-description: Manage GitHub identity, App coverage, Personal Vercel, connections, provider keys, CLI tokens, models, and shared preferences.
+description: Manage GitHub identity, App coverage, connections, access tokens, models, account billing state, and shared preferences.
 ---
 
 Settings is the account-level control plane for Mogplex.
@@ -13,9 +13,8 @@ CLI sync looks wrong, this is the first page to inspect.
 Settings is where you answer questions like:
 
 - can Mogplex actually act on behalf of this GitHub user or org?
-- do I have hosted model access for the account?
+- does the account plan include hosted model and sandbox access?
 - are the shared MCP or REST connections healthy?
-- is sandbox billing coming from Mogplex or my own Vercel project?
 - why did the CLI sign in, but not inherit the hosted state I expected?
 
 If the question is “what should run for this repo?”, use
@@ -29,11 +28,9 @@ For a new account, the most reliable order is:
 1. connect GitHub
 2. install the Mogplex GitHub App for the personal account or orgs that own the
    repos you want to use
-3. add model access through AI Gateway, OpenAI, or Anthropic keys if platform AI
-   is not already enabled for your account
-4. link Personal Vercel only if you want user-billed sandboxes
-5. add shared connections or MCP servers after the account basics are working
-6. generate CLI access tokens only when the CLI or scripts need to
+3. confirm the account plan includes the model and sandbox access you need
+4. add shared connections or MCP servers after the account basics are working
+5. generate CLI or API access tokens only when the CLI or scripts need to
    authenticate as Mogplex itself
 
 That order keeps you from debugging downstream surfaces before the account can
@@ -43,13 +40,12 @@ actually support them.
 
 Settings currently groups together:
 
-- **Account** state for GitHub identity, GitHub App coverage, and Personal
-  Vercel linkage
+- **Account** state for GitHub identity, GitHub App coverage, and account
+  readiness
 - **Connections** for REST APIs and MCP servers your agents can use
 - **Slack** for workspace install, channel-to-repo links, and repo-agent
   controls
-- **API Keys** for encrypted hosted model-provider credentials
-- **CLI Access Tokens** for CLI and script authentication
+- **Access Tokens** for CLI, API, and script authentication
 - **Preferences** for theme and default model
 - **Models** for the hosted model catalog your account can actually use
 
@@ -68,7 +64,7 @@ It is the part of the product that tells you:
 - whether GitHub is connected at all
 - whether the GitHub App is installed on the right owner
 - whether synced repos exist yet
-- whether Personal Vercel still needs action
+- whether billing, model access, or sandbox access still needs action
 - what the next most likely setup step is
 
 Treat that top block as the “what is missing?” answer before you debug any
@@ -84,7 +80,7 @@ It shows:
 - GitHub App coverage and synced repo counts
 - the next recommended setup step, such as connecting GitHub, finishing App
   install, or syncing repos into Projects
-- Personal Vercel state for user-billed sandbox flows
+- account access state for hosted model and sandbox work
 
 Two distinctions matter here:
 
@@ -96,23 +92,16 @@ If a repo shows up in [Projects](/web/spaces) but still cannot participate in
 [Triggers](/web/triggers) or automation, the usual cause is missing App
 coverage for that owner.
 
-## Personal Vercel
+## Billing and Access
 
-Personal Vercel is optional.
+Hosted model calls and sandbox usage are billed through Mogplex.
 
-Link it when you want sandbox usage to bill against your own Vercel project
-instead of Mogplex-managed platform billing.
+Users do not need external model credentials or external sandbox accounts for
+normal hosted work. If a model picker is empty or a sandbox cannot launch
+because access is missing, check the account plan or entitlement state before
+editing agents, prompts, or repo launch settings.
 
-If your account does not have platform sandbox billing enabled, this section is
-also where Mogplex tells you that Personal Vercel is required before sandbox
-work can start.
-
-This means sandbox launch failures are often one of two things:
-
-- the repo is configured for user-billed sandbox work, but Personal Vercel is
-  not linked yet
-- Personal Vercel is linked, but the repo-specific project or team mapping is
-  still wrong in [Projects](/web/spaces)
+See [Plans & Billing](/plans-and-billing) for the stable billing entry point.
 
 ## GitHub App coverage details
 
@@ -208,30 +197,10 @@ reply conversationally. In a linked channel, a real instruction after
 
 For the full Slack model, see [Slack](/integrations/slack).
 
-## API Keys
-
-The **API Keys** section stores encrypted hosted credentials for:
-
-- AI Gateway
-- OpenAI
-- Anthropic
-- OpenRouter
-
-These keys are for hosted Mogplex execution, not for local shell env vars.
-
-The page can verify whether a stored key is valid, show when it was added, and
-delete it if needed. If platform AI is not enabled for the account, this
-section is where Mogplex pushes you to bring your own provider key.
-
-That split matters:
-
-- if the problem is hosted execution, this section is relevant
-- if the problem is only your local shell session, use local env vars or CLI
-  auth instead
-
-## CLI Access Tokens
+## Access Tokens
 
-**CLI Access Tokens** are separate from provider API keys.
+Access tokens are for authenticating Mogplex clients and scripts. They are not
+model-provider credentials.
 
 Use them when the CLI or another Mogplex-aware script needs to authenticate as
 you against Mogplex itself.
@@ -245,8 +214,8 @@ The section supports:
 - last-used metadata
 - revocation
 
-If you only need provider model access for hosted runs, use **API Keys**
-instead.
+Hosted model and sandbox access comes from the account plan, not from
+user-supplied provider or sandbox credentials.
 
 ## Preferences and Models
 
@@ -262,7 +231,7 @@ If an agent cannot select the model you expect, check **Models** before you
 edit the agent itself.
 
 Use [Available Models](/web/models) when you need the fuller model-access
-mental model: enabled state, defaults, provider access, CLI sync, hidden legacy
+mental model: enabled state, defaults, plan access, CLI sync, hidden legacy
 models, and repo-level exclusions.
 
 ## Fast troubleshooting map
@@ -277,9 +246,8 @@ models, and repo-level exclusions.
 - **Slack replies but does not start repo work**: check channel-to-repo links,
   repo-agent enabled state, Slack user mapping, and monthly/user limits in the
   Slack section.
-- **Sandbox launch asks for Personal Vercel**: that setup is optional overall,
-  but required for user-billed sandbox flows when platform sandbox billing is
-  unavailable.
+- **Sandbox launch says access is unavailable**: check the account plan and
+  entitlement state before changing repo settings.
 - **The repo is visible, but webhook-backed work still does not fire**:
   visibility and App-backed coverage are different states. Check the
   installation list here first.
diff --git a/content/docs/web/spaces.mdx b/content/docs/web/spaces.mdx
index 77fbc46..7e10d7a 100644
--- a/content/docs/web/spaces.mdx
+++ b/content/docs/web/spaces.mdx
@@ -60,7 +60,7 @@ The repo settings dialog has three tabs.
 
 General settings are where you control the runtime shape for that repo:
 
-- sandbox billing mode: Mogplex billing or your linked Vercel project
+- managed sandbox access state for hosted workspace launches
 - repo-linked Vercel team and Vercel project
 - env mapping mode: sandbox only, sandbox + preview conventions, or sync from a
   linked Vercel project
@@ -86,7 +86,7 @@ work.
    [Installations](/web/installations).
 3. Sync repos and find the target repo in Projects.
 4. Open repo settings if you need to set a root directory, dev command, preview
-   port, or Vercel linkage before boot.
+   port, or optional Vercel metadata before boot.
 5. Open the workspace. If no sandbox is running yet, Mogplex can launch it as
    part of that action.
 6. From the repo card, choose the next layer:
@@ -123,9 +123,8 @@ sandbox instead of going through the repo card.
   missing.
 - **Open workspace feels slow the first time**:
   the repo probably needs its sandbox created or installed first.
-- **User-billed sandbox launch fails**:
-  the repo is set to use your Vercel project, but the linked team or project is
-  missing or invalid.
+- **Sandbox launch says access is unavailable**:
+  the account plan may not include managed sandbox access yet.
 - **Preview opens the wrong app in a monorepo**:
   create a sub-project repo or set `root_directory`, `dev_command`, and
   `dev_port` explicitly.