diff --git a/api/migrations/versions/2025_11_18_1400-a7b4e8f2c9d1_add_enduser_authentication_provider.py b/api/migrations/versions/2025_11_18_1400-a7b4e8f2c9d1_add_enduser_authentication_provider.py
new file mode 100644
index 0000000000..bb2391d4b7
--- /dev/null
+++ b/api/migrations/versions/2025_11_18_1400-a7b4e8f2c9d1_add_enduser_authentication_provider.py
@@ -0,0 +1,94 @@
+"""add enduser authentication provider
+
+Revision ID: a7b4e8f2c9d1
+Revises: 132392a2635f
+Create Date: 2025-11-18 14:00:00.000000
+
+"""
+import models as models
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "a7b4e8f2c9d1"
+down_revision = "132392a2635f"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "tool_enduser_authentication_providers",
+        sa.Column(
+            "id",
+            models.types.StringUUID(),
+            server_default=sa.text("uuid_generate_v4()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "name",
+            sa.String(length=256),
+            server_default=sa.text("'API KEY 1'::character varying"),
+            nullable=False,
+        ),
+        sa.Column("tenant_id", models.types.StringUUID(), nullable=False),
+        sa.Column("end_user_id", models.types.StringUUID(), nullable=False),
+        sa.Column("provider", sa.String(length=256), nullable=False),
+        sa.Column("encrypted_credentials", sa.Text(), nullable=True),
+        sa.Column(
+            "created_at",
+            sa.DateTime(),
+            server_default=sa.text("CURRENT_TIMESTAMP(0)"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(),
+            server_default=sa.text("CURRENT_TIMESTAMP(0)"),
+            nullable=False,
+        ),
+        sa.Column(
+            "credential_type",
+            sa.String(length=32),
+            server_default=sa.text("'api-key'::character varying"),
+            nullable=False,
+        ),
+        sa.Column("expires_at", sa.BigInteger(), server_default=sa.text("-1"), nullable=False),
+        sa.PrimaryKeyConstraint("id", name="tool_enduser_authentication_provider_pkey"),
+        sa.UniqueConstraint(
+            "tenant_id",
+            "provider",
+            "end_user_id",
+            "name",
+            name="unique_enduser_authentication_provider",
+        ),
+    )
+    op.create_index(
+        "tool_enduser_authentication_provider_tenant_id_idx",
+        "tool_enduser_authentication_providers",
+        ["tenant_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tool_enduser_authentication_provider_end_user_id_idx",
+        "tool_enduser_authentication_providers",
+        ["end_user_id"],
+        unique=False,
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(
+        "tool_enduser_authentication_provider_end_user_id_idx",
+        table_name="tool_enduser_authentication_providers",
+    )
+    op.drop_index(
+        "tool_enduser_authentication_provider_tenant_id_idx",
+        table_name="tool_enduser_authentication_providers",
+    )
+    op.drop_table("tool_enduser_authentication_providers")
+    # ### end Alembic commands ###
+