Bring Your Own Key (BYOK)
The AI Kit talks to model providers using your API keys, not ours. This page explains what that means in practice — for cost, for control, and for security.
What BYOK means
When you connect, for example, OpenAI to your workspace, you enter an OpenAI API key that belongs to you. From that moment on:
- The AI Kit forwards every model request to OpenAI using your key.
- OpenAI bills your account for each token, not ours.
- The AI Kit does not see what OpenAI bills you. To track usage and cost from your side, use Metrics.
The same applies to Anthropic, Mistral, and any other commercial provider.
Why BYOK
- Cost transparency. You see the provider's invoice directly, item by item.
- Control. You can rotate the key, revoke it, set spend limits, switch billing accounts — all without involving us.
- Compliance. Some organizations require that all third-party services run under contracts they control. BYOK keeps the contractual relationship between you and the model provider intact.
- Choice. You can use providers we may not officially support yet, as long as they speak the same protocol as one we do support.
Why not BYOK
For self-hosted Ollama, BYOK does not apply: you run the model yourself, there is no third party, and there are no per-token charges. See Ollama (Self-hosted).
Where the key is stored
API keys go into a secured field when you create the model. The platform encrypts the value with a workspace-specific key before writing it to disk. After saving, the value is not shown again in the user interface — you can only replace it, never read it back.
If you need to rotate a key, simply edit the model and paste the new key into the field.
Limiting exposure
A few simple precautions reduce the risk of an exposed key:
- Create a dedicated key per workspace. This keeps the blast radius small if you ever need to revoke one.
- Set spend limits on the provider's side wherever possible. OpenAI, Anthropic, and Mistral all let you cap monthly spend per key.
- Rotate keys periodically. Once or twice a year is plenty for most organizations. Rotate immediately, outside that schedule, if a key may have been exposed.
- Monitor usage in Metrics. Anomalies (sudden spikes, unexpected models being called) often point to a misconfigured automation rather than a leaked key, but it pays to look.
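One way to check for the two anomalies named above (sudden spikes, unexpected models) on usage records grouped per dedicated key. This is an added example, not AI Kit code: the record layout, key labels, model names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, key label, model, tokens). This layout is an
# assumption for illustration, not the Metrics export format.
SAMPLE = [
    ("2024-05-01", "ws-support", "small-model", 41_000),
    ("2024-05-02", "ws-support", "small-model", 39_000),
    ("2024-05-03", "ws-support", "small-model", 43_000),
    ("2024-05-04", "ws-support", "small-model", 40_000),
    ("2024-05-05", "ws-support", "small-model", 180_000),  # sudden spike
    ("2024-05-01", "ws-reports", "small-model", 12_000),
    ("2024-05-02", "ws-reports", "small-model", 11_000),
    ("2024-05-03", "ws-reports", "small-model", 13_000),
    ("2024-05-04", "ws-reports", "small-model", 12_500),
    ("2024-05-04", "ws-reports", "large-model", 900),  # model nobody configured
]

# Hypothetical allowlist: the models each dedicated key is expected to call.
ALLOWED_MODELS = {"ws-support": {"small-model"}, "ws-reports": {"small-model"}}


def find_anomalies(records, allowed, spike_factor=3.0, min_history=3):
    """Return sorted (day, key, reason) findings for spikes and unexpected models."""
    findings = set()
    daily = defaultdict(lambda: defaultdict(int))  # key -> day -> tokens
    for day, key, model, tokens in records:
        daily[key][day] += tokens
        if model not in allowed.get(key, set()):
            findings.add((day, key, f"unexpected model: {model}"))
    for key, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little history to call anything a spike
            baseline = median(history)  # median resists earlier outliers
            if baseline > 0 and per_day[day] > spike_factor * baseline:
                findings.add((day, key, f"spike: {per_day[day]} tokens vs median {baseline:g}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE, ALLOWED_MODELS):
        print(*finding, sep="  ")
```

Because each workspace has its own key, a finding points at one key to investigate or revoke rather than at the whole account.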
Costs you cannot control with BYOK
The provider sets the per-token price. Some things to keep in mind:
- Input tokens cost less than output tokens on most providers.
- System instructions count as input tokens on every call. Long system prompts are expensive in the long run.
- Knowledge retrieval adds input tokens. A bigger knowledge result means more tokens going in.
- Agents (in the AI Agent sense, or full conversational agents) can iterate. Cost scales with the number of iterations.
Metrics helps you see which automation is driving cost. Tuning prompts or switching to a smaller model is usually cheaper than negotiating a discount with the provider.
What to do next
- Create a New Model — the generic flow.
- Provider pages with key-generation links: OpenAI · Anthropic · Mistral.
- Metrics → Consumption — verify what your keys are paying for.