BYOK Setup
Last updated 14 Jun 2026
Adding a credential
Go to Settings → BYOK Vault → Add Credential. Choose a provider (OpenAI, Anthropic, Google, xAI, Mistral, etc.), paste the API key, and optionally set a scope (which models, which capabilities, which workflows). The key is sealed inside our envelope-encryption layer immediately, and the plaintext is never written to logs or persisted.
Three BYOK tiers
- KatmanA — Standard. Full platform features, full platform fee.
- KatmanB — Discounted. Reduced platform fee in exchange for routing through your provider account.
- KatmanC — Enterprise. Negotiated rates, audit retention, SOC2-aligned controls.
The active tier appears on your billing dashboard.
Per-call resolution
At call time the runtime checks your BYOK scope, decrypts the credential inside the HSM-style sidecar, injects it into the outbound HTTP client, and emits a CredentialResolutionAudit row. Plaintext never touches the application layer. Rotating a key takes effect within 60 seconds (cache TTL).
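The sequence above (scope check, unseal, audit row, 60-second cache) can be modelled in a few lines to show when a rotated key starts being served. This is an added illustration, not the platform's code: every name except CredentialResolutionAudit is hypothetical, the sidecar is a stand-in callable, and writing an audit row for a denied call is an assumption.

```python
import time
from dataclasses import dataclass, field

CACHE_TTL_SECONDS = 60  # cache TTL stated on the page
@dataclass
class Resolver:
    """Illustrative model; every name except CredentialResolutionAudit is hypothetical."""
    unseal: callable    # stand-in for the sidecar's decrypt operation
    scopes: dict        # credential_id -> set of allowed model names
    clock: callable = time.monotonic
    audit: list = field(default_factory=list)   # CredentialResolutionAudit rows
    _cache: dict = field(default_factory=dict)  # credential_id -> (expiry, key)

    def resolve(self, cred_id, model):
        now = self.clock()
        # 1. Scope is checked before anything is decrypted.
        if model not in self.scopes.get(cred_id, set()):
            self._emit(cred_id, model, "denied_scope")  # auditing denials is an assumption
            raise PermissionError(f"{model} is outside the scope of {cred_id}")
        # 2. Reuse the unsealed key until the TTL expires, then unseal again.
        expiry, key = self._cache.get(cred_id, (0.0, None))
        source = "cache"
        if key is None or now >= expiry:
            key, source = self.unseal(cred_id), "sidecar"
            self._cache[cred_id] = (now + CACHE_TTL_SECONDS, key)
        # 3. The audit row records the decision, never the key.
        self._emit(cred_id, model, "resolved", source)
        return key

    def _emit(self, cred_id, model, outcome, source=None):
        self.audit.append({"credential_id": cred_id, "model": model,
                           "outcome": outcome, "source": source})

def demo():
    """Constructed scenario: rotate a key and see when the new one is served."""
    vault = {"cred-1": "old-key-constructed"}  # constructed sample values
    t = [0.0]                                  # fake clock so the demo is instant
    r = Resolver(vault.__getitem__, {"cred-1": {"model-a"}}, clock=lambda: t[0])
    seen = [r.resolve("cred-1", "model-a")]      # t=0: unsealed by the sidecar
    vault["cred-1"] = "new-key-constructed"      # rotation
    t[0] = 30.0
    seen.append(r.resolve("cred-1", "model-a"))  # inside TTL: old key from cache
    t[0] = 60.0
    seen.append(r.resolve("cred-1", "model-a"))  # TTL expired: new key
    try:
        r.resolve("cred-1", "model-b")           # outside the credential's scope
    except PermissionError:
        seen.append("denied")
    return seen, r.audit
```

When revoking a key at the provider, allow for the cache window: calls inside it still go out with the old key, so the audit rows for that interval are the ones to review.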
What BYOK does not change
- Acceptable Use Policy still applies.
- Moderation (PhotoDNA, NCII detection) still runs.
- BillingRecord is still emitted (with FundSource=Byok and the platform fee snapshot).
- Persona disclosure rules still apply.