What is BYO (Bring Your Own Key)?

BYO is a drop-in vault and proxy for customer-provided API keys. If you're building a SaaS that calls OpenAI, Anthropic, Google, Azure, Bedrock, Stripe, or PlanetScale on behalf of your users, BYO handles collecting, encrypting, storing, and proxying with those keys. Keys are encrypted at rest with AES-256-GCM, decrypted only in memory for the proxied call, and immediately discarded. Your backend never sees the raw key.

Which providers does BYO support?

BYO supports OpenAI (including any OpenAI-compatible endpoint like vLLM, OpenRouter, Ollama, and Together AI), Anthropic, Google AI Studio (Gemini), Azure OpenAI, AWS Bedrock, Stripe (full API surface via typed CRUD and passthrough), and PlanetScale (parameterized SQL queries).

Yes. BYO is open source and fully self-hostable. Run it on your own infrastructure so no third-party SaaS ever has access to your customers' keys.

How do I integrate BYO into my app?

Use the byo-connect web component on the frontend to collect keys, and the byo-sdk (TypeScript or Python) on the backend to proxy API calls. Integration takes minutes, not weeks.

Let your customers use their own
OpenAI key

Drop-in vault and proxy for customer-provided AI API keys. Keys are encrypted at rest, decrypted only for the proxied call, and immediately discarded. Your backend never sees the raw key.

Get started for free

$ npm install byo-sdk

Quick Start

Collect your customer's API key on the frontend. Proxy AI calls from your backend.

// npm install byo-connect

import 'byo-connect/form';

<byo-connect-form

publishable-key="byo_pk_live_..."

ref-id="customer_123"

theme="dark"

></byo-connect-form>

const form = document.querySelector('byo-connect-form');

form.addEventListener('byo:connected', (e) => {

const { id, provider, refId, status } = e.detail;

});

How it works

┌─────────────────┐         ┌──────────────┐
│  Your Frontend  │────────▶│   BYO API    │
│  (byo-connect)  │         │  (vault)     │
└─────────────────┘         └──────┬───────┘
                                   │
┌─────────────────┐                │         ┌───────────────────┐
│  Your Backend   │────────────────┘    ┌───▶│    OpenAI API     │
│  (byo-sdk)      │                     │    └───────────────────┘
└─────────────────┘            Proxy    ├───▶│  Anthropic API    │
                               calls    │    └───────────────────┘
                                        ├───▶│ Google AI Studio  │
                                        │    └───────────────────┘
                                        ├───▶│  Azure OpenAI     │
                                        │    └───────────────────┘
                                        └───▶│   AWS Bedrock     │
                                             └───────────────────┘

1.Your customer submits their API key through your frontend using byo-connect

2.BYO encrypts and stores it, your backend never sees the raw key

3.When your backend needs to call a provider, the SDK routes through BYO

4.BYO decrypts the key, makes the call, and discards the key from memory

Encrypted at rest

AES-256-GCM encryption. Keys are decrypted only for the proxied call, then immediately discarded from memory.

Multi-provider

OpenAI, Anthropic, Google AI Studio, Azure OpenAI, AWS Bedrock, and any OpenAI-compatible endpoint.

Full audit trail

Every proxy request is logged with provider, status, latency, and customer ref ID. Browse logs in the dashboard.

Webhooks

Get notified when keys are connected, revoked, disabled, or fail validation. HMAC-signed payloads with retries.

SDKs for every layer

TypeScript and Python SDKs for your backend. Browser helper for your frontend. OpenAPI spec for any other language.

Self-host or hosted

Run the entire stack on your own infrastructure with Docker and Postgres, or use the hosted version.

Supported keys

Your customer connects their key once. You proxy calls through BYO using any of these providers through a single API.

OpenAI

Anthropic

Google AI Studio

Azure OpenAI

AWS Bedrock

Stripe

PlanetScale

// Connect the key (frontend)

await connect({

provider: 'openai',

refId: 'customer_123',

providerKey: 'sk-...',

});

// Proxy a call (backend)

const openai = byok.openai({ refId: 'customer_123' });

const response = await openai.responses.create({

model: 'gpt-4.1',

input: 'Hello!',

});

Also supports any OpenAI-compatible endpoint (vLLM, OpenRouter, Ollama, Together AI) via providerConfig.baseUrl.

Use with any framework

BYO exposes OpenAI-compatible routes. Point any SDK or framework that accepts a custom base URL at your BYO instance like CrewAI, LangGraph, LangChain, Autogen, and more.

from openai import OpenAI

from byo import BYOK

byok = BYOK(api_key="byo_sk_live_...")

client = OpenAI(**byok.openai_compatible(ref_id="customer_123"))

response = client.chat.completions.create(

model="gpt-4.1",

messages=[{"role": "user", "content": "Hello!"}],

)

Works with CrewAI, LangGraph, LangChain, Autogen, and any library that uses the OpenAI client.

Trust badge

Show your customers their API key is stored securely. The <byo-badge> Web Component works in React, Vue, Svelte, Astro, or plain HTML.

// Auto-registers when you import byo-connect

import { createConnect } from 'byo-connect';

<byo-badge theme="dark"></byo-badge>

Frequently asked questions

Security, providers, and how BYO handles your customers' keys.

Your customers keep control of their keys

Integrate in minutes. Self-host or use the hosted version.