Skip to main content

AI Gateway BYOK (Bring Your Own Key)

Use your own provider API keys through the Vercel AI Gateway for direct billing, zero markup, and full key control.

Overview

BYOK allows enterprise customers to use their own API keys for supported AI providers while still routing through the Vercel AI Gateway. This gives you:

  • Zero markup — Provider charges go directly to your account
  • Direct billing — You see exact usage on your provider dashboard
  • Gateway benefits — Keep routing, observability, and fallback capabilities
  • Per-provider control — Use your keys for some providers, system keys for others

BYOK vs BYOI

FeatureBYOKBYOI
Routes through AI GatewayYesNo
Uses your API keysYesYes (custom endpoint)
Provider auto-detectionYes (from model name)N/A
Gateway observabilityFullNone
Fallback routingAutomaticManual
Setup complexityAPI key onlyFull endpoint config
Best forCost controlCustom infrastructure
Enterprise Feature

BYOK is available exclusively on the Enterprise plan.

Supported Providers

ProviderSlugCredential
OpenAIopenaiAPI key
AnthropicanthropicAPI key
GooglegoogleAPI key
MistralmistralAPI key
xAI (Grok)xaiAPI key
DeepSeekdeepseekAPI key
PerplexityperplexityAPI key
CoherecohereAPI key

Complex credential providers (Vertex AI, AWS Bedrock) will be added in a future update.

Setting Up BYOK

Step 1: Create or Edit a Chatbot

  1. Go to Dashboard > Chatbots
  2. Click "Create New Chatbot" or edit an existing one
  3. Navigate to the Infrastructure tab

Step 2: Enable BYOK

  1. Scroll down to the "AI Gateway BYOK" panel
  2. Toggle "Enable BYOK"
  3. For each provider you want to use your own key:
    • Enter your API key
    • Click "Test Key" to validate
  4. Complete the chatbot setup

Step 3: Verify

After saving your keys:

  1. Wait up to 5 minutes for the credential cache to refresh (no redeploy needed)
  2. Send a test message to your chatbot
  3. The gateway will automatically use your key for the active provider
  4. Check your provider dashboard to confirm direct billing
No Redeploy Required

BYOK keys are fetched dynamically at runtime. You can add, change, or remove keys at any time from the edit page — changes take effect within 5 minutes without redeploying the chatbot.

How It Works

When a chat message is processed:

  1. The system detects which AI provider the current model belongs to (e.g., gpt-4o → OpenAI)
  2. If a BYOK key exists for that provider, it's passed to the AI Gateway as a per-request credential
  3. The gateway authenticates with the provider using your key instead of the system key
  4. If no BYOK key exists for the provider, the system falls back to default credentials
User Message → Chat Stream → AI Gateway → Provider (your API key)

                        Observability / Routing

Security

Credential Storage

  • All API keys are encrypted at rest in secure, isolated storage
  • Keys are never logged or exposed in responses
  • Access is limited to your account and your deployed chatbot

Key Rotation

To rotate a key:

  1. Go to the chatbot's Infrastructure tab
  2. Enter the new API key for the provider
  3. Click "Test Key" to validate
  4. Save — the new key takes effect within 5 minutes (cache TTL)

Best Practices

  • Use API keys with minimal required permissions
  • Set spending limits on your provider accounts
  • Rotate keys regularly
  • Monitor usage on your provider dashboard

FAQ

What happens if my BYOK key fails?

The AI Gateway will return an error. It does not fall back to system credentials — this ensures you maintain billing control.

Does cost tracking still work?

Yes. Langfuse still records the generation for observability. However, the cost may show as $0 in WizChat's cost tracking since the provider bills you directly.

Can I use BYOK for some providers and system keys for others?

Yes. BYOK is per-provider. If you only add an OpenAI key, Anthropic models will use system credentials.

Can I use BYOK and BYOI together?

No. BYOI takes priority — if BYOI is enabled, it bypasses the gateway entirely. BYOK only applies when using the standard AI Gateway path.

How quickly do key changes take effect?

Within 5 minutes (the credential cache TTL).