BYOK Guide: Use Your Own API Keys with an LLM Gateway
Learn how Bring Your Own Key (BYOK) works, why teams use it, and how to route LLM requests through your own provider contracts with LLMWise.
What is BYOK?
Bring Your Own Key -- BYOK -- is a simple idea: instead of paying an LLM gateway for model access through its credits system, you plug in your own API keys from OpenAI, Anthropic, Google, or any other provider. The gateway still handles routing, failover, orchestration, and observability. But the billing goes directly to your provider account.
Think of it like bringing your own coffee beans to a cafe that has a great espresso machine. You get the equipment and expertise without paying their markup on beans.
In a standard LLM gateway setup, the gateway holds provider keys, routes your requests, and charges you credits or a subscription that covers the underlying model costs plus a margin. That model works well for small teams, prototyping, and anyone who wants a single bill for multi-model access.
But as usage grows -- or when compliance requirements enter the picture -- teams often need direct provider relationships. That is where BYOK comes in. You maintain your own contracts with OpenAI, Anthropic, and Google. The gateway becomes a routing and orchestration layer, not a billing intermediary.
Why teams use BYOK
Four reasons come up repeatedly when teams switch to BYOK for part or all of their LLM traffic.
Volume discounts and negotiated rates. If you are spending $5,000+ per month with a single provider, you likely have (or can negotiate) a discount. Enterprise agreements with OpenAI, Anthropic, and Google often include volume pricing, committed-use discounts, or custom rate cards. Running those requests through an aggregation layer means paying a margin on top of rates you have already negotiated down.
Compliance and procurement requirements. Regulated industries -- finance, healthcare, government -- often require direct contractual relationships with every vendor that processes data. Even if the gateway never stores your data, some compliance frameworks mandate that the billing entity and the data-processing entity are the same. BYOK satisfies this by keeping the financial and data relationship directly between you and the provider.
Existing budgets and allocated spend. Many organizations already have provider accounts with prepaid credits or allocated cloud budgets. An engineering team with $20,000 of OpenAI credits sitting in their account does not want to buy additional credits through a gateway. BYOK lets them consume what they have already paid for while gaining the orchestration features they lack.
Gradual migration. Adopting a new tool is easier when it does not require changing your billing stack on day one. With BYOK, you can start using an LLM gateway for its routing and comparison features while keeping your existing provider invoices unchanged. If the gateway proves its value, you can decide later whether credits make more sense for some models.
How BYOK works in LLMWise
Setting up BYOK on LLMWise takes about two minutes. Here is the flow:
1. Add your provider keys. Go to Settings in the LLMWise dashboard and enter your API keys for any supported provider -- OpenAI, Anthropic, Google, xAI, DeepSeek, and others. Each provider has its own field.
2. Keys are encrypted at rest. LLMWise encrypts every BYOK key using Fernet encryption (AES-128-CBC with HMAC-SHA256) before storing it. Your raw key is never persisted in plaintext, never logged, and never exposed in API responses.
3. Requests route directly to the provider. When you send a request using a model from a provider where you have added a BYOK key, LLMWise routes that request directly to the provider's API using your key. It does not go through OpenRouter or any other aggregation layer. The provider sees your key, your account, your rate limits.
4. Credit billing is skipped. BYOK requests do not deduct from your LLMWise credit balance. You pay the provider directly at whatever rate your account has. LLMWise handles the orchestration for free on those requests.
5. All orchestration features still work. Compare mode, Blend mode, Judge mode, Mesh failover -- every feature works identically with BYOK keys. The only difference is who gets the bill. You can even mix: use BYOK for Anthropic models and credits for everything else, and a Compare request across both will work seamlessly.
For the API, the process is the same. Set your BYOK keys via the settings endpoint, and every subsequent request to a BYOK-enabled provider routes directly. No code changes needed on the request side. For more details on our BYOK gateway architecture, see our BYOK LLM Gateway overview.
BYOK vs Credits: When to use each
The choice is not binary. Most teams end up using a hybrid approach.
| Credits | BYOK | |
|---|---|---|
| Setup time | Instant -- no provider accounts needed | Requires active provider accounts and API keys |
| Billing | Single invoice from LLMWise | Separate invoices per provider |
| Cost | LLMWise rates (includes margin) | Provider rates (no gateway margin) |
| Best for | Low volume, prototyping, multi-model exploration | High volume, enterprise contracts, compliance |
| Rate limits | Shared LLMWise pool | Your own provider-level limits |
| Cost tracking | Built-in dashboard and credit history | Track via provider dashboards + LLMWise usage logs |
| Switching effort | None | Must manage keys per provider |
Use credits when you want simplicity. Credits are the right choice for teams exploring multiple models, running low-volume workloads, or building prototypes where the priority is speed over cost optimization. You get a single balance, a single dashboard, and zero provider account management. See our LLM pricing comparison for how credit costs stack up across models.
Use BYOK when you have volume. If you are sending 10,000+ requests per month to a single provider, the raw provider rate will almost always beat the aggregated rate. BYOK is also the right call when compliance mandates direct provider relationships, or when you have prepaid provider credits to burn through.
Use both when your workload is mixed. A common pattern: BYOK for your primary high-volume model (say, GPT-5.2 for your core product feature) and credits for everything else (comparison testing, fallback models, low-volume experiments). LLMWise handles the split transparently -- no configuration needed beyond adding your BYOK keys.
For a deeper analysis of cost optimization strategies that complement BYOK, see our guide on reducing LLM API costs.
Security considerations
API keys are sensitive credentials. How they are stored matters.
Encryption at rest. Every BYOK key is encrypted using Fernet symmetric encryption before being written to the database. Fernet uses AES-128-CBC for confidentiality and HMAC-SHA256 for integrity verification. The encryption key is managed separately from the database and is required as an environment variable in production (BYOK_ENCRYPTION_KEY). Without it, stored keys are unreadable ciphertext.
No logging or exposure. BYOK keys are never written to application logs, error reports, or API responses. When you retrieve your settings, the response confirms which providers have keys configured but never returns the key values.
Zero-retention mode compatible. LLMWise offers a zero-retention mode that skips storage of prompts, responses, and conversation memory. BYOK works identically in this mode. Your keys are still encrypted at rest (they have to be, to route requests), but no request content is retained.
Full data purge. If you delete your account or trigger a data purge, all stored BYOK keys are deleted along with every other piece of user data. The purge is comprehensive -- encrypted keys, usage logs, conversation history, and semantic memory are all removed.
Key rotation. You can update or remove BYOK keys at any time through the settings page. The old key is overwritten with the new encrypted value. There is no key history -- only the current key is stored.
Getting started with BYOK
The setup is short enough to list in full:
- Sign in to LLMWise at llmwise.ai and navigate to Settings.
- Enter your API keys for the providers you want to use directly. You will need your API key from each provider's dashboard (e.g.,
sk-...from OpenAI,sk-ant-...from Anthropic). - Save your settings. Keys are encrypted and stored immediately.
- Send requests as normal. Use Chat, Compare, Blend, Judge, or Mesh mode. Requests to BYOK-enabled providers will route directly and skip credit billing. No code changes or API parameter changes needed.
- Monitor usage. Check the LLMWise usage dashboard for request counts and latency metrics. Check your provider dashboards for billing.
That is it. You do not need to change your API calls, update request headers, or configure routing rules. The presence of a BYOK key for a given provider is the only trigger -- everything else is automatic.
If you are evaluating whether BYOK makes sense for your team's workload, start by checking your current monthly spend per provider. Any provider where you spend more than $50/month is a candidate for BYOK. The crossover point where BYOK saves meaningful money varies by provider and volume, but the setup cost is low enough that there is little downside to trying it.