PATCH /v1/workspaces/{workspace_id}/byok-keys/{byok_key_id}
Update BYOK key
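Example request (Python):

import requests

# Replace {workspace_id} and {byok_key_id} with the real UUIDs before sending.
url = "https://api.auriko.ai/v1/workspaces/{workspace_id}/byok-keys/{byok_key_id}"

# Placeholder values showing every accepted field; send only the fields
# you want to change (at least one is required).
payload = {
    "name": "<string>",
    "is_default": True,
    "account_tier": "<string>",
    "disabled": True
}
headers = {
    "Authorization": "Bearer <token>",
    "Content-Type": "application/json"
}

# Explicit timeout so the call cannot hang indefinitely.
response = requests.patch(url, json=payload, headers=headers, timeout=10)

print(response.text)

Example response: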
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "workspace_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "provider": "<string>",
  "name": "<string>",
  "key_prefix": "<string>",
  "is_default": true,
  "disabled": true,
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z",
  "account_tier": "<string>",
  "last_validated_at": "2023-11-07T05:31:56Z"
}
Change a key’s name, is_default, account_tier, or disabled state. Requires byok:write scope. Naturally idempotent (last write wins). Audit event: byok_key.updated.
The provider secret is immutable. Secret fields are rejected, and this endpoint never triggers provider validation.
To replace a secret: create a new key, set it as default, then delete the old key. There’s no rotation operation.
Setting disabled: true excludes the key from routing without deleting it; the secret stays encrypted at rest. A disabled key can’t be set as default unless the same request re-enables it.
May return 202 with propagation_status: "pending" while the change takes effect. Propagation completes within about 5 minutes.
All parameters, request/response schemas, and examples are auto-generated from the OpenAPI specification.

Authorizations

Authorization (string, header, required): API key authentication. Keys start with ak_ prefix. Example: Authorization: Bearer ak_live_xxxxxxxxxxxx

Path Parameters

workspace_id (string<uuid>, required): Workspace identifier

byok_key_id (string<uuid>, required): BYOK key identifier

Body

application/json

At least one field is required. Provider secret fields are rejected — secrets are immutable.

name (string | null): New human-readable name. Required string length: 1 - 100

is_default (boolean | null): Promote (true) or demote (false) this key as the provider's routing default

account_tier (string | null): Provider account tier from the tiers endpoint

disabled (boolean | null): Disable (true) to exclude the key from routing without deleting it
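
The body rules and the 202 behaviour described on this page, written as a client-side check. This is an added example, not part of the Auriko documentation or any SDK: `build_update_body` and `change_in_effect` are hypothetical helper names, and treating a null field as "leave unchanged" is an assumption.

```python
# Added example; helper names are hypothetical, not part of any Auriko SDK.
ALLOWED_FIELDS = {"name", "is_default", "account_tier", "disabled"}


def build_update_body(changes, currently_disabled):
    """Return a PATCH body that obeys the rules on this page, or raise ValueError."""
    extra = set(changes) - ALLOWED_FIELDS
    if extra:
        # Refuse anything else locally (provider secret fields included), and
        # report field names only so a stray secret value never reaches a log.
        raise ValueError(f"fields not accepted by this endpoint: {sorted(extra)}")
    # Assumption: a null value means "leave unchanged", so it is not sent.
    body = {k: v for k, v in changes.items() if v is not None}
    if not body:
        raise ValueError("at least one field is required")
    name = body.get("name")
    if "name" in body and not (isinstance(name, str) and 1 <= len(name) <= 100):
        raise ValueError("name must be a string of 1 to 100 characters")
    for flag in ("is_default", "disabled"):
        if flag in body and not isinstance(body[flag], bool):
            raise ValueError(f"{flag} must be a boolean")
    # Disabled state after this request: the value sent, else the current one.
    disabled_after = body.get("disabled", currently_disabled)
    if body.get("is_default") is True and disabled_after:
        raise ValueError("a disabled key can't be default; also send disabled=False")
    return body


def change_in_effect(status_code, response_body):
    """False while the change is still propagating (202 / "pending")."""
    if status_code == 202 or response_body.get("propagation_status") == "pending":
        # Per the page, propagation completes within about 5 minutes; until
        # then, treat a just-disabled key as possibly still used for routing.
        return False
    return status_code == 200


if __name__ == "__main__":
    # Constructed inputs: disable a key, then read a constructed 202 response.
    print(build_update_body({"disabled": True}, currently_disabled=False))
    print(change_in_effect(202, {"propagation_status": "pending"}))
```
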

Response

OK

BYOK key metadata. Redacted — the provider secret is never returned.

id (string<uuid>, required): Unique identifier for the BYOK key

workspace_id (string<uuid>, required): Workspace this key belongs to

provider (string, required): Provider identifier

name (string, required): Human-readable name for the key

key_prefix (string, required): Masked display prefix of the submitted secret

is_default (boolean, required): Whether this key is the provider's default for routing

disabled (boolean, required): Disabled keys are excluded from routing; the secret stays encrypted at rest

validation_status (enum<string>, required): Coarse validation status (no provider diagnostics). Available options: valid, pending, invalid, error

created_at (string<date-time>, required)

updated_at (string<date-time>, required)

account_tier (string | null): Provider account tier used for rate-limit and data-policy routing

account_tier_source (enum<string> | null): How the tier was determined. Available options: auto_detected, user_specified, fallback, null

last_validated_at (string<date-time> | null): When the key last passed validation (null if never)

propagation_status (enum<string> | null): "pending" while a routing-affecting change for this key's provider is committed but edge propagation has not yet been applied. Available options: pending, null