Route with BYOK
To restrict a request to your own keys, setgateway.routing.only_byok:
Understand routing behavior
Auriko prefers your BYOK key when one exists for the requested provider. You get direct billing control and your provider tier applies. Auriko falls back to platform keys in two cases:- Rate-limited: your BYOK key is rate-limited and the platform key has capacity.
- Unavailable: your BYOK key is unavailable at request time and a platform key exists.
only_byok: true— use only your BYOK key and fail the request if unavailable.only_platform: true— ignore BYOK keys entirely.
Set up BYOK keys
Manage your provider keys in the Auriko Dashboard.- Go to Settings > Provider Keys in the dashboard.
- Click Add Provider Key.
- Select the provider and paste your API key.
- Auriko validates the key before saving.
Manage keys via the API
You can also manage BYOK keys programmatically with an API key carrying thebyok:read / byok:write scopes:
- List BYOK providers and provider account tiers — public discovery endpoints, the source of allowed
account_tiervalues. - Create, list, get, update, and delete BYOK keys.
byok:write changes which third-party credentials Auriko uses for future model calls. Treat it as a sensitive permission.
List supported providers
GET /v1/registry/providers returns the current list of supported providers. The endpoint is public and doesn’t require authentication:
cURL
Detect provider tier
Auriko detects your provider account tier on first use. The detected tier affects rate limits and routing decisions. You can override detection:- Enterprise flag — mark a key as enterprise tier in the dashboard for higher limits.
- Manual tier — select a specific tier for providers that require it (e.g., Google AI Studio), in the dashboard or via
account_tieron the create and update endpoints.
Secure your keys
Auriko encrypts your provider keys and isolates them per workspace.- Encrypted at rest: authenticated encryption with per-workspace key isolation.
- Masked in responses: API responses show only a short prefix of each key.
- Decrypted at request time only: Auriko decrypts your key when calling the provider, then discards it.
- Never logged: Auriko never logs or persists decrypted keys.
Control data handling
BYOK keys inherit the workspace data policy. Options:none, no_training, and zdr (zero data retention).
A per-request data_policy overrides the workspace default. Providers that don’t meet the required level aren’t available for routing.
See Advanced routing for more on data policies.