How are BYOK provider keys stored?

Encrypted at rest with a master key (AES-GCM) and an organization-scoped key version. Only the last 4 characters and a key fingerprint are stored in plaintext for identification.

Does my provider key ever appear in a request?

No. Provider keys are resolved server-side at routing time from the organization's stored credentials. The gateway request body only contains your Privian gateway API key.

BYOK — Bring your own provider key

How it works

Add a provider API key (OpenAI, Anthropic, Google, …) in the dashboard.
Privian encrypts the key with AES-GCM using a master key + per-organisation version.
On a request, the gateway resolves the provider from the model namespace (e.g. openai/gpt-5.5 → OpenAI), decrypts the relevant credential, and calls the provider.
The plaintext key never leaves the server and never reaches the caller.

What is stored

Ciphertext + initialization vector + key version.
Last 4 characters of the key for identification in the UI.
Key fingerprint (hash) for deduplication and rotation visibility.
Status, label, timestamps.

What is not stored

The plaintext provider key.
Provider-side usage details beyond what Privian needs to route the request.

Rotation and revocation

Add a new credential, mark the old one revoked. Revoked credentials are no longer eligible for routing.

Gateway authentication
Product: LLM Gateway
Architecture

How it works

What is stored

What is not stored

Rotation and revocation

Related