BYOK — Bring Your Own Key
cloudscode never ships a vendor key. To run an agent, each tenant must register at least one provider key — Anthropic, OpenAI, or Gemini.
Why BYOK?
- You pay the provider directly. No markup, no rate-limit pooling, no vendor lock-in.
- Compliance. Your keys live in your control plane, encrypted at rest with a per-tenant KEK.
- Multi-provider. Mix and match — route different runtimes to different vendors.
Add a key
```sh
curl -X POST http://localhost:8787/byok \
  -H "x-tenant-id: <tenant_id>" \
  -H 'content-type: application/json' \
  -d '{
    "provider": "anthropic",
    "label": "prod-anthropic",
    "api_key": "sk-ant-..."
  }'
```

Supported providers:

| provider | Key format | Models tested |
|---|---|---|
| anthropic | sk-ant-... | Claude Opus 4.7, Sonnet 4.6, Haiku 4.5 |
| openai | sk-... | GPT-4.1, o4-mini, GPT-5 |
| gemini | AIza... | Gemini 2.5 Pro, 2.5 Flash |
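
A pre-flight check for the request above, as an added example that is not part of cloudscode: it checks the key prefix against the table before building the body, and reads the key from stdin so the secret stays out of curl's argument list and shell history. The function names and the allowed character sets for keys and labels are assumptions.

```shell
#!/bin/sh
# Added example, not cloudscode code. Function names are hypothetical.
# Prefixes come from the "Supported providers" table. The allowed character
# sets for keys and labels are an assumption, chosen so that no JSON
# escaping is needed when the body is assembled.

# byok_check_key PROVIDER KEY -> returns 0 if KEY carries PROVIDER's prefix
byok_check_key() {
    case "$2" in
        *[!A-Za-z0-9_-]*|'') return 1 ;;  # empty, whitespace, quotes, etc.
    esac
    case "$1" in
        anthropic) case "$2" in sk-ant-?*) return 0 ;; esac ;;
        # "sk-" is also a prefix of "sk-ant-", so an Anthropic key must not
        # be accepted under the openai provider.
        openai)    case "$2" in sk-ant-*) return 1 ;; sk-?*) return 0 ;; esac ;;
        gemini)    case "$2" in AIza?*) return 0 ;; esac ;;
    esac
    return 1                              # unknown provider or wrong prefix
}

# byok_payload PROVIDER LABEL -> reads the key from stdin, prints the JSON body
byok_payload() {
    IFS= read -r key || [ -n "$key" ] || return 1
    case "$2" in *[!A-Za-z0-9_.-]*|'') return 1 ;; esac
    byok_check_key "$1" "$key" || return 1
    # printf is a shell builtin, so the key never appears in a process argv.
    printf '{"provider":"%s","label":"%s","api_key":"%s"}\n' "$1" "$2" "$key"
}

# Usage (key.txt holds the key on one line):
#   byok_payload anthropic prod-anthropic < key.txt |
#     curl -X POST http://localhost:8787/byok \
#          -H "x-tenant-id: <tenant_id>" \
#          -H 'content-type: application/json' --data-binary @-
```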
List keys
```sh
curl -sS http://localhost:8787/byok \
  -H "x-tenant-id: <tenant_id>"
```

Returns metadata only — the API never echoes the secret back, even to the tenant that wrote it.
Delete a key
```sh
curl -X DELETE http://localhost:8787/byok/<key_id> \
  -H "x-tenant-id: <tenant_id>"
```

Deletion is immediate; in-flight runtime calls using the key fail on the next refresh.
Key rotation
cloudscode does not auto-rotate provider keys. Rotate by:
- Adding the new key with a fresh `label`.
- Updating the runtime instance’s `default_key` field (or letting it pick the most recently added key, depending on your dispatch policy).
- Deleting the old key once all runtimes have refreshed.