Overview
BYOK (Bring Your Own Key) lets you store API credentials for supported upstream providers and then opt-in per request to route through your own keys. Typical reasons to use BYOK:- Your provider bills you directly (enterprise agreements, committed-use discounts, free tiers).
- You want NanoGPT routing + enhancements, without using NanoGPT platform keys.
Availability
BYOK is currently supported on:POST /api/v1/chat/completions
Pricing
When you use BYOK:- Your provider bills you directly for usage on their side.
- NanoGPT charges a 5% platform fee on top for routing and platform features.
Configure Keys
Web UI (Recommended)
Manage BYOK keys in the NanoGPT web app: Keys are never shown again after saving (only a short suffix is displayed), so treat them like passwords.API (NanoGPT key required)
If you prefer managing keys programmatically, use these endpoints (not OpenAI-compatible):Use BYOK On A Request
Enable BYOK
Option A: request headerSelect a provider (optional)
If the model can route through multiple providers, you can force a specific provider. Header:Fallbacks (optional)
BYOK defaults to fail-fast behavior. If your provider key fails, NanoGPT will not silently route the request through a different provider key. You can control this via the request body:Provider Slugs
The exact set of supported providers can evolve; the BYOK UI lists what your account can configure.Chat / completion providers
These providers can be used for BYOK onPOST /api/v1/chat/completions:
| Provider | Slug | Key format |
|---|---|---|
| OpenAI | openai | API key string (sk-...) |
| OpenAI Responses | openai-responses | API key string (sk-...) |
| Anthropic | anthropic | API key string (sk-ant-...) |
| OpenRouter | openrouter | API key string (or-...) |
| Chutes | chutes | API key string (cpk_...) |
| AWS Bedrock | aws | JSON: {"accessKeyId":"...","secretAccessKey":"...","region":"us-east-1"} |
| Azure OpenAI | azure | JSON: {"endpoint":"...","apiKey":"...","deploymentName":"...","apiVersion":"..."} |
| Azure Responses | azure-responses | JSON: {"endpoint":"...","apiKey":"...","apiVersion":"..."} |
| Azure Anthropic Foundry | azure-anthropic-foundry | JSON: {"endpoint":"...","apiKey":"..."} |
| Google AI Studio | google | API key string (AIza...) |
| Groq | groq | API key string (gsk_...) |
| NVIDIA | nvidia | API key string (nvapi-...) |
| SambaNova | sambanova | API key string |
| Vercel | vercel | API key string |
| Novita | novita | API key string (nvta_...) |
| Akash | akash | API key string (sk-...) |
| Z.AI (GLM) | zai | API key string |
| GMICloud | gmicloud | API key string |
| Cerebras | cerebras | API key string (csk-...) |
| DeepInfra | deepinfra | API key string |
| MegaNova | meganova | API key string |
| SiliconFlow | siliconflow | API key string |
- AWS JSON can also include
sessionToken. - Azure-style providers require provider-specific endpoints and identifiers (for example, a deployment name).
- If you want to force Google AI Studio routing for Gemini models, set
x-byok-provider: google(orbyok.provider: "google").
Web-search-only providers
These providers are BYOK for web search enhancements, not chat model execution:| Provider | Slug |
|---|---|
| Tavily | tavily |
| Exa | exa |
| Kagi | kagi |
| Perplexity | perplexity |
| Valyu | valyu |
Teams (BYOK)
Teams can also store provider keys and configure whether team-billed traffic should use team keys. Team settings endpoints (session-authenticated, not OpenAI-compatible):disabled: BYOK off for the team.prefer_team: use a team key when available; otherwise fall back to normal routing.require_team: fail requests when no team key exists for the required provider.
- In
prefer_teammode, team-billed traffic will not use a member’s personal BYOK keys unless the client explicitly opts in to BYOK on the request.
Security Notes
- Never put provider keys in client-side code or public repos.
- Prefer storing keys once (UI or the
/api/user/provider-keysendpoints) and then enabling BYOK per request.