Skip to main content
The Provider Hub lets admins register their own API keys for supported LLM providers. When a BYOK (Bring Your Own Key) key is active, all AI traffic for your organization routes through your key instead of the platform’s shared keys, giving you direct billing control and access to your provider’s usage dashboard.

How It Works

RelayHub resolves which API key to use in this order:
  1. Custom Provider — If you have configured a custom LLM endpoint, it takes priority
  2. BYOK Key — Your own API key registered in the Provider Hub
  3. Platform Key — RelayHub’s default shared key (usage counted against your subscription)
When a BYOK key is active and enabled, every LLM call — chat, embeddings, vision, and background workers — uses your key with zero fallback to platform keys.

Supported Providers

Adding an API Key

1

Open Provider Hub

Navigate to Provider Hub in the left sidebar (Admin only).
2

Select a provider

Click the card for the provider you want to configure (e.g., OpenAI).
3

Enter your API key

Paste your API key into the key field. The key is encrypted with Fernet encryption before being stored — it is never saved in plaintext.
4

Validate the key

Click Validate to verify the key works. RelayHub makes a lightweight test call to the provider’s API to confirm authentication.
5

Enable the key

Toggle the key to Enabled. All LLM traffic for your organization will now route through this key.

Key Security

API keys are encrypted at rest using Fernet symmetric encryption. Once stored, the full key is never displayed again — only a hint (first and last few characters) is shown for identification.
  • Keys are scoped to your organization and cannot be viewed by other customers
  • The Provider Hub UI never returns the raw key after initial submission
  • Keys can be replaced at any time by entering a new key for the same provider
  • Deleting a key immediately reverts that provider to using the platform key

Managing Keys

From the Provider Hub, each configured provider shows:
FieldDescription
StatusEnabled or Disabled
Key HintMasked key for identification (e.g., sk-...7xQ2)
Last ValidatedWhen the key was last successfully tested
You can disable a key without deleting it. A disabled key is retained in encrypted storage but RelayHub falls back to the platform key. Re-enable it at any time.
If your BYOK key is revoked or expires at the provider, LLM calls will fail with an authentication error. RelayHub does not automatically fall back to platform keys when a BYOK key is present and enabled. Disable or remove the key to restore service.
Use BYOK keys when you need direct visibility into your AI usage costs, want to use organization-specific rate limits, or have compliance requirements around API key ownership.