> ## Documentation Index
> Fetch the complete documentation index at: https://docs.relayhub.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Provider Hub

> Bring your own API keys for LLM providers

The **Provider Hub** lets admins register their own API keys for supported LLM providers. When a BYOK (Bring Your Own Key) key is active, all AI traffic for your organization routes through your key instead of the platform's shared keys, giving you direct billing control and access to your provider's usage dashboard.

## How It Works

RelayHub resolves which API key to use in this order:

1. **Custom Provider** -- If you have configured a [custom LLM endpoint](/administration/providers/custom-endpoints), it takes priority
2. **BYOK Key** -- Your own API key registered in the Provider Hub
3. **Platform Key** -- RelayHub's default shared key (usage counted against your subscription)

When a BYOK key is active and enabled, every LLM call -- chat, embeddings, vision, and background workers -- uses your key with zero fallback to platform keys.

## Supported Providers

<Cards>
  <Card title="OpenAI" icon="microchip">
    GPT-5.4, GPT-5.3, GPT-5.2, GPT-5.1, GPT-5-mini, GPT-5-nano
  </Card>

  <Card title="Anthropic" icon="brain">
    Claude Sonnet 4.6, Claude Opus 4.6, Claude Sonnet 4.5, Claude Opus 4.5
  </Card>

  <Card title="Google" icon="cloud">
    Gemini 3.1 Pro, Gemini 3 Flash, Gemini 3.1 Flash Lite
  </Card>

  <Card title="xAI" icon="bolt">
    Grok 4, Grok 3, Grok 3 Mini
  </Card>
</Cards>

## Adding an API Key

<Steps>
  <Step title="Open Provider Hub">
    Navigate to **Provider Hub** in the left sidebar (Admin only).
  </Step>

  <Step title="Select a provider">
    Click the card for the provider you want to configure (e.g., OpenAI).
  </Step>

  <Step title="Enter your API key">
    Paste your API key into the key field. The key is encrypted with Fernet encryption before being stored -- it is never saved in plaintext.
  </Step>

  <Step title="Validate the key">
    Click **Validate** to verify the key works. RelayHub makes a lightweight test call to the provider's API to confirm authentication.
  </Step>

  <Step title="Enable the key">
    Toggle the key to **Enabled**. All LLM traffic for your organization will now route through this key.
  </Step>
</Steps>

## Key Security

<Note>
  API keys are encrypted at rest using Fernet symmetric encryption. Once stored, the full key is never displayed again -- only a hint (first and last few characters) is shown for identification.
</Note>

* Keys are scoped to your organization and cannot be viewed by other customers
* The Provider Hub UI never returns the raw key after initial submission
* Keys can be replaced at any time by entering a new key for the same provider
* Deleting a key immediately reverts that provider to using the platform key

## Managing Keys

From the Provider Hub, each configured provider shows:

| Field              | Description                                        |
| ------------------ | -------------------------------------------------- |
| **Status**         | Enabled or Disabled                                |
| **Key Hint**       | Masked key for identification (e.g., `sk-...7xQ2`) |
| **Last Validated** | When the key was last successfully tested          |

You can **disable** a key without deleting it. A disabled key is retained in encrypted storage but RelayHub falls back to the platform key. Re-enable it at any time.

<Warning>
  If your BYOK key is revoked or expires at the provider, LLM calls will fail with an authentication error. RelayHub does not automatically fall back to platform keys when a BYOK key is present and enabled. Disable or remove the key to restore service.
</Warning>

<Tip>
  Use BYOK keys when you need direct visibility into your AI usage costs, want to use organization-specific rate limits, or have compliance requirements around API key ownership.
</Tip>
