Skip to main content

Overview

By default, requests through Layer use Layer’s platform keys. With BYOK (Bring Your Own Keys), you can provide your own provider API keys. Requests are then billed directly to your provider account. Why use BYOK?
  • Bypass platform rate limits — Use your own quota
  • Direct billing — Charges appear on your provider account
  • Compliance — Some organizations require direct provider relationships
  • Control — Maintain your own API key lifecycle

Supported Providers

ProviderKey FormatValidation Method
OpenAIsk-proj-...Lists models (free operation)
Anthropicsk-ant-...Minimal message request
GoogleAIza...Minimal content generation
MistralAPI keyLists models (free operation)

Adding a Provider Key

From the Dashboard

  1. Go to Dashboard → Provider Keys
  2. Find the provider you want to configure
  3. Enter your API key in the input field
  4. Click Test to validate the key against the provider’s API
  5. Click Save
Your key is encrypted immediately using AES-256-GCM and stored securely. Only a masked prefix is visible in the dashboard (e.g., sk-proj-...abc123).

Key Management

  • One key per provider — Each provider can have one active key
  • Enable/Disable — Toggle a key without deleting it
  • Test Connection — Validate your key works at any time
  • Delete — Soft-deleted (recoverable for 90 days, then permanently removed)

How Keys Are Used

When you make a request through Layer:
  1. Layer checks if you have an active BYOK key for the target provider
  2. If yes → your key is decrypted and used for the provider API call
  3. If no → Layer’s platform key is used as a fallback
This happens transparently. Your application code doesn’t change regardless of whether BYOK is configured.

Security

Encryption

All provider keys are encrypted using AES-256-GCM — the same standard used by AWS KMS, Google Cloud KMS, and 1Password.
  • Fresh IV generated for every encryption operation
  • Auth tag detects any tampering with stored data
  • Master key stored separately from the database as an environment variable

What Layer Stores

DataStorage
Full API keyEncrypted (AES-256-GCM)
Key prefixPlaintext (for display, e.g., sk-proj-...abc)
Provider namePlaintext
Active statusPlaintext

Trust Model

Layer’s BYOK uses platform-controlled encryption, which is the industry standard for API proxies. Your keys are encrypted at rest but decrypted server-side when making provider API calls on your behalf — the same model used by Stripe, Vercel, and similar platforms.

Cost Tracking

When BYOK is active, the actual provider charges appear on your provider account. Layer still tracks estimated costs in the dashboard for analytics and spending limit enforcement, but these are calculated from token counts and published pricing — your actual provider bill may vary slightly.

Fallback Behavior

If your BYOK key becomes invalid (expired, revoked, rate-limited):
  • Layer detects the authentication error
  • The key is marked as invalid in the dashboard
  • Requests fall back to Layer’s platform key (if available)
  • You’re notified to update your key