Getting StartedProvider billing

Bring Your Own Key (BYOK)

BYOK lets you plug your own provider API keys into MegaBrain. When you add a key, requests for that provider's models are billed by the provider on your own account instead of drawing down your MegaBrain balance β€” while you keep using a single gateway, one client configuration, and the same model catalogue. Keys are encrypted at rest and routed automatically; there is nothing to change in your coding agent.

πŸ’³

Provider billing

Usage on a BYOK provider is charged to your own provider account, not your MegaBrain credits.

πŸ”Œ

Zero client changes

Once a key is saved, MegaBrain routes matching models through it automatically. Your agent config stays the same.

πŸ”’

Encrypted at rest

Keys are encrypted with AES-256-GCM before they touch the database and are never shown again after saving.

Personal keys vs. organization keys

BYOK works at two levels. Pick the one that matches who should pay and who should manage the key.

Personal

Tied to your own account and used for your own requests. Manage them at Account β†’ Bring Your Own Key (BYOK) in the app sidebar.

Organization

Shared across every member of an organization. Only an organization owner or billing manager can add, edit, or remove them, and every change is written to the organization audit log.

Add a key

1

Open the BYOK page

For a personal key, open Account β†’ Bring Your Own Key (BYOK) from the sidebar. For an organization key, go to your organization's settings and open Bring Your Own Key (BYOK) (visible to owners and billing managers).

2

Click Add Key and choose a provider

Press Add Key and select the provider whose key you hold. Each provider can hold a single key per account or organization, so a provider you have already configured is shown as (configured) and cannot be added twice β€” edit the existing entry instead.

3

Paste your credential

Paste the API key issued by that provider. Most providers take a single secret string (for example an Anthropic sk-ant-… or OpenAI sk-… key). Use the eye toggle to reveal the value while typing if you want to double-check it.

AWS Bedrock is the exception β€” instead of a single key it takes a small JSON object with your IAM credentials and region. The IAM user needs bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions:
{ "accessKeyId": "...", "secretAccessKey": "...", "region": "us-east-1" }
4

Save

Click Save. The key is encrypted before storage and cannot be viewed again β€” if you lose it, add a replacement. A new key is enabled by default and starts routing immediately.

5

Test it

Use the flask (Test) button on the key's row to send a tiny live request to the provider. A success toast confirms the credential and the provider it authenticated against; a failure usually means the key is wrong, lacks access to the tested model, or is out of credit on the provider side.

How a BYOK key gets used

You do not select your key per request. MegaBrain matches it automatically based on the model you ask for.

Automatic routing

When your client requests a model that one of your enabled keys can serve, that request is routed through your key and billed by the provider β€” no flag or header needed.

Multiple matches

If more than one of your keys can serve the same model, MegaBrain tries them in an unspecified order until one succeeds.

Balance is skipped

Requests served by a BYOK key do not draw down your MegaBrain credits, so balance and spend checks are bypassed for those calls.

Graceful fallback

If you have no enabled key for the requested model, MegaBrain falls back to its own routing and your MegaBrain balance, exactly as before.

Direct providers:a few providers are reached through a dedicated, prefixed model entry rather than the shared catalogue. For those, the key only applies when you pick a model that carries that provider's prefix. The Add Key dialog lists the exact model IDs to use, and a newly added entry can take a few minutes (and a client restart) to appear.

Supported providers

The provider list and the exact models each key covers are shown live inside the Add Key dialog (expand Supported Models). The most common options:

ProviderNotes
AnthropicClaude family β€” sk-ant-… keys
OpenAIGPT family β€” sk-… keys
Google AI StudioGemini models
AWS BedrockClaude, Llama & more via your AWS account
Mistral AIBoth the Codestral FIM endpoint and other Mistral models
DeepSeekDeepSeek chat & reasoning models
xAIGrok models
MiniMaxMiniMax models (also configurable via Token Plan Plus)
Moonshot AIKimi models
PerplexitySonar models
Fireworks Β· Novita Β· InceptionHosted open-weight inference
Xiaomi Β· Z.aiPay-as-you-go providers

Browse every routable model on the Models page.

Manage existing keys

  • βœ“Enable / disable β€” flip the toggle to stop or resume routing through a key without deleting it. Disabled keys are skipped during routing.
  • βœ“Update β€” replace the stored secret with a new one. The provider cannot be changed; delete and re-add if you need a different provider.
  • βœ“Delete β€” remove the key entirely. Future requests for its models fall back to MegaBrain routing.
  • βœ“Token Plan Plus (MiniMax) β€” if a MiniMax key was provisioned by a Token Plan Plus subscription, changing or removing it only affects routing. Subscription billing continues until you cancel it in the Subscription Center.

Troubleshooting

β–ΆThe key test fails right after I add it

Confirm the key was pasted in full with no trailing spaces, that it is active on the provider side, and that the provider account still has credit. Some keys are scoped to specific models β€” make sure the key has access to chat/completion models, not just a narrow subset.

β–ΆI added a key but my requests still bill MegaBrain credits

Routing only applies to models that the provider actually serves. Check that the key is enabled (the toggle is on) and that the model you requested belongs to that provider. For direct providers you must select the prefixed model entry shown in the Add Key dialog.

β–ΆA newly added direct-provider model does not show up in my client

Direct-provider entries can take a few minutes to propagate. Wait briefly and restart your coding agent so it refetches the model list, then look for the entry carrying that provider’s prefix.

β–ΆCan I see or export a key I already saved?

No. Keys are encrypted at rest and never returned after creation. If you need the value again, generate a fresh key on the provider and use Update to replace the stored one.

β–ΆWho can manage organization keys?

Only organization owners and billing managers. Every add, update, enable/disable, and delete on an organization key is recorded in the organization audit log.

β–ΆMy AWS Bedrock key is rejected

Bedrock expects a JSON object β€” not a single string β€” with accessKeyId, secretAccessKey, and region. The IAM user must hold bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions, and the region must be one where the model you want is available.