Bring Your Own Key (BYOK)
BYOK lets you plug your own provider API keys into MegaBrain. When you add a key, requests for that provider's models are billed by the provider on your own account instead of drawing down your MegaBrain balance β while you keep using a single gateway, one client configuration, and the same model catalogue. Keys are encrypted at rest and routed automatically; there is nothing to change in your coding agent.
Provider billing
Usage on a BYOK provider is charged to your own provider account, not your MegaBrain credits.
Zero client changes
Once a key is saved, MegaBrain routes matching models through it automatically. Your agent config stays the same.
Encrypted at rest
Keys are encrypted with AES-256-GCM before they touch the database and are never shown again after saving.
Personal keys vs. organization keys
BYOK works at two levels. Pick the one that matches who should pay and who should manage the key.
Personal
Tied to your own account and used for your own requests. Manage them at Account β Bring Your Own Key (BYOK) in the app sidebar.
Organization
Shared across every member of an organization. Only an organization owner or billing manager can add, edit, or remove them, and every change is written to the organization audit log.
Add a key
Open the BYOK page
For a personal key, open Account β Bring Your Own Key (BYOK) from the sidebar. For an organization key, go to your organization's settings and open Bring Your Own Key (BYOK) (visible to owners and billing managers).
Click Add Key and choose a provider
Press Add Key and select the provider whose key you hold. Each provider can hold a single key per account or organization, so a provider you have already configured is shown as (configured) and cannot be added twice β edit the existing entry instead.
Paste your credential
Paste the API key issued by that provider. Most providers take a single secret string (for example an Anthropic sk-ant-β¦ or OpenAI sk-β¦ key). Use the eye toggle to reveal the value while typing if you want to double-check it.
bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions:{ "accessKeyId": "...", "secretAccessKey": "...", "region": "us-east-1" }Save
Click Save. The key is encrypted before storage and cannot be viewed again β if you lose it, add a replacement. A new key is enabled by default and starts routing immediately.
Test it
Use the flask (Test) button on the key's row to send a tiny live request to the provider. A success toast confirms the credential and the provider it authenticated against; a failure usually means the key is wrong, lacks access to the tested model, or is out of credit on the provider side.
How a BYOK key gets used
You do not select your key per request. MegaBrain matches it automatically based on the model you ask for.
Automatic routing
When your client requests a model that one of your enabled keys can serve, that request is routed through your key and billed by the provider β no flag or header needed.
Multiple matches
If more than one of your keys can serve the same model, MegaBrain tries them in an unspecified order until one succeeds.
Balance is skipped
Requests served by a BYOK key do not draw down your MegaBrain credits, so balance and spend checks are bypassed for those calls.
Graceful fallback
If you have no enabled key for the requested model, MegaBrain falls back to its own routing and your MegaBrain balance, exactly as before.
Supported providers
The provider list and the exact models each key covers are shown live inside the Add Key dialog (expand Supported Models). The most common options:
| Provider | Notes |
|---|---|
| Anthropic | Claude family β sk-ant-β¦ keys |
| OpenAI | GPT family β sk-β¦ keys |
| Google AI Studio | Gemini models |
| AWS Bedrock | Claude, Llama & more via your AWS account |
| Mistral AI | Both the Codestral FIM endpoint and other Mistral models |
| DeepSeek | DeepSeek chat & reasoning models |
| xAI | Grok models |
| MiniMax | MiniMax models (also configurable via Token Plan Plus) |
| Moonshot AI | Kimi models |
| Perplexity | Sonar models |
| Fireworks Β· Novita Β· Inception | Hosted open-weight inference |
| Xiaomi Β· Z.ai | Pay-as-you-go providers |
Browse every routable model on the Models page.
Manage existing keys
- βEnable / disable β flip the toggle to stop or resume routing through a key without deleting it. Disabled keys are skipped during routing.
- βUpdate β replace the stored secret with a new one. The provider cannot be changed; delete and re-add if you need a different provider.
- βDelete β remove the key entirely. Future requests for its models fall back to MegaBrain routing.
- βToken Plan Plus (MiniMax) β if a MiniMax key was provisioned by a Token Plan Plus subscription, changing or removing it only affects routing. Subscription billing continues until you cancel it in the Subscription Center.
Troubleshooting
βΆThe key test fails right after I add it
Confirm the key was pasted in full with no trailing spaces, that it is active on the provider side, and that the provider account still has credit. Some keys are scoped to specific models β make sure the key has access to chat/completion models, not just a narrow subset.
βΆI added a key but my requests still bill MegaBrain credits
Routing only applies to models that the provider actually serves. Check that the key is enabled (the toggle is on) and that the model you requested belongs to that provider. For direct providers you must select the prefixed model entry shown in the Add Key dialog.
βΆA newly added direct-provider model does not show up in my client
Direct-provider entries can take a few minutes to propagate. Wait briefly and restart your coding agent so it refetches the model list, then look for the entry carrying that providerβs prefix.
βΆCan I see or export a key I already saved?
No. Keys are encrypted at rest and never returned after creation. If you need the value again, generate a fresh key on the provider and use Update to replace the stored one.
βΆWho can manage organization keys?
Only organization owners and billing managers. Every add, update, enable/disable, and delete on an organization key is recorded in the organization audit log.
βΆMy AWS Bedrock key is rejected
Bedrock expects a JSON object β not a single string β with accessKeyId, secretAccessKey, and region. The IAM user must hold bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions, and the region must be one where the model you want is available.