Bring your own keys
BYOK — Bring Your Own Keys — lets each workspace use its own Cloudflare, OpenAI, OpenRouter, or Qdrant credentials rather than the platform's shared pool. It's especially useful when you operate Glozr as a SaaS for downstream customers who want their own AI bills.
What BYOK is
When BYOK is enabled, a workspace owner enters credentials in Settings → BYOK keys. Subsequent agent traffic — embeddings, completions, vector search — runs against those keys instead of the shared platform ones. The usage shows up on the customer's provider dashboard, not yours.
Policy matrix
Two controls combine to decide whether BYOK is available:
- Global flag — platform-level toggle.
- Per-user override — Inherit global, Force enable, or Force disable.
Flipping either switch takes effect on the next request without restarting the app.
Where to configure it
Administrators
- /settings/system — the global BYOK toggle.
- /admin/users — per-user overrides.
Workspace owners
- /settings/byok-keys — paste your provider credentials here.
Encryption at rest
Credentials are encrypted in the database using APP_KEY via Laravel's Crypt envelope. The raw DB column never contains plaintext — even a full database dump leaks ciphertext, not usable secrets.
Tenant isolation
Five layers keep one workspace's keys away from another:
- Encrypted database columns.
- Workspace resolution from the authenticated request context only.
- Scoped HTTP-client bindings (not framework singletons).
- Mutation guards that reject any cross-workspace write.
- Automated regression tests that fail loudly if any of the above regresses.
Things to keep in mind
- BYOK affects variable AI and vector costs — it doesn't change your Glozr subscription price.
- Rotating APP_KEY invalidates the encrypted column; customers will need to re-enter their credentials.
- Usage shows up on the provider's dashboard for that workspace's keys, not in Glozr platform analytics.
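The encryption-at-rest and APP_KEY rotation points above, as an added PHP example that is not Glozr's or Laravel's own code: a simplified encrypt-then-MAC envelope showing that the stored column holds no plaintext and that a value sealed under one key cannot be opened under another. The function names, both keys and the sample credential are constructed for illustration.

```php
<?php
// Added illustration: a simplified stand-in for an encrypt-then-MAC envelope.
// Not Glozr's or Laravel's code; sealSecret/openSecret are hypothetical names.

function sealSecret(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv);
    if ($value === false) {
        throw new RuntimeException('encryption failed');
    }
    $iv = base64_encode($iv);
    // The MAC covers IV and ciphertext, so a wrong key or an edited column is detected.
    $mac = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}

function openSecret(string $stored, string $key): ?string
{
    $p = json_decode(base64_decode($stored, true) ?: '', true);
    if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
        return null; // not a well-formed envelope
    }
    $expected = hash_hmac('sha256', $p['iv'] . $p['value'], $key);
    if (!hash_equals($expected, (string) $p['mac'])) {
        return null; // MAC mismatch: refuse before attempting decryption
    }
    $iv = (string) base64_decode($p['iv'], true);
    $plain = openssl_decrypt($p['value'], 'aes-256-cbc', $key, 0, $iv);
    return $plain === false ? null : $plain;
}

$currentKey = random_bytes(32);   // stands in for APP_KEY at the time of saving
$rotatedKey = random_bytes(32);   // stands in for APP_KEY after rotation
$credential = 'sk-constructed-example-not-a-real-key'; // constructed sample

$column = sealSecret($credential, $currentKey); // value the DB column would hold

echo "column contains plaintext: ";
var_dump(str_contains($column, $credential));
echo "opens with the key it was sealed under: ";
var_dump(openSecret($column, $currentKey) === $credential);
echo "opens after the key is rotated: ";
var_dump(openSecret($column, $rotatedKey) !== null);
```

The same MAC check that makes a rotated key fail also rejects a column that was altered in the database, which is why the failure shows up as an unreadable credential rather than a corrupted one.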