What is BYOK (Bring Your Own Keys)?

BYOK (Bring Your Own Keys) is a hosting model for AI agent platforms where the user provides their own LLM API keys -- from providers like Anthropic, OpenAI, or Moonshot -- while the platform handles all infrastructure, security, and operational concerns. The user pays the platform a lower hosting fee and pays their LLM provider directly for model usage.

BYOK emerged as a pricing model because LLM costs represent the largest variable expense in running an AI agent. Some users already have API keys with negotiated rates, existing billing relationships, or specific model preferences. BYOK lets them keep that control while offloading the hosting burden.

How BYOK Works

In a BYOK setup, the hosting platform provisions and manages the AI agent infrastructure -- the server, container runtime, messaging integrations, security, and updates. But instead of routing the agent's LLM requests through a managed proxy, the platform configures the agent to call the user's API provider directly using their keys.

The typical flow:

• User signs up for a BYOK plan and enters their API keys (e.g., an Anthropic API key)
• The platform stores the keys securely (encrypted at rest) and injects them into the agent's configuration
• When the agent needs to reason or generate text, it calls the user's API provider directly
• The user pays the hosting platform for infrastructure and pays their API provider for model usage separately

BYOK vs Managed LLM Access

The alternative to BYOK is managed (or "pooled") LLM access, where the hosting platform provides the LLM and bills the user a flat rate or usage-based fee. Here is how they compare:

• BYOK -- Lower platform fee, separate LLM bill, full model choice, existing rate agreements preserved, more billing complexity
• Managed -- Higher platform fee, single bill, curated model selection, no API key management, simpler overall

For developers who already have API keys and want maximum control, BYOK is the obvious choice. For users who want simplicity and a single monthly bill, managed access makes more sense.

Security Considerations

API keys are credentials. Any platform offering BYOK must handle them with care. Best practices include encrypting keys at rest with AES-256 or equivalent, never logging key values, restricting key access to the user's own agent process, and providing the ability to rotate keys without downtime.

In a well-designed BYOK system, the platform never needs to see or store the key in plaintext after initial configuration. The key is injected into the agent's runtime environment and used only for outbound API calls.

How It Relates to KiwiClaw

KiwiClaw offers BYOK as its entry-level plan at $15/month. Users provide their own API keys from any supported LLM provider, and KiwiClaw handles the hosting, sandboxing, messaging integrations, security, and operational management. Keys are encrypted with AES-256-GCM and injected directly into the tenant's isolated VM -- they never pass through KiwiClaw's LLM proxy.

For users who prefer not to manage API keys at all, KiwiClaw's Standard plan ($39/month) includes managed LLM access with curated models, usage caps, and a single monthly bill.

Related Terms

• What is OpenClaw?
• What is an AI Agent?
• What is SSE Streaming?
• What is Data Residency?

Frequently Asked Questions

What does BYOK mean for AI agent hosting?

BYOK (Bring Your Own Keys) is a hosting model where you provide your own LLM API keys from providers like Anthropic or OpenAI, while the platform handles all infrastructure, security, and operations. You pay a lower platform fee and pay your LLM provider directly for model usage.

Is BYOK cheaper than managed LLM access?

BYOK typically has a lower platform fee (e.g., $15/month on KiwiClaw vs $39/month for managed). However, you also pay your LLM provider separately for API usage. Total cost depends on how much you use the agent. For heavy users with negotiated API rates, BYOK can be significantly cheaper.

Are my API keys safe with a BYOK hosting provider?

A well-designed BYOK platform encrypts your API keys at rest with AES-256 or equivalent, never logs key values, and restricts access to your own agent process. On KiwiClaw, BYOK keys are encrypted with AES-256-GCM and injected directly into your isolated VM -- they never pass through the LLM proxy.