Z-AI / BYOK
Bring your own keys
Z-AI never holds provider credentials in plaintext. You supply your OpenAI / Anthropic / Gemini / etc. keys; we encrypt them with Fernet and use them only to route your requests.
Why BYOK
- Zero markup. You pay your provider directly at their list rates. Z-AI is the router, not the seller.
- Your relationship, your quotas. Rate limits, billing, abuse policy — all stay with the upstream provider.
- Trust boundary stays at the provider. Even if Z-AI is compromised, no plaintext provider keys leak (Fernet AEAD).
- Mix providers in one app. Use Claude for reasoning, Gemini Flash for cheap classification, Groq for low-latency UX — one Z-AI key in your code, swap models with a string.
How it works
- You paste a provider key into Z-AI → Providers.
- The server encrypts it with Fernet (symmetric AEAD, PROVIDER_KEY_ENCRYPTION_KEY) and stores the ciphertext only. The key is never written to logs or returned from any API.
- When you call /v1/chat/completions with e.g. openai/gpt-5.4-mini, Z-AI decrypts your OpenAI key in memory just long enough to forward the request to OpenAI's API.
- The response (or SSE stream) flows back to you. We log tokens, latency and cost — never the key, never the prompt body.
Encryption at rest
Fernet (AES-128-CBC + HMAC-SHA-256).
```bash
# Server-side env (set once at deploy)
PROVIDER_KEY_ENCRYPTION_KEY=$(python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
```

Rotating this key requires re-encrypting all stored provider keys. Plan a migration window if you ever rotate it.
The encryption key never leaves the server. The API has no endpoint that returns provider plaintext — not even to admins.
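One way to carry out the re-encryption that a key rotation requires, as an added example that is not Z-AI's own code: it uses MultiFernet from the cryptography package to rewrite each stored ciphertext under a new key while the old key is still accepted for decryption, then checks that every row decrypts with the new key alone. The `store` dict, the function names and the sample provider strings are constructed for illustration.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def rotate_store(store, old_key, new_key):
    """Return a copy of `store` with every Fernet token re-encrypted under new_key.

    Fails closed: one undecryptable row aborts the run before anything is
    returned, so the caller never writes back a half-rotated table.
    """
    # MultiFernet encrypts with the first key and tries each key when decrypting.
    mf = MultiFernet([Fernet(new_key), Fernet(old_key)])
    rotated = {}
    for row_id, token in store.items():
        try:
            rotated[row_id] = mf.rotate(token)
        except InvalidToken as exc:
            raise ValueError(f"row {row_id!r} failed authentication") from exc
    return rotated


def decryptable_with(store, key):
    """True only if every row authenticates and decrypts under `key` alone."""
    f = Fernet(key)
    try:
        for token in store.values():
            f.decrypt(token)
    except InvalidToken:
        return False
    return True


def demo():
    # Constructed sample data: placeholder strings, not real provider keys.
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    store = {
        "openai": Fernet(old_key).encrypt(b"sk-EXAMPLE-0000"),
        "groq": Fernet(old_key).encrypt(b"gsk_EXAMPLE-0000"),
    }
    rotated = rotate_store(store, old_key, new_key)
    # Retire old_key only after this check passes on the written-back rows.
    return decryptable_with(rotated, new_key), decryptable_with(rotated, old_key)


if __name__ == "__main__":
    print(demo())
```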
Per-provider setup
Click through to your provider, generate an API key, and paste it into Z-AI → Providers.
| Provider | Key format | Get one |
|---|---|---|
| OpenAI | sk-... | platform.openai.com/api-keys |
| Anthropic | sk-ant-... | console.anthropic.com/settings/keys |
| Google Gemini | AIza... | aistudio.google.com/apikey |
| Groq | gsk_... | console.groq.com/keys |
| Mistral | (opaque) | console.mistral.ai/api-keys/ |
| Together AI | (opaque) | api.together.xyz/settings/api-keys |
| Fireworks AI | fw_... | fireworks.ai/account/api-keys |
| Custom (vLLM, Ollama, …) | any / none | Self-hosted — also paste base_url |
Scoping a Z-AI key
For each Z-AI key you issue, you can:
- Pin an allowed-model list so the key can only call certain models (e.g. lock a public-facing service to the cheapest tier).
- Set a spend cap (in micro-USD). When hit, the key returns HTTP 402 until you raise the cap.
- Configure a fallback model. If the primary fails (provider outage, rate limit), Z-AI retries the request against the fallback so your users don't see an error.