BYOK: Your Keys, Your Control
What is BYOK?
BYOK (Bring Your Own Key) means "bring your own keys" - a service model that returns complete data control to users.
In the AI API service domain, BYOK means:
- You use your own API Keys obtained from official platforms like OpenAI, Anthropic, DeepSeek
- The service provider does not hold, sell, or control your upstream keys
- All API call charges are deducted directly from your official account, not through intermediaries
- You can view, replace, delete, or migrate your keys at any time
XAI Router's BYOK Design Philosophy
XAI Router adopts a 100% pure BYOK architecture - this is our core value proposition:
🔐 Data Sovereignty Belongs to You
Traditional AI Aggregation Platforms:
User → Buy platform credits → Use platform key pool → Platform pays official APIs
❌ You don't know whose keys are being used
❌ You can't control data flow
❌ Service interrupts if platform shuts down
XAI Router BYOK Model:
User → Add your own official keys → XAI Router smart routing → Direct official API calls
✅ You fully control the keys
✅ Transparent costs (official billing)
✅ Can migrate to other platforms anytime
💰 Transparent Costs, Zero Markup
| Platform | Pricing Model | GPT-4 Call Cost Example |
|---|---|---|
| XAI Router | Zero Markup | $0.03/1K tokens (official price) |
| OpenRouter | 5% service fee + official price | $0.03 × 1.05 = $0.0315/1K tokens |
| Traditional Aggregators | 10%-50% markup | $0.03 × 1.3 = $0.039/1K tokens |
Example Calculation: If you call 100M tokens per month, using XAI Router vs OpenRouter saves $1,500/month.
🛡️ End-to-End Encryption, Zero-Trust Architecture
XAI Router employs cryptocurrency-grade security:
Your Provider Keys Encryption Flow:
┌─────────────────────────────────────────────────────────┐
│ 1. You add OpenAI API Key: sk-proj-abc123... │
│ │
│ 2. System generates your unique Encryption Key (32 bytes)│
│ │
│ 3. Encrypts your Provider Key with ChaCha20-Poly1305 │
│ ├─ Algorithm: XChaCha20-Poly1305 (AEAD) │
│ ├─ Nonce: 24-byte random value │
│ └─ Ciphertext stored in PostgreSQL │
│ │
│ 4. Your Encryption Key itself is encrypted by system key │
│ │
│ 5. Decryption requires your account credentials │
│ System admins cannot access │
└─────────────────────────────────────────────────────────┘
Key Security Features:
- ✅ User-Level Isolated Encryption: Each user has a unique Encryption Key
- ✅ No Super-Admin: Database admins cannot decrypt any user's keys
- ✅ Memory Hot Cache: Decryption results cached in memory for only 120 minutes
- ✅ Even if Database Leaks: Attackers cannot recover your Provider Keys
BYOK vs Traditional API Aggregation Platforms
| Comparison | XAI Router (BYOK) | OpenRouter (Hybrid) | Traditional Aggregators |
|---|---|---|---|
| Key Source | 100% user-owned | BYOK or platform pool | Platform pool |
| Pricing | Zero markup | BYOK charged 5% fee | 10%-50% markup |
| Data Control | Fully user-owned | Partially user-owned | Platform-controlled |
| Billing Transparency | Official bills directly viewable | Additional billing required | Black-box billing |
| Vendor Lock-in | None, migrate anytime | No lock-in for BYOK | Strong lock-in |
| Free Tier | Completely free (use your own keys) | 1M requests/month free | None |
| Security Level | End-to-end encryption | Standard encryption | Standard encryption |
| Service Interruption Risk | Low (official API stability) | Medium | High (platform-dependent) |
Three Core Advantages of BYOK
1. 🎯 Cost Control, No Black Box
Traditional Platform Pain Points:
- Unclear which model version is actually called
- Cannot verify if token counts are accurate
- Platform suddenly raises prices, users forced to accept
XAI Router BYOK Solution:
# You can directly verify every call on official platforms
# 1. Login to OpenAI Dashboard: https://platform.openai.com/usage
# 2. View real-time usage: model, token count, cost
# 3. Compare with XAI Router logs to ensure consistency
2. 🔒 Data Sovereignty, Compliance Assured
For strictly regulated industries like finance, healthcare, government:
| Compliance Requirement | Traditional Platforms | XAI Router BYOK |
|---|---|---|
| Data Stays In-Region | ❌ Data goes through platform servers | ✅ Direct official API connection |
| Key Auditing | ❌ Cannot audit platform keys | ✅ All keys traceable |
| SOC 2 Compliance | ❓ Depends on platform certification | ✅ User-controlled |
| GDPR Conformance | ❌ Platform is data processor | ✅ User is controller |
3. 🚀 Flexible Migration, Avoid Lock-in
Scenario Example:
Your team uses XAI Router for 6 months, then decides to migrate to self-hosted:
Day 1: Export XAI Router configuration
├─ Level Mapper: claude*=2, gpt*=1
├─ Model Mapper: gpt-4=gpt-4-turbo
└─ Provider Keys: Your own official keys
Day 2: Import config to self-hosted system, change base_url
Day 3: Seamless migration complete ✅
What if using traditional platforms?
❌ Cannot export keys (you never owned them)
❌ Need to reapply for all official API Keys
❌ Historical usage data cannot be migrated
How to Practice BYOK with XAI Router?
Step 1: Prepare Your Official API Keys
Visit these platforms to obtain keys:
- OpenAI Platform → Get
sk-proj-... - Anthropic Console → Get
sk-ant-... - DeepSeek Platform → Get
sk-... - Google AI Studio → Get
AIzaSy...
Step 2: Add to XAI Router
# Via Admin Console
https://a.xaicontrol.com → Providers → Add Provider Key
# Or via API
curl -X POST https://api.xaicontrol.com/x-keys \
-H "Authorization: Bearer YOUR_XAI_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"SecretKey": "sk-proj-your-openai-key",
"Name": "OpenAI Production",
"Level": 1,
"Provider": "https://api.openai.com",
"Status": true
}'
Step 3: Configure Smart Routing
# Set Level Mapper (model routing rules)
curl -X POST https://api.xaicontrol.com/x-conf \
-H "Authorization: Bearer YOUR_XAI_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"LevelMapper": "claude*=2,gpt-4*=1,gpt-3.5*=1,deepseek*=3"
}'
Step 4: Start Calling
from openai import OpenAI
client = OpenAI(
base_url="https://api.xaicontrol.com/v1",
api_key="YOUR_XAI_API_KEY" # Note: This is the virtual key from XAI
)
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello"}]
)
# XAI Router automatically:
# 1. Routes gpt-4o to Level 1 based on LevelMapper
# 2. Selects an available OpenAI Key from Level 1 pool
# 3. Calls OpenAI official API with that key
# 4. Charges deducted directly from your OpenAI account
Frequently Asked Questions
Q1: How does XAI Router profit with BYOK?
A: XAI Router offers two business models:
- XAI Control [2] (Cloud Service): Basic routing service is completely free; monetization through enterprise-grade premium features (advanced monitoring, SLA guarantees, dedicated support)
- XAI Router [1] (Self-Hosted): One-time license fee + optional technical support services
We believe that only by truly solving user pain points can we build long-term value. Free BYOK is not a marketing gimmick, but our core philosophy.
Q2: Will my keys be misused by XAI Router?
A: Absolutely not. We employ multiple safeguards:
- Technical Isolation: Each user's keys are encrypted with a unique Encryption Key; system admins cannot decrypt
- Audit Logs: All key usage is fully logged and traceable to specific requests
- Open Source Plan: Core AI API Router code (to be open-sourced in 2026)
Q3: What's the difference between XAI Router BYOK and OpenRouter BYOK?
| Feature | XAI Router | OpenRouter |
|---|---|---|
| Must Use BYOK | ✅ 100% BYOK, no other option | ❌ Optional BYOK or platform pool |
| BYOK Fee | ✅ Completely free | ❌ 5% service charge |
| Free Tier | ✅ Unlimited (use your own keys) | ⚠️ 1M requests/month then paid |
| Self-Hosted | ✅ Supported | ❌ Cloud-only |
Q4: How do I export my configuration if I want to switch platforms?
A: Very simple:
# 1. Export all configuration
curl https://api.xaicontrol.com/x-conf \
-H "Authorization: Bearer YOUR_XAI_API_KEY" \
> my-config.json
# 2. Export Provider Keys list (shows names and Levels only, not keys themselves)
curl https://api.xaicontrol.com/x-keys \
-H "Authorization: Bearer YOUR_XAI_API_KEY" \
> my-keys.json
# 3. Your original keys are always on official platforms (e.g., OpenAI Dashboard), just copy directly
Further Reading
- "Terminology" to understand BYOK-related terms
- "Access Control" to learn how to protect your keys
- "Quick Start" to start using BYOK