Bring Your Own Key
How to add your own provider API keys to a workspace and use them in Content Studio generation runs.
A workspace owner can connect provider API keys to make BYOK (bring-your-own-key) models available for generation runs. When a BYOK key is active, generation costs are billed directly to that provider account rather than consuming Oxagen credits.
Supported providers
| Provider | Key format | Where to obtain |
|---|---|---|
| Anthropic | sk-ant-api03-… | console.anthropic.com/settings/keys |
| OpenAI | sk-… | platform.openai.com/api-keys |
AIza… | aistudio.google.com/apikey | |
| xAI | xai-… | console.x.ai/ |
| Mistral | (varies) | console.mistral.ai/api-keys/ |
Adding a key
- Navigate to Settings → Models in the workspace sidebar.
- Under API Keys, find the provider row.
- Click Add key.
- Enter a label (default:
primary) and paste the API key. - Click Save key.
The platform runs a one-token probe against the provider API before saving. If the probe fails — expired key, invalid format, insufficient permissions — the key is not stored and an error is shown.
After a key is saved:
- The provider's models appear in the workspace catalog under My models in the model picker.
- The tier dropdowns in Settings → Models → Models include the new provider's options.
Removing a key
- Navigate to Settings → Models → API Keys.
- Click Remove next to the key label.
- Confirm the removal.
After removal, any workloads that were using that key fall back to the Oxagen-managed default and resume consuming platform credits. The key itself is permanently deleted from the platform — it cannot be recovered or re-displayed.
Security properties
| Property | Details |
|---|---|
| Encryption at rest | AES-256-GCM. The key is encrypted before database write using a workspace-scoped encryption key stored in Google Secret Manager. |
| Masked in UI | Only the first four and last four characters are shown after save (e.g. sk-a…bCdE). The full key is never returned in any API response. |
| Not logged | The key value is excluded from all application logs, error traces, and audit records. Audit records capture only the provider name, label, and operation timestamp. |
| Validation probe | A minimal API call is made to the provider at save time to verify the key is valid. The probe result is discarded immediately; no response data is stored. |
| Deletion | Removing a key deletes the encrypted ciphertext from storage. Deletion is immediate and irreversible. |
Using a BYOK key in Content Studio
Once a key is connected, the provider's models appear in the model picker popover under My models. Select any of these models before submitting a generation prompt to route that run through the BYOK key.
To use a BYOK model for all runs in the workspace by default, set it as the tier default in Settings → Models → Models. See Workspace Defaults.
BYOK models selected in a generation run affect only the script generation step. Image generation always uses the platform's configured image providers (Gemini Imagen 3 and OpenAI) regardless of the BYOK model chosen for script generation. See Providers for details.
Plan requirements
BYOK is available on Pro, Ultra, and Enterprise plans. Attempting to add a key on a Free plan returns 403 Forbidden with a message describing the required plan.