Neureus BYOK lets your customers provide their own OpenAI, Anthropic, or Gemini API keys. Keys are encrypted at rest with AES-GCM per tenant, isolated by tenant_id at the database level, and rotatable without downtime.
Every key is encrypted at rest using AES-GCM with a per-tenant Data Encryption Key (DEK). Plaintext keys never touch persistent storage. The DEK is stored separately — compromise of the database doesn't expose keys.
Keys live in nr_tenant_provider_keys — filtered by tenant_id on every read. One tenant's keys are structurally inaccessible to another, even if they share infrastructure.
POST /ai/providers/:provider/rotate re-encrypts the key under a new DEK. During rotation, the old key continues serving traffic. Rotation is atomic — no gap in availability.
Via your settings UI, your customer enters their OpenAI API key. Your app calls the Neureus BYOK endpoint with the key and the tenant's Bearer token.
Neureus generates a per-tenant DEK, encrypts the key with AES-GCM, and stores the ciphertext in nr_tenant_provider_keys. The DEK is stored in KV with the tenant's namespace — separate from the D1 record.
When a tenant calls /ai/chat with model gpt-4o, Neureus decrypts their stored OpenAI key and uses it for the provider call. The global OPENAI_API_KEY Wrangler secret is the fallback when no BYOK key exists for that provider.
Provider calls are made with the customer's key — they see the charges in their own OpenAI/Anthropic dashboard. You never see their usage or pay their token costs.
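The store, decrypt and rotate steps described above, sketched with WebCrypto as an added example; it is not Neureus source code. The in-memory Maps standing in for D1 and KV, the function names, the choice of one DEK per tenant and provider, and the use of tenant and provider as AES-GCM additional authenticated data are assumptions of this example.

```javascript
// Added illustration, not Neureus source. Maps stand in for D1 and KV.
const db = new Map(); // stand-in for nr_tenant_provider_keys: IV and ciphertext only
const kv = new Map(); // stand-in for the KV namespace that holds the DEKs

// WebCrypto is global in Workers and recent Node; older Node exposes it via node:crypto.
const wc = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const rowId = (tenantId, provider) => `${tenantId}:${provider}`;
// Assumption: tenant and provider are bound into the GCM tag as AAD.
const aad = (tenantId, provider) => new TextEncoder().encode(rowId(tenantId, provider));

async function newDek() {
  const c = await wc();
  return c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function seal(dek, tenantId, provider, apiKey) {
  const c = await wc();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per encryption
  const params = { name: 'AES-GCM', iv, additionalData: aad(tenantId, provider) };
  const ct = await c.subtle.encrypt(params, dek, new TextEncoder().encode(apiKey));
  return { iv, ct: new Uint8Array(ct) };
}

async function storeKey(tenantId, provider, apiKey) {
  const dek = await newDek();
  db.set(rowId(tenantId, provider), await seal(dek, tenantId, provider, apiKey));
  kv.set(rowId(tenantId, provider), dek); // DEK never sits next to the ciphertext
}

async function loadKey(tenantId, provider) {
  const row = db.get(rowId(tenantId, provider));
  const dek = kv.get(rowId(tenantId, provider));
  if (!row || !dek) return null; // caller falls back to the global key or returns 422
  const c = await wc();
  const params = { name: 'AES-GCM', iv: row.iv, additionalData: aad(tenantId, provider) };
  // Throws if the row, DEK or tenant/provider context does not match.
  return new TextDecoder().decode(await c.subtle.decrypt(params, dek, row.ct));
}

async function rotateKey(tenantId, provider) {
  const apiKey = await loadKey(tenantId, provider);
  if (apiKey === null) return false;
  const dek = await newDek();
  const row = await seal(dek, tenantId, provider, apiKey);
  // Old row and DEK stay readable until this swap; a real store needs a versioned write.
  db.set(rowId(tenantId, provider), row);
  kv.set(rowId(tenantId, provider), dek);
  return true;
}
```

Because the tag covers the tenant and provider, a row and DEK that end up under another tenant's identifiers fail to decrypt instead of returning the wrong customer's key.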
Store a provider key for the calling tenant. :provider is openai, anthropic, or gemini.
curl -X PUT https://app.neureus.ai/ai/providers/openai \
-H "Authorization: Bearer $TENANT_KEY" \
-H "Content-Type: application/json" \
-d '{ "apiKey": "sk-proj-your-openai-key" }'
// Response: { "provider": "openai", "stored": true }
List configured providers for the calling tenant. Returns provider names and masked key previews — never the full key.
curl https://app.neureus.ai/ai/providers \
-H "Authorization: Bearer $TENANT_KEY"
// Response:
{
  "providers": [
    { "provider": "openai", "maskedKey": "sk-pr...key", "setAt": "2026-06-20T..." },
    { "provider": "anthropic", "maskedKey": "sk-an...key", "setAt": "2026-06-18T..." }
  ]
}
Re-encrypt the stored key under a new DEK. Zero downtime — the key continues serving traffic during rotation.
curl -X POST https://app.neureus.ai/ai/providers/openai/rotate \
-H "Authorization: Bearer $TENANT_KEY"
// Response: { "provider": "openai", "rotatedAt": "2026-06-20T..." }
Remove a stored key. Future calls to that provider will fall back to the global key or return 422 if none exists.
curl -X DELETE https://app.neureus.ai/ai/providers/openai \
-H "Authorization: Bearer $TENANT_KEY"
// Response: { "provider": "openai", "deleted": true }
import { NeureuAI } from '@neureus/sdk';
// Each customer gets their own tenant client (their API key = their tenant)
const tenantClient = new NeureuAI({ apiKey: customerApiKey });
// Store their OpenAI key — encrypted, isolated to their tenant
await tenantClient.ai.setProviderKey('openai', customerOpenAIKey);
// Now all OpenAI calls from this tenant use their key automatically
const { text } = await tenantClient.ai.chat({
  model: 'gpt-4o', // Uses the customer's OpenAI key, not yours
  messages: [{ role: 'user', content: 'Hello' }],
});
// List their configured providers (returns masked keys only)
const { providers } = await tenantClient.ai.listProviderKeys();
// Rotate their key (re-encrypts under new DEK, zero downtime)
await tenantClient.ai.rotateProviderKey('openai');
Large enterprise customers often have existing OpenAI or Anthropic contracts. BYOK lets them use Neureus without routing tokens through your billing.
Building a white-label AI tool? Each reseller can provide their own API keys. Their token costs stay on their own accounts — you only charge for the Neureus platform.
Some regulated industries need direct contractual relationships with AI providers. BYOK lets your customers maintain that relationship while using Neureus infrastructure.
Customers who want full visibility into their AI spend — seeing it in their own provider dashboard — prefer BYOK over opaque per-call billing from you.
Encrypted per-tenant key storage, rotation, and isolation — no add-on pricing. Start free.