BYOK — Bring Your Own Key
developerz.ai is a thin orchestrator. We never proxy or resell inference tokens. You connect your own API key from Anthropic, OpenAI, or Google Gemini. Your key goes directly to the provider; we are not in the call path.
Why BYOK?
- Cost transparency — your provider invoice shows exactly what the agent spent. No markup, no hidden per-seat token fees.
- Model choice — pick the model that matches your cost/quality needs. Swap at any time without changing your policy file.
- Data residency — your code and issue text go directly to the provider you chose under your own account's data-handling terms.
- No vendor lock-in to us — if you stop using developerz.ai, your key and your data stay with the provider.
Supported providers
| Provider | Models |
|---|---|
| Anthropic | claude-opus-4, claude-sonnet-4, claude-haiku-4 (and later versions) |
| OpenAI | gpt-4o, gpt-4o-mini, o3, o4-mini |
| Google Gemini | gemini-2.5-pro, gemini-2.5-flash |
The model list is updated as providers release new versions. Check the dashboard for the current model picker.
Adding your key
- Open the dashboard and go to Settings → Model keys.
- Choose your provider and paste your API key.
- Click Save. The key is encrypted with AES-256-GCM before being stored; the plaintext is never written to disk or logs after the initial save.
- Select the key in your repository's Settings → Model dropdown.
You can add multiple keys (one per provider) and choose per-repository which key to use.
Key storage and security
- Keys are stored encrypted at rest (
AES-256-GCM, unique IV per row). - Keys are decrypted in memory only at the moment the agent needs to make an API call.
- Keys are never logged, never included in audit events, and never sent to any third party other than the selected provider.
- Key access is scoped to your account. GitHub App installation tokens cannot read keys.
- See the security doc for the full threat model.
Usage limits
You can set soft spending limits and hard caps in the dashboard:
| Limit | Description |
|---|---|
| Monthly budget | Soft alert at 80% of your configured monthly spend. |
| Per-session cap | Maximum LLM steps per agent session (default: limits.max_steps_per_session: 50 in .maintainer.yml). |
| Rate cap | Maximum API calls per minute, to avoid burst charges. |
When a hard cap is hit the agent parks the current session and logs the reason. No partial work is silently abandoned — the audit log shows exactly where the session stopped.
Rotating your key
- Generate a new key in your provider's dashboard.
- Paste the new key in Settings → Model keys → Edit.
- Click Save. The new key takes effect for all subsequent agent sessions.
- Revoke the old key in your provider's dashboard.
There is no downtime during rotation — in-flight sessions complete with the old key; new sessions use the new key.