BYOK (Bring Your Own Key)
Definition
The privacy model by which each user supplies their own AI provider API key (OpenAI, Anthropic, or Gemini), stored encrypted in the Vault, and used in place of any platform key when the user runs AI operations.
Avoid: bring your own token, user key, personal key.
Role
BYOK is the enterprise-grade privacy guarantee. Every AI call that Shrubbery makes on behalf of a user — Smart Paste extraction via /api/gather, future AI features — resolves the provider key at call time through resolveProviderAndKey(). If the user has set a key, it is used; if not, the platform falls back to its own key (where available). After Sprint 14, there is no platform-side AI fallback for Smart Paste — a BYOK key is required.
The user manages BYOK from the /settings panel: set, clear, or rotate keys per provider. The raw key value is never shown after it is stored; only the token_prefix is visible on the UI. Keys are isolated per user — no key is ever shared across accounts.
Lifecycle
Not a stateful concept. BYOK describes the per-user key policy, not an entity with transitions.
- Set — user pastes a provider key in
/settings→ encrypted and written to the Vault viasetByokKey. - Resolved —
resolveProviderAndKey()swaps the user's key into each AI SDK call at run time. - Cleared — user removes a key via
/settings→clearByokKeywipes the encrypted record.
Related guides
Last updated: 22 June 2026