Vault
Definition
The server-side encrypted store that holds each user's BYOK API keys. Keys are encrypted at rest using AES-GCM; the encryption envelope key never leaves the server.
Avoid: keystore, secrets manager, key chain.
Role
The Vault is the technical mechanism behind BYOK. When a user sets a provider key in /settings, the raw key is encrypted via AES-GCM with a server-only envelope key and written to the byok_keys table. The encrypted blob is never transmitted to the client — only the token_prefix (the first characters of the original key) is shown to the user after storage.
At call time, resolveProviderAndKey() reads the encrypted blob from the Vault, decrypts it server-side, and injects it into the AI SDK call. The decrypted value never touches the client or the response payload.
Lifecycle
Not a stateful concept. The Vault is an infrastructure surface, not an entity with transitions.
- Write —
setByokKeyencrypts and stores the key. - Read —
resolveProviderAndKey()decrypts and injects the key at call time. - Delete —
clearByokKeyremoves the encrypted record.
Related guides
Last updated: 22 June 2026