BYOK

Bring your own provider API keys

Why BYOK (Bring Your Own Key)

With BYOK through OneRouter, you can seamlessly integrate your own API keys from any supported provider while enjoying a unified access experience. Here’s how it adds value to your business:

  1. Unified API Layer for Faster Development OneRouter offers a single, consistent API interface for all supported providers. Developers no longer need to implement separate integrations for each vendor, saving up to 90% of development time and reducing code complexity.

  2. Centralized Usage & Billing Management Manage usage data and invoices for hundreds of models across multiple providers from a single dashboard. This one-stop billing and analytics approach streamlines financial operations, saving up to 90% of financial back-office time while providing full transparency.

  3. Priority & Fallback Mechanism Set key priority rules and enable automatic fallback. If your BYOK credentials hit rate limits or encounter downtime, OneRouter—based on your fallback configuration—will automatically use your account credits to access the same model from the shared pool. This ensures continuous service availability without manual intervention.

In short, BYOK with OneRouter empowers you to keep full control of your credentials while benefiting from unified integration, centralized management, and resilient failover, making AI adoption faster, more efficient, and more reliable.

The core difference between BYOK and Direct-to-provider

This table compares the BYOK with the traditional Direct-to-provider approach, helping you understand the advantages OneRouter brings to your business.

Feature
BYOK via OneRouter
Direct-to-Provider

Integration Effort

Unified API Layer

  • Developers integrate only once with OneRouter’s API, regardless of provider differences. No need to write custom code for each provider’s SDK or API spec.

  • Up to 90% development time saved.

❌ Must integrate separately with each provider’s API; different SDKs, auth methods, and models require repeated work. Longer delivery time.

Use Case Consistency

✅ OneRouter ensures consistent request/response formats even when switching providers. Minimal code changes when swapping models/vendors.

❌ Each provider may have different request/response structures; switching requires code rewrites and re-testing.

Usage & Billing Management

Centralized Usage & Billing

  • OneRouter consolidates usage data and invoices for hundreds of models across multiple providers.

  • Up to 90% finance team time saved.

❌ Must log into multiple provider dashboards to track and reconcile usage/billing; higher risk of errors.

Key Lifecycle Control

✅ You own and manage your keys; add/remove anytime. Supports multiple keys for different providers/accounts.

❌ Key lifecycle is tied directly to each provider; changes require separate coordination.

Key Priority & Fallback

Priority + Fallback Mechanism — If your BYOK key hits rate limits or errors, and fallback is enabled, OneRouter can automatically switch to using credits in the shared pool for the same model.

❌ No unified fallback; each provider’s system must handle errors independently, often resulting in downtime.

Security & Compliance

✅ BYOK allows full control over your keys; helps meet strict compliance requirements (financial, healthcare, regulated sectors).

⚠ Compliance depends on provider's internal policies; less direct control over key security.

Operational Flexibility

✅ Easily switch providers or models without changing your codebase; just update key settings in OneRouter.

❌ Switching providers/models requires coding changes, testing, and redeployment.

Audit & Observability

✅ Logs available both at OneRouter and provider level; unified dashboard makes it easy to monitor usage and performance.

❌ Must view logs separately from each provider; fragmented observability.

Performance Impact

⚠ Slight overhead due to proxy routing; usually negligible and offset by operational gains.

✅ Slightly lower latency due to direct connection, but sacrifices unified management & fallback.

BYOK on OneRouter is 100% free

OneRouter use your own provider keys and pay only the provider’s standard rates, with no extra platform fees.

Quick start with BYOK

This is a code example showing how to call the gemini-2.5-pro model on Google Vertex using BYOK (Bring Your Own Key).

from openai import OpenAI

client = OpenAI(
  base_url="https://llm.onerouter.pro/v1",
  api_key="<API_KEY>",
)

completion = client.chat.completions.create(
  byok_conf={
    "provider": "google-vertex",
    "fallback": True,
    "credentials": {
      "type": "service_account",
      "project_id": "your-project-id",
      "private_key_id": "your-private-key-id",
      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
      "client_email": "[email protected]",
      "client_id": "your-client-id",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]",
      "universe_domain": "googleapis.com",
      "region": "global"
    } 
  },
  model="gemini-2.5-pro",
  messages=[
    {
      "role": "user",
      "content": "What is the meaning of life?"
    }
  ]
)

print(completion.choices[0].message.content)

  • byok_conf: When this parameter is included in the input, OneRouter will route requests according to the BYOK configuration information specified. When this parameter is null or not provided, OneRouter defaults to routing to the shared provider pool.

  • provider: Specifies the name of the provider where the request should be routed.

  • fallback: OneRouter always prioritizes using your provider keys when available. By default, if your key encounters a rate limit or failure, OneRouter will fall back to using shared OneRouter credits.

    • The default value for fallback is True.

    • If fallback is specified as False, OneRouter will only use your key for requests to that provider.

  • credentials: The keys and credentials used for authentication with the specified provider.

BYOK Security on OneRouter

When you send BYOK configuration data in your requests, it is fully encrypted in transit via HTTPS. OneRouter does not store or retain your provider key information at any time — your keys remain entirely under your control.

You get all OneRouter’s unified API and fallback benefits without ever handing over permanent access to your credentials.

PreviousRerank APINextGoogle Vertex

Last updated