Private API keys (BYOK)
Private API keys register your own upstream provider keys with the platform: when routing and binding rules allow, requests can use your key for the upstream instead of only platform-managed upstream resources.
vs tenant API keys
| Tenant API key | Private API key | |
|---|---|---|
| Purpose | Call RouterBrain HTTP (tenant identity) | Register an upstream key for a provider |
| Typical UI | /keys | /private-api-keys |
| Holder | Platform-issued sk-… | Key you create in the upstream console |
Both can coexist: application code still uses the tenant API key to call the gateway; routing may use your private upstream key when configured.
Create / maintain
- Sign in and open Access & control → Private API keys at
/private-api-keys. - Create: pick an allowed provider (options depend on what’s enabled for your tenant), paste the upstream API key, save.
- Enable / disable: toggle whether this registration participates in routing without deleting it.
- Edit / rotate: edit when rotating keys; confirm no traffic depends on a key before delete.
Field names, provider list, and errors follow the current console.
See also
- Create tenant API keys
- Models and routing (routing and upstream credentials)