BYOK — Bring Your Own Key

Store your own OpenAI, Anthropic, DeepSeek, or OpenRouter API keys so Remb uses your quota where that provider is used.

Overview

By default Remb uses a platform-managed API key. BYOK lets you swap that out for your own key per provider — so billing, rate limits, and quota all hit your account directly. Keys are encrypted with AES-256-GCM at rest and never returned in plaintext from any API.

Supported Providers

Provider	Key prefix	Min length
`openai`	`sk-`	`20 chars`
`anthropic`	`sk-ant-`	`20 chars`
`deepseek`	`sk-`	`20 chars`
`openrouter`	`sk-or-`	`20 chars`

CLI Usage

Three input modes — inline, interactive, or stdin pipe:

# List stored keys (shows last 4 chars only — never plaintext)
remb keys list

# Add / replace a key — interactive hidden prompt (recommended)
remb keys set openai --interactive
remb keys set deepseek --interactive
remb keys set anthropic --interactive

# Inline (warns about shell history exposure)
remb keys set openai sk-...

# Stdin pipe (safe for scripts and CI)
echo "$OPENAI_API_KEY" | remb keys set openai

# Optional label for the key
remb keys set openai sk-... --label "personal"

# Remove a key
remb keys remove openai        # aliases: rm, delete, del

Dashboard

Go to Settings → Models in the dashboard. Each provider shows the last 4 characters of your stored key, when it was set, and an optional label. You can replace or delete any key from this view.

REST API

All endpoints accept either a Bearer API key (Authorization: Bearer remb_…) or a session cookie from the dashboard.

# List key metadata
GET /api/user/keys

# Upsert a key
PUT /api/user/keys
Content-Type: application/json
{ "provider": "openai", "apiKey": "sk-...", "label": "optional" }

# Remove a key
DELETE /api/user/keys?provider=openai

How Keys Are Used

When your key is set, Remb prefers it for supported operations that use that provider, such as conversation summaries, memory embeddings, and extraction. If the stored key is missing or decryption fails, the platform key is used silently so your agent still has a working fallback.

BYOK improves the "better context over time" loop: using your own quota lets Remb summarise more aggressively per session, so the next session loads a tighter and more relevant context slice.

Security

Keys are encrypted with AES-256-GCM before writing to the database, using a server-side encryption key (MCP_ENCRYPTION_KEY) that is never exposed to the client. The plaintext key is never returned by any list, get, or session action — only the last 4 characters are surfaced for identification.

Troubleshooting

Symptom	Fix
`remb keys list shows empty`	Run `remb login` — token may be expired.
`Key rejected on set`	`Check prefix matches provider table above; must be ≥ 20 chars.`
`BYOK key not being used`	Verify via `remb keys list`; platform key is silent fallback if yours fails.