BYOK — Bring Your Own Key

Store your own OpenAI, Anthropic, or OpenRouter API keys so Remb uses your quota for AI calls — summaries, embeddings, and context assembly.

Overview

By default Remb uses a platform-managed API key. BYOK lets you swap that out for your own key per provider — so billing, rate limits, and quota all hit your account directly. Keys are encrypted with AES-256-GCM at rest and never returned in plaintext from any API.

Supported Providers

| Provider | Key prefix | Min length |
|---|---|---|
| openai | sk- | 20 chars |
| anthropic | sk-ant- | 20 chars |
| openrouter | sk-or- | 20 chars |

CLI Usage

Three input modes — inline, interactive, or stdin pipe:

# List stored keys (shows last 4 chars only — never plaintext)
remb keys list

# Add / replace a key — interactive hidden prompt (recommended)
remb keys set openai --interactive
remb keys set anthropic --interactive

# Inline (warns about shell history exposure)
remb keys set openai sk-...

# Stdin pipe (safe for scripts and CI)
echo "$OPENAI_API_KEY" | remb keys set openai

# Optional label for the key
remb keys set openai sk-... --label "personal"

# Remove a key
remb keys remove openai        # aliases: rm, delete, del

Dashboard

Go to Settings → Models in the dashboard. Each provider shows the last 4 characters of your stored key, when it was set, and an optional label. You can replace or delete any key from this view.

REST API

All endpoints accept either a Bearer API key (Authorization: Bearer rmb_…) or a session cookie from the dashboard.

# List key metadata
GET /api/user/keys

# Upsert a key
PUT /api/user/keys
Content-Type: application/json
{ "provider": "openai", "apiKey": "sk-...", "label": "optional" }

# Remove a key
DELETE /api/user/keys?provider=openai

How Keys Are Used

When your key is set, Remb uses it for all AI operations in your sessions: conversation summaries, memory embeddings, and context assembly. If the stored key is missing or decryption fails, the platform key is used silently: no error is surfaced, so your agent always has a working fallback. Because nothing signals the fallback, confirm with `remb keys list` that your key is stored if you expect calls to run against your own quota.

BYOK improves the "better context over time" loop: using your own quota lets Remb summarise more aggressively per session, so the next session loads a tighter and more relevant context slice.

Security

Keys are encrypted with AES-256-GCM before writing to the database, using a server-side encryption key (MCP_ENCRYPTION_KEY) that is never exposed to the client. The plaintext key is never returned by any list, get, or session action — only the last 4 characters are surfaced for identification.
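The storage scheme above and the fallback rule from "How Keys Are Used", as an added sketch in Node.js; this is not Remb's implementation. The function names, the row layout (nonce, tag, and ciphertext in one base64 blob), the AAD binding to user and provider, and the `source`/`reason` fields are assumptions of the example.

```javascript
// Added sketch, not Remb's code. MASTER_KEY stands in for the server-side
// MCP_ENCRYPTION_KEY; the value here is constructed for the demo.
const crypto = require('node:crypto');
const MASTER_KEY = crypto.createHash('sha256').update('constructed-demo-secret').digest();

// Encrypt a provider key for storage. Binding user and provider as AAD is an
// assumption of this sketch: a row copied to another owner fails to decrypt.
function sealKey(userId, provider, apiKey, masterKey = MASTER_KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(Buffer.from(`${userId}:${provider}`));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { userId, provider, last4: apiKey.slice(-4), blob };
}

// Decrypt a stored row; throws if blob, AAD, or master key do not match.
function openKey(row, masterKey = MASTER_KEY) {
  const raw = Buffer.from(row.blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${row.userId}:${row.provider}`));
  decipher.setAuthTag(raw.subarray(12, 28)); // 16-byte GCM tag
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Fallback rule from the page: missing or undecryptable key -> platform key.
// `source` and `reason` (hypothetical fields) let the server log the fallback.
function resolveKey(row, platformKey, masterKey = MASTER_KEY) {
  if (!row) return { key: platformKey, source: 'platform', reason: 'no stored key' };
  try {
    return { key: openKey(row, masterKey), source: 'byok' };
  } catch {
    return { key: platformKey, source: 'platform', reason: 'decryption failed' };
  }
}

// Shape of a list response: metadata only, never the blob or plaintext.
function toMetadata(row) {
  return { provider: row.provider, last4: row.last4 };
}
```

A modified blob, a row moved to another provider, or a rotated master key all end in the same `decryption failed` fallback, so logging `source` on the server is the only way to tell a working BYOK key from a silent switch to the platform key.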

Troubleshooting

| Symptom | Fix |
|---|---|
| `remb keys list` shows empty | Run `remb login` — token may be expired. |
| Key rejected on set | Check prefix matches provider table above; must be ≥ 20 chars. |
| BYOK key not being used | Verify via `remb keys list`; platform key is silent fallback if yours fails. |