Skip to main content
BYOK is currently in development. Contact support@arouter.ai to join the beta.
Bring Your Own Key (BYOK) lets you register your own provider API keys with ARouter. When a request routes to a provider for which you have a registered key, ARouter uses your key instead of its shared key pool. Benefits:
  • Zero markup on token costs — pay providers directly at their list price
  • Your quota — requests count against your own provider rate limits, not ARouter’s shared pool
  • Your data policy — your existing provider agreements and data terms apply
  • Unified gateway — still get ARouter’s routing, fallback, and observability on top

How BYOK Works

Your Request → ARouter Gateway → [Route Selection] → Provider API (using your key)
  1. You register provider API keys in the ARouter Dashboard
  2. When ARouter routes a request to that provider, it substitutes your key
  3. Your account is not charged for token costs (only ARouter service fees, if any)
  4. usage.is_byok: true is returned in the response

Registering Keys

Add provider keys in the ARouter Dashboard. Supported providers and their key formats:
ProviderKey FormatDashboard Label
OpenAIsk-...OpenAI API Key
Anthropicsk-ant-...Anthropic API Key
Google (Gemini)AIza...Google AI Studio Key
Azure OpenAIEndpoint + KeyAzure OpenAI
AWS BedrockAccess Key + Secret + RegionAWS Bedrock
Google Vertex AIService Account JSONGoogle Vertex AI

BYOK with Provider Ordering

Combine BYOK with provider.order to control when your key is used: 
{
  "model": "openai/gpt-5.4",
  "messages": [{"role": "user", "content": "Hello"}],
  "provider": {
    "order": ["OpenAI"]
  }
}
When OpenAI is in the order list and you have an OpenAI BYOK key registered, ARouter automatically uses your key for that provider.

Partial BYOK

You can register keys for some providers while using ARouter’s shared pool for others: 
{
  "model": "anthropic/claude-sonnet-4.6",
  "provider": {
    "order": ["Anthropic", "AWS Bedrock"]
  }
}
If you have an Anthropic BYOK key, Anthropic will be tried first with your key. If you have an AWS Bedrock key, it tries next. Otherwise ARouter falls back to its shared pool.

Azure OpenAI

Register your Azure OpenAI endpoint and key: 
{
  "provider_name": "Azure",
  "azure_endpoint": "https://your-resource.openai.azure.com",
  "azure_api_key": "your-azure-key",
  "azure_deployment": "gpt-5-4"
}
Then route to it: 
{
  "model": "openai/gpt-5.4",
  "provider": {
    "order": ["Azure"]
  }
}

AWS Bedrock

Two authentication options: Option 1: Bedrock API Keys (recommended) 
{
  "provider_name": "Bedrock",
  "aws_access_key_id": "AKIA...",
  "aws_secret_access_key": "your-secret",
  "aws_region": "us-east-1"
}
Option 2: AWS Credentials 
{
  "provider_name": "Bedrock",
  "aws_credentials": {
    "access_key_id": "AKIA...",
    "secret_access_key": "...",
    "session_token": "...",
    "region": "us-east-1"
  }
}

Google Vertex AI

{
  "provider_name": "VertexAI",
  "vertex_service_account": {
    "type": "service_account",
    "project_id": "your-project",
    "private_key_id": "...",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...",
    "client_email": "your-sa@your-project.iam.gserviceaccount.com"
  }
}

Identifying BYOK Requests

Responses include is_byok: true in the usage object when your key was used: 
{
  "usage": {
    "prompt_tokens": 120,
    "completion_tokens": 45,
    "total_tokens": 165,
    "cost": 0.00,
    "is_byok": true
  }
}
When is_byok: true, usage.cost reflects your direct provider cost (not ARouter markup).

Key Priority and Fallback

ScenarioBehavior
BYOK key registered for providerUse your key
BYOK key registered but provider unavailableFall back to ARouter shared pool (unless allow_fallbacks: false)
No BYOK key for providerUse ARouter shared pool
allow_fallbacks: false + no BYOK keyRequest fails with 404

Debugging BYOK Issues

Check the Activity page in the Dashboard to see which key was used for each request. Common errors:
ErrorCauseFix
401 UnauthorizedInvalid or expired provider keyRotate key in Dashboard Settings
403 ForbiddenKey lacks required permissionsCheck provider IAM settings
quota_exceededYour provider quota exhaustedUpgrade provider plan or remove BYOK to use shared pool