BYOK Keys

Bring Your Own Key (BYOK) lets you use your own LLM provider API keys for AI-powered scoring. This is required for the llm_judge scorer type.

Supported providers

Security

• Keys are encrypted before storage — the database never contains plaintext keys
• The UI only displays the key_prefix (first 8 characters) after creation
• Keys are decrypted only inside the isolated eval worker process
• Encryption uses a dedicated BYOK_ENCRYPTION_KEY that is separate from other secrets

Adding a BYOK key

Dashboard

1. Navigate to Settings → BYOK Keys
2. Click Add Key
3. Select the provider, enter your API key, and optionally name it
4. The key is encrypted and stored — you’ll see only the prefix going forward

API

curl -X POST https://api.launchgate.ai/v1/byok-keys \
  -H "Authorization: Bearer $LAUNCHGATE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "openai",
    "name": "Production OpenAI Key",
    "key": "sk-...",
    "is_default": true
  }'

Default keys

You can mark one key per provider as the default. When an llm_judge scorer runs, it uses the default key for the specified provider. Setting is_default: true on a new key automatically unsets the previous default for that provider.

Testing a key

Verify that a key is valid and working:

curl -X POST https://api.launchgate.ai/v1/byok-keys/{keyId}/test \
  -H "Authorization: Bearer $LAUNCHGATE_API_KEY"

Revoking a key

curl -X DELETE https://api.launchgate.ai/v1/byok-keys/{keyId} \
  -H "Authorization: Bearer $LAUNCHGATE_API_KEY"

Revoking a key removes it from use. Any llm_judge cases that depend on a revoked key will fail until a new key is added for that provider.