Docs · BYOK

Bring your own provider keys.

Store keys, scope them to projects, rotate without downtime. Same governance, no rewrap, no vendor middleman. Encrypted at rest; signed in transit.

Concept

What BYOK means in TokenOne®.

You bring the provider keys. We govern the network around them. Your contractual relationship with each provider stays in place · we charge a routing-and-governance fee, not a markup on inference.

Store

Add keys via dashboard or API. Encrypted at rest. Never persisted in plaintext; never logged.

Scope

Assign keys to tenants, projects, or workloads. Routing rules inherit provider availability.

Rotate

24-hour rotation overlap window. Old key keeps working while the new key takes traffic.

Quickstart

From key in your hand to governed call.

  1. Sign in to the TokenOne® console and open /tokenone/byok.
  2. Add a key for each provider you use · OpenAI, Anthropic, Bedrock, Azure, Google, OpenRouter, Cohere. Paste the secret; the dashboard encrypts it client-side and stores it sealed.
  3. Scope the key to a project (or leave it tenant-wide). Routing rules will inherit which providers each project can use.
  4. Test with a sample call from the sandbox. The console shows which key was used, how it routed, and the cost trace.
  5. Rotate when needed · TokenOne® keeps the old key live for 24 hours so traffic transitions cleanly.

Security model

How keys are handled.

  • Encryption at rest via a dedicated KMS-rooted key · separate from JWT and signing keys.
  • Plaintext keys never written to logs, never sent to detectors, never returned via the API.
  • Per-call signing chain · every dispatch is HMAC-signed; tampering is detectable.
  • Sovereign endpoints supported · Bedrock, Azure Gov, on-prem.
  • Audit trail · every key access logged with actor, scope and outcome.
  • Rotation policy enforceable per tenant (e.g. mandatory 90-day rotation).
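
The 24-hour overlap described under Rotate and the 90-day rotation policy in the list above, modelled as an added example. This is not TokenOne® code: the `KeyRing` class, its method names and the key ids are hypothetical, and only opaque key ids are tracked, never secrets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

OVERLAP = timedelta(hours=24)  # rotation overlap window stated on this page
MAX_AGE = timedelta(days=90)   # example mandatory-rotation policy from this page


@dataclass
class KeyVersion:
    key_id: str                           # opaque handle, not the secret
    created: datetime
    superseded: Optional[datetime] = None  # set when a newer version arrives


class KeyRing:
    """Versions of one provider key for one scope (hypothetical model)."""

    def __init__(self) -> None:
        self.versions: List[KeyVersion] = []

    def rotate(self, key_id: str, now: datetime) -> None:
        # The previous version starts its own overlap clock at this moment.
        if self.versions:
            self.versions[-1].superseded = now
        self.versions.append(KeyVersion(key_id, now))

    def primary(self) -> Optional[str]:
        """Key id that new traffic uses: always the newest version."""
        return self.versions[-1].key_id if self.versions else None

    def usable(self, now: datetime) -> List[str]:
        """Key ids still accepted: the newest plus any inside its overlap."""
        return [v.key_id for v in self.versions
                if v.superseded is None or now < v.superseded + OVERLAP]

    def overdue(self, now: datetime) -> bool:
        """True when the newest key has outlived the rotation policy."""
        return bool(self.versions) and now - self.versions[-1].created > MAX_AGE
```

Each superseded version carries its own expiry, so two rotations inside one day leave three usable keys until the oldest overlap runs out.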

Procurement note

What changes for finance and procurement.

No model markup

You see exactly what your provider charges. We charge a routing-and-governance fee on each call.

Provider DPA stays in place

Your data processing agreement is between you and the provider. TokenOne® is a sub-processor for governance, not a data co-controller.

Switch routing without re-papering

Take your keys with you. We earn your spend on the governance layer · no lock-in.
