BYOK: API Keys

BYOK stands for Bring Your Own Key. TARX does not have a platform-level LLM subscription or charge you per token. Instead, you add your own API keys from LLM providers (Anthropic, OpenAI, Google, etc.), and TARX injects those keys into LLM calls on your behalf.

This means:

Your token costs go directly to your provider account (at provider rates, no markup)
TARX never bills you for inference
You can use any model from any provider you have access to
You can switch models freely without changing your billing

Supported Providers

TARX uses LiteLLM under the hood, which provides a unified interface to virtually all LLM providers. The following are natively supported:

Provider	Example Models	Key Format	Needs base URL?
Anthropic	claude-sonnet-4-6, claude-opus-4-6, claude-haiku-4-5	`sk-ant-...`	No
OpenAI	gpt-4o, gpt-4o-mini, o3-mini	`sk-...`	No
Google AI (Gemini)	gemini-2.5-pro, gemini-2.5-flash, gemini-2.0-flash	Google AI Studio key	No
Mistral	mistral-large-latest, mistral-small-latest, codestral-latest	Mistral API key	No
HuggingFace	mistralai/Mistral-7B-Instruct, meta-llama/Llama-3.3-70B-Instruct	`hf_...`	No
Azure AI Foundry	your deployments	Azure key	✅ resource endpoint
OpenAI-compatible	any OpenAI-spec API (Groq, Together, OpenRouter, Ollama, vLLM, …)	Varies	✅ base URL

The exact models available are listed live from your key once you select it in the Agent Editor — you don't have to remember model strings. See Models and Providers.

Getting Provider API Keys

Provider	Where to get a key
Anthropic	console.anthropic.com/keys
OpenAI	platform.openai.com/api-keys
Google Gemini	aistudio.google.com/app/apikey
HuggingFace	huggingface.co/settings/tokens
Groq	console.groq.com/keys
Together AI	api.together.xyz/settings/api-keys

Adding a Key

LLM keys are project-scoped and admin-managed. Add a key while the target project is active; it becomes available to every member of that project.

Click Settings in the sidebar (gear icon at the bottom-left).
Click the Keys & Secrets tab at /{username}/settings.
Under Project LLM Keys, click Add key. (Only project admins see this control — if you're an editor/reader, ask an admin.)

Fill in the form:

Field	Description
Provider	Select from the dropdown (Anthropic, OpenAI, Google AI, Mistral, HuggingFace, Azure AI Foundry, OpenAI-compatible)
Name	A human-readable label — this is what appears in the agent editor dropdown. Examples: `"My OpenAI Key"`, `"Claude Production"`, `"Groq Fast"`
Key Value	Your actual API key. This is the only time the raw value is visible.
Base URL (Azure AI Foundry & OpenAI-compatible)	The resource endpoint / base URL. Azure: the resource endpoint from the Foundry Overview page (e.g. `https://<resource>.cognitiveservices.azure.com/`) — not a single deployment's URL; the form rejects a `…/deployments/<name>/chat/completions` URL. OpenAI-compatible: the API base, e.g. `https://api.groq.com/openai/v1`.

Click Add key.

The key is encrypted immediately on save. You will never see the raw value again (only the name and a masked version). If you need to update a key, delete it and add a new one.

How Keys Are Stored (Security)

Your keys go through this process:

At execution time (when a workflow runs):

Security properties:

Keys are encrypted at rest using industry-standard symmetric encryption
Encryption keys are managed by TARX's secure infrastructure — never in code or environment files
Decryption happens in-memory only during execution
Raw key values are never logged (TARX's logging excludes the api_key parameter)
The raw value is never returned by any API endpoint after creation
Keys are stored in the project-scoped project_llm_keys container — only members of the project can use them, and only admins can add or delete them

Key Scoping

LLM keys are project-level, not user-level. This means:

A key added to a project is shared with every member of that project
Any member (admin, editor, or reader) can run agents/workflows that use the project's keys
Only project admins can add, rotate, or delete keys
Agents resolve keys by their project, not by who triggers the run

Each agent stores a reference (user_api_key_id) to the project key it should use. When a workflow runs, the executor resolves the key from the agent's project.

This design ensures:

A teammate joining a project can run existing workflows immediately — no key setup required
Provider billing is shared at the project level (the cost goes to whoever owns the underlying provider account for that key)
There is one obvious place to manage a project's model access

Shared budget

Because keys are shared, any member who triggers an execution spends against the project's BYOK provider account. This is intentional — it's what makes onboarding instant. Manage who can run workflows via project roles.

Naming Keys Strategically

Give your keys meaningful names, since the name is all you'll see when configuring agents:

Good Names	Why
`Claude Production`	Clear provider + intended use
`OpenAI GPT-4o Production`	Clear environment context
`OpenAI Budget (fast/cheap)`	Signals this key is for cheap/fast operations
`Groq Fast Inference`	Signals speed optimization intent

Avoid names like Key 1 or My Key — they become confusing when you have multiple keys.

OpenAI-Compatible Endpoints

A large ecosystem of providers exposes an OpenAI-spec API — the same request/response format as OpenAI. TARX connects to any of them through the single OpenAI-compatible provider option, so you can run agents on fast inference services, aggregators, or your own self-hosted models.

Providers you can connect

Provider	Base URL	Notes
Groq	`https://api.groq.com/openai/v1`	Very fast inference for open models
Together AI	`https://api.together.xyz/v1`	Large catalog of open models
OpenRouter	`https://openrouter.ai/api/v1`	Aggregator — one key, many providers
Perplexity	`https://api.perplexity.ai`	Web-grounded models
Fireworks	`https://api.fireworks.ai/inference/v1`	Fast open-model hosting
Ollama (local)	`http://localhost:11434/v1`	Self-hosted; local backend only (see warning)
vLLM (self-hosted)	`https://your-vllm-server.com/v1`	Your own GPU server
Any OpenAI-spec endpoint	your endpoint root	If it speaks the OpenAI API, it works

How to connect one

Select OpenAI-compatible as the provider.
Enter your API key (or a placeholder if no auth is required, e.g., local Ollama).
Enter the Base URL — the endpoint root (see the table above). Use the root that ends in /v1, not a full chat-completions path.
In the Agent Editor, selecting this key lists the provider's /v1/models for you. If listing isn't available, type the model name exactly as the server expects it (e.g., llama-3.3-70b-versatile for Groq). TARX routes it as openai/<model> against your base URL.

Ollama / localhost only works for a local backend

A cloud-deployed TARX backend cannot reach http://localhost:11434. Use a reachable base URL (Groq, Together, a hosted vLLM, etc.) for cloud deployments.

Third-party endpoints change

Base URLs and model names are set by each provider and can change. If a connection fails, confirm the current base URL and model identifiers on the provider's own documentation.

Deleting a Key

Settings → Keys & Secrets.
Find the key in the list.
Click the trash icon (🗑️) next to the key.
Confirm deletion.

Agents using the key will break

If you delete a key that agents reference, those agents will fail when workflows run (key not found error). Update those agents to use a different key before deleting.

To find which agents use a key: go to Agents, look for agents where the key dropdown shows the key name you're about to delete.

What About Bridge?

Bridge (the AI chat interface) uses TARX's built-in AI model — you don't need to provide a key for Bridge. TARX covers the cost of Bridge inference.

However, if you connect your own agents to Bridge (multi-agent mode), those agents use your own BYOK key as configured. See Multi-Agent Bridge for details.

FAQ

Q: What if I run out of credits on my provider account?

A: Workflow executions using that key will fail with an authentication or quota error from the provider. Add credits to your provider account and re-run the execution.

Q: Can I use one key for all agents?

A: Yes. You can configure multiple agents to all reference the same key. There is no limit on how many agents reference a single key.

Q: Can I rotate my API key?

A: Yes. Add the new key value as a new entry in Settings → Keys & Secrets with the same name. Then update all agents to reference the new key ID. Then delete the old key entry.

Q: Can other project members see or use a key I add?

A: They can use it (that's the point — keys are shared so agents work for everyone), and they can see its name and masked hint. They can never read the raw value — it's encrypted and never returned by any endpoint. Only project admins can add or delete keys. Members of other projects have no access at all.

Q: Does TARX see my API key usage?

A: TARX's backend makes the API calls on your behalf, so technically the calls route through the TARX backend. However, the key is decrypted in-memory and never stored after the call. TARX does not monitor or log your LLM usage or responses beyond what's stored in your execution records.

Supported Providers​

Getting Provider API Keys​

Adding a Key​

How Keys Are Stored (Security)​

Key Scoping​

Naming Keys Strategically​

OpenAI-Compatible Endpoints​

Providers you can connect​

How to connect one​

Deleting a Key​

What About Bridge?​

FAQ​