LLM Keys (BYOK)
The Keys & Secrets tab at /{username}/settings manages the BYOK LLM keys your agents use to call providers. LLM keys are project-scoped: they are shared with every member of the project and resolved by agents at runtime — so a teammate who joins a project can run its existing workflows immediately, without recreating keys.
The three credential scopes
TARX keeps three kinds of credentials, each with a different scope. Knowing which is which avoids confusion:
| Credential | Scope | Who manages | What it's for |
|---|---|---|---|
| Project LLM Keys (BYOK) | Project — shared across all members | Project admins | Agents call LLM providers (Anthropic, OpenAI, …) at runtime |
| Project Secrets | Project — shared across all members | Project admins | API keys/tokens/env vars referenced by name in workflows & agents |
Platform API Keys (sk-tarx-*) | User — personal to your account | Each user (self) | Programmatic access to the TARX API; authenticate as you, pick a project with the X-Project-ID header |
The first two are shared project resources. The third is your personal identity token — see API Integration.
Key List
The Keys & Secrets tab shows all of the current project's LLM keys:
| Column | Description |
|---|---|
| Name | The label for this key |
| Provider | Anthropic / OpenAI / Google AI / Mistral / HuggingFace / Azure AI Foundry / OpenAI-compatible |
| Key (masked) | First/last few chars shown, middle masked |
| Added by | The project admin who added the key |
All project members can see this list (masked). Only admins see the Add key and delete controls.
Adding a Key (admin only)
- Open Settings → Keys & Secrets while the target project is active.
- Under Project LLM Keys, click Add key.
- Fill in:
- Provider: select from the dropdown
- Name: the label that appears in the agent editor dropdown
- Key Value: your API key (visible only during entry)
- Base URL: required for Azure AI Foundry (
https://<name>.openai.azure.com/) and OpenAI-compatible providers (e.g.https://api.groq.com/openai/v1)
- Click Add key.
Once added, agents source their model list live from the key — for Azure that's your real deployments, for the others the provider's model API. See Models and Providers.
The key value is encrypted immediately on save and cannot be viewed again. If you are not a project admin, ask one to add the key.
Key Usage
When an agent references a key (via user_api_key_id), any member of the project can run that agent — the key resolves by the agent's project, not by who triggers the run. This is what makes onboarding instant: keys live with the project, not with an individual.
Deleting a Key (admin only)
- Click the 🗑️ trash icon next to the key.
- Confirm deletion — any agents in the project using this key will stop working until repointed.
After deletion, agents referencing this key fail at runtime with an API-key error.
Key Security
- Keys are encrypted at rest using industry-standard encryption before storage
- Stored in the
project_llm_keyscontainer — scoped to the project (partitioned byproject_id) - All project members can use keys at runtime; only admins can add or delete them
- Raw values are never returned by any API endpoint — only a masked hint
- Decrypted only in-memory at execution time
See BYOK Keys for full security details.
Rotating a Key
There's no in-place edit — add the new key, repoint agents, then delete the old one:
- As an admin, add the new key (e.g. same name with a
-newsuffix). - Update agents using the old key to point to the new key.
- Verify in the agent test console.
- Delete the old key.