Stop Hardcoding AI Keys: The Secure BYOK Architecture

Most AI platforms hardcode their API keys and charge your per query. We let users bring their own keys, encrypt them with AES-256-GCM, and never see the plaintext.

It's called BYOK (Bring Your Own Key). And it's the architectural decision that makes Labas fundamentally different from every other AI exam platfrom.

Repo: https://github.com/rogasper/labas-bahasa﻿

Key Takeaways

•BYOK (Bring Your Own Key) lets users manage their own AI provider keys OpenAI, OpenRouter, Groq, or local LLMs encrypted at rest with AES-256-GCM and PBKDF2 key derivation at 100000 iterations. The platform never stores plaintext keys.

•A hand-rolled OpenAI-compatible HTPP client (317 lines) handles SSE streaming, SSRF protection blocking metadata endpoints and RFC1918 private IPs, HTML error page detection, reasoning tag stripping, and automatic truncation retries.

•The open-source business model: no subscription fees, no per-query charges, no vendor lock-in. Users pay their AI provider directly. The platform is free to self-host.

The BYOK Decision: Why We Don't Hardcode API Keys

In 2026, the AI wrapper space is crowded. Most follow the same pattern: the platform owns the API keys, users pay per query (or subscribe monthly), and the platform absorbs the AI cost. It's a classic SaaS model but it has three problems:

1.Vendor lock-in. Users can't switch AI providers without leaving the platform.

2.Cost scaling. As usage grows, the platform's AI bill grows linearly.

3.Trust barrier. Users must trust the platform with their data and their usage patterns.

We chose the opposite: users bring their own keys. They pay their AI provider directly. We never see their keys in plaintext. The platform is free to self-host.

This decision shaped every layer of our architecture from the database schema to the HTPP client to the encryption module.

﻿

The Encryption Module: 59 Lines of Production-Grade Security

The encryption module (packages/api/src/lib/encryption.ts) is 59 lines. It does one thing: encrypt and decrypt API keys using AES-256-GCM.

Why AES-256-GCM, Not AES-256-CBC?

AES-256-CBC is the "default" encryption algorithm in many tutorials. But CBC has a critical weakness: it doesn't authenticate the ciphertext. An attacker can modify the encrypted data, and the decryption will succeed producing garbled output that might be exploitable.

AES-256-GCM (Galois/Counter Mode) includes an authentication tag. If the ciphertext is modified, decryption fails. This is called authenticated encryption and it's the NIST-recommended approach for new applications.

﻿

Why PBKDF2 with 100000 Iterations?

The encryption key ( API_KEY_ENCRYPTION_KEY ) is a server-side secret. But we still derive the actual encryption key using PBKDF2 with a random salt and 100000 iterations. Why?

1.Defense in depth. If the encryption key is compromised, the attacker still needs to crack PBKDF2 which at 100K interations takes significant compute timer per key.

2.Salt uniqueness. Each encrypted API keys gets its own random salt. Even if two users have the same API key, their encrypted values are different.

3.Industry standard. OWASP recommends at least 100000 iterations for PBKDF2-SHA256 (2023 guidelines). We follow that.

The Encrypted Format

The output format is salt:iv:authTag:ciphertext all base64-encoded, colon-separated:

Each component servers a purpose:

•Salt: unique per encryption, used in PBKDF2 key derivation.

•IV: initialization vector, ensures the same plaintext encrypts differently each time.

•Auth tag: GCM authentication tag, verifies ciphertext integrity.

•Ciphertext: the actual encrypted data.

Decryption parses theses four parts, derives the key, and verifies the auth tag before returning the plaintext:

The setAuthTag call is critical without it, GCM mode doesn't authenticate the ciphertext.

The API Client: SSRF Protection for User-Managed Keys

When users bring their own keys, they can point to any OpenAI-compatible endpoint including http://localhost:11434 for local Ollama models. This flexibility is powerful, but it introduces a security risk: SSRF (Server-Side Request Forgery).

A malicious user could set their base_url to http://169.254.169.254/latest/meta-data/ (AWS metadata endpoint) and read cloud credentials through the AI client.

Our client (packages/ai/src/client.ts) blocks this:

The key design choice: localhost is allowed, but private network IPs are blocked in production. This lets developers test with local Ollama models during development, but prevents SSRF attacks when the app is deployed to a cloud environment.

The check runs before every HTTP request:

The Hand-Roll: Why We Didn't Use the OpenAI SDK

Most projects use the official OpenAI SDK. We wrote our own client from scratch. Why?

1.SSRF protection. The OpenAI SDK doesn't block metadata endpoints it trusts whatever URL you give it.

2.Responses format fallback. Some models (especially open-source ones) don't support response_format: { type: "json_object" }. Our client detects this error and retries without parameter:

3. Reasoning tag stripping. Reasoning models (DeepSeek, GLM) wrap chain-of-thought in <think> tags. The SDK doesn't strip theses our client does:

4. Truncation retry. If the LLM's JSON responses is cut off mid-stream, the client detects this and retries with higher max_tokens:

5. HTML error page detection. Some API proxies return HTNL error pages instead of JSON. The client detects this and throws a clear error message instead of failing with a cryptic JSON parse error.

Each of theses edge cases was discovered through real usage not from reading documentation. They're the kind of defensive programming that only emerges when you run an AI platform against diverse providers.

Contrarian take: The OpenAI SDK is great for simple use cases. But when you're building a platform that connects to arbitrary OpenAI-compatible endpoints (OpenRouter, Groq, local Ollama, Azure OpenAI), you need defensive layers that the SDK doesn't provide. A hand-rolled client isn't NIH syndrome it's the right tool for a multi-provider architecture.

The Database Schema: Where Encrypted Keys Live

User API keys are stored in the user_api_key table:

The api_key_encrypted column stores the salt:iv:authTag:ciphertext string. The plaintext is never persisted. When a user initates AI generation, the server:

1.Fetches the encrypted key from the database.

2.Decrypts it using decryptApiKey().

3.Creates an OpenAICompatibleClient with decrypted key.

4.Makes the API call.

5.The decrypted key exists only in memory during the API call it's never logged, never stored, never returned to the client.

The Businees Model: Why BYOK Makes Sense for Open Source

BYOK isn't just a technical decision it's a business model choice.

with BYOK:

•No subscription fees. Users pay their AI provider directly.N

•No per-query charges. The platform doesn't absorb AI costs.

•No vendor lock-in. Users can switch providers by chaning their key.

•Self-hostable. Anyone can run the platform on their own infrastructure.

The tradeoff: users need their own AI API key. For students in Indonesia (our target audience), this means getting an OpenAI key, or using a free tier from OpenRouter, or running a local model with Ollama. It's more setup friction but it gives users full control over their AI costs and provider choice.

What we learned: When we tested with a hardcoded API key model, our monthly AI bill for 100 active users was roughly $200-400 (depending on model choice). With BYOK, that cost shifts to users but they can choose cheaper models (Groq's free tier, local Ollama) or share keys among study groups. The platform's operational cost drops to near zero

Frequently Asked Questions

Isn't BYOK a barrier for non-technical users?
Yes, it is. Getting an API key requires some technical knowledge. We mitigate this by supporting free-tier providers (OpenRouter, Groq) and documenting the setup process step-by-step. For users who can't get a key, we're exploring a credit system where the platform provides free AI generation tokens.
What happens if the encryption key is compromised?
If API_KEY_ENCRYPTION_KEY is compromised, an attacker could decrypt all stored API keys. This is why the key should be stored in a secrets manager (AWS Secrets Manager, HashiCrop Vault, etc.) not in a .env file. We also recommend rotating the encyption key periodically, which requires re-encrypting all stored keys.
Why not use a key management service like AWS KMS?
We could. AWS KMS, HashiVault, or similar services provide key management, rotation, and audit logging. For a self-hosted open-source project, however, we chose a simpler approach: AES-256-GCM with PBKDF2. It's production-grade, doesn't require external infrascructure, and works anywhere Node.js runs.

The BYOK Architecture: Securing User-Managed AI Keys with AES-256-GCM

Key Takeaways

The BYOK Decision: Why We Don't Hardcode API Keys

The Encryption Module: 59 Lines of Production-Grade Security

Why AES-256-GCM, Not AES-256-CBC?

Why PBKDF2 with 100000 Iterations?

The Encrypted Format

The API Client: SSRF Protection for User-Managed Keys

The Hand-Roll: Why We Didn't Use the OpenAI SDK

The Database Schema: Where Encrypted Keys Live

The Businees Model: Why BYOK Makes Sense for Open Source

Frequently Asked Questions