Skip to main content
By default, Knoq routes AI model calls through its own infrastructure using Knoq-managed API keys, and model usage is metered against your subscription’s monthly query allowance. With Bring Your Own Key (BYOK), you supply an API key from a supported AI provider — such as Anthropic — and Knoq routes all model calls directly through that key. Your tokens, your bill, and your provider relationship. Model traffic never touches Knoq’s metered capacity.
BYOK keys are write-only. Once you save a key in Knoq, you cannot retrieve it through the Knoq interface. Store your API key in your own secret manager (such as AWS Secrets Manager, HashiCorp Vault, or 1Password) before pasting it into Knoq. If you lose access to the key, you will need to generate a new one from your AI provider and update it in Knoq.
BYOK is available exclusively on the Business plan. It is not available during a trial period, as it involves a credential-bearing configuration that persists beyond the trial. Contact sales@knoq.one to upgrade or to discuss Business plan pricing.

How BYOK works

When you configure a BYOK key, Knoq loads it from its encrypted credential store at the start of each model call and passes it directly to the AI provider. The key is:
  • Encrypted at rest — stored using the same AES-256-GCM encryption used for all integration credentials.
  • Never stored in plaintext beyond the in-memory lifetime of a single model call.
  • Never logged or returned via API — no endpoint exists to read back a saved BYOK key.
  • Write-only from the moment it is saved — Knoq confirms the key is saved but cannot display it again.
When BYOK is active, Knoq’s monthly query limits and per-org cost caps do not apply. Because the model costs are billed directly by your AI provider, Knoq has no metered usage to cap.

Prerequisites

Before setting up BYOK, confirm the following:
  • Your organization is on an active Business subscription (not a trial).
  • You have an Admin role in your Knoq organization.
  • You have an API key from a supported AI provider — Anthropic (Claude models) and other supported providers are available. Obtain an Anthropic key from console.anthropic.com.
  • You have stored a copy of the API key in your own secure secret store before proceeding.

Setting up BYOK

1

Open AI Provider settings

Sign in to Knoq and navigate to Admin → Settings → AI Provider. You must have the Admin role to access this section.
2

Add your API key

Click Add Key. Select your provider from the dropdown, then paste your API key into the field provided.
3

Save and confirm

Click Save. Knoq will encrypt the key and store it. The field will display a masked placeholder (e.g. sk-ant-••••••••••••xxxx) to confirm the key is saved. The plaintext key is not stored and cannot be retrieved.
4

Verify BYOK is active

Return to the AI Provider settings panel. A status indicator will show BYOK active when the key is configured. Ask a test question in the chat interface to confirm model calls are routing correctly.

Key rotation

To rotate your BYOK key — for example, after a credential rotation policy cycle or a suspected exposure:
  1. Generate a new API key from your AI provider’s console.
  2. Store the new key in your secret manager.
  3. Navigate to Admin → Settings → AI Provider in Knoq.
  4. Click Update Key, paste your new key, and save.
The new key immediately replaces the old one. There is no gap in service during rotation. Knoq does not store the old key after the new one is saved.
Rotate your BYOK key on the same schedule as your other production API credentials. If your organization uses a 90-day rotation policy, apply that policy to your Knoq BYOK key as well.

What BYOK covers

When BYOK is active, all AI model calls made by Knoq for your organization use your key. This includes every stage of query processing — from planning which tools to invoke, through the reasoning steps that gather information from your connected tools, to the final answer synthesis. BYOK does not cover third-party tool calls made over MCP (those are authenticated with your OAuth tokens to each source tool), nor does it affect usage by other Knoq organizations — BYOK is scoped strictly to your organization.

Cost implications

With BYOK active, model costs appear on your AI provider’s invoice, not on your Knoq subscription. Knoq’s per-org monthly query quota and cost cap are bypassed entirely for BYOK-enabled organizations. You are responsible for monitoring your usage and setting appropriate spending limits in your AI provider’s console. Knoq does not impose its own cost cap when BYOK is configured, because the costs are billed directly between your organization and your AI provider.
Without BYOKWith BYOK
Model costs included in Knoq subscriptionModel costs billed by your AI provider
Subject to monthly query quotaQuery quota bypassed
Subject to Knoq’s per-org cost capCost cap bypassed
Knoq-managed API keysYour organization’s API key