BYOK
Bring Your Own Key — AI provider credential management in Monago.
Overview
BYOK is Monago's architectural model where the customer uses their own AI provider contracts (OpenAI, Anthropic, AWS Bedrock). Monago operates as a governance gateway on top of those contracts. Token usage is billed directly by the provider to the customer; Monago uses a separate subscription model for the governance and audit layer.
Why BYOK is relevant for regulated organisations:
- Provider contract ownership — the organisation remains the account holder and retains full control over the data processing chain.
- End-to-end audit trail — billing and model usage visibility stays in the provider's dashboard, while governance and decision logging sits in Monago.
- Minimal vendor lock-in — the API key is a customer asset; switching gateways requires only metadata migration.
- Cost transparency — no margin layer on top of token usage.
Audience for this page: tenant administrators managing AI credentials.
Concepts
| Term | Definition |
|---|---|
| Tenant credential | A credential entry that stores an encrypted API key for one provider. |
| Provider type | The AI providers supported by Monago: OpenAI, Anthropic, AWS Bedrock. |
| Credential name | An internal label chosen by the administrator (e.g. production-openai). Unique per tenant + provider pair. |
| Last 4 chars | The last four characters of the API key used for masked display in the UI. |
| Show-once | The plaintext key is displayed only once during credential creation or rotation. |
| Fallback default | The platform's default key, used when a tenant has no active credential (cloud deployments). |
| Status | Credential lifecycle state: active, disabled, or revoked. |
Setup
Prerequisites
- The admin role on the tenant.
- Access to the AI Providers menu.
- A plaintext API key from the provider dashboard; see the BYOK guide for acquisition guidance.
- A password manager or internal secret vault to store the plaintext after the show-once dialog.
Configuration steps
Log in as a tenant administrator
Log in to the Monago dashboard.
Open AI Providers
Select AI Providers from the sidebar.
Add a provider
Click Add provider in the top-right.
Pick and fill the form
Pick the provider type; fill the credential name, the plaintext API key, and an optional base URL.
Submit
Click Add credential.
Monago validates the key by calling the provider's metadata endpoint. On success, the key is encrypted at rest with industry-standard cryptographic controls before storage.
Show-once dialog
After successful validation, the show-once dialog displays the plaintext key. Copy it, paste it into your password manager, acknowledge, and close. Once dismissed, the plaintext is no longer surfaced through any product workflow — recovery requires rotating the credential.
Usage
Active credentials list
The AI Providers tab shows the credentials table with columns: name, provider, masked key display, status, created date, and actions. Filter chips above the table: provider and status.
Rotate the key
Scenarios that require rotation:
- Your organisation's compliance policy.
- A suspected key compromise.
- The provider has revoked the key from their side.
Generate a new key
From the provider dashboard.
Rotate in Monago
Row action → Rotate key.
Paste the new plaintext
Submit for validation.
Show-once dialog
Copy, acknowledge, and close.
Tip
Recommended workflow: rotate in Monago first, wait a full day, then revoke the old key from the provider dashboard.
Disable temporarily
Disabling pauses use of a credential without permanently revoking it. When a credential is disabled:
- Cloud: the gateway uses the platform's default key when the deployment administrator has configured one.
- On-premise: the gateway returns a configuration error since there is no fallback.
Revoke a credential
A permanent action. Confirmation requires typing the credential name exactly (case-sensitive). Every revocation is recorded in the audit log with the user performing the action, the timestamp, and the last four characters of the key.
Compliance mapping
Per-clause mapping detail and the evidence package are delivered in a separate procurement document — contact support@monago.io.
Troubleshooting
"Invalid API key"
Common causes: whitespace in the plaintext, an expired key, inactive provider billing, an insufficient scope for the metadata endpoint, or an incorrect base URL. The provider's response message is surfaced on the "Provider detail:" line below the main error.
"Credential name already used"
Use a version suffix, e.g. production-openai-v2.
"AI provider credential not found"
The credential may have been revoked by another administrator. Refresh the page to load the latest state.
Gateway request fails after the credential is disabled
This is expected behaviour. The gateway will attempt to use the platform's default key. Re-enable the credential or have the deployment administrator configure a default key.
Validation timeout
The provider's metadata endpoint can be slow. Retry; transient errors are common.
FAQ
Can the Monago team see the plaintext of my API key?
No. The plaintext is encrypted at rest and decrypted only for the duration of an inference request.
Does the audit log record the plaintext of the key?
No. The audit log records credential metadata: provider, name, the last four characters of the key, and field-level changes. The prohibition on writing plaintext to the audit log is enforced by an automated regression test on every release.
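A release check in the spirit of the regression test described above, written as an added example and not Monago's own test code. The record layout, function names, the 8-character fragment threshold and the key values are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

def audit_record(action, user, provider, name, api_key, when):
    """Audit entry with credential metadata only; the key is cut to its last 4 chars."""
    return {
        "action": action,
        "user": user,
        "timestamp": when.isoformat(),
        "provider": provider,
        "credential_name": name,
        "key_last4": api_key[-4:],
    }

def leaks_plaintext(serialized, api_key, min_fragment=8):
    """True if the key, or any run of min_fragment consecutive key characters,
    appears in the serialized log. The 4-character tail stays under the threshold."""
    n = min(min_fragment, len(api_key))
    return any(api_key[i:i + n] in serialized for i in range(len(api_key) - n + 1))

# Constructed sample values; these are not real keys.
OLD_KEY = "sk-EXAMPLE-not-a-real-key-9f3k7Qz2"
NEW_KEY = "sk-EXAMPLE-not-a-real-key-Lm48Xw0p"
WHEN = datetime(2024, 1, 1, tzinfo=timezone.utc)

def safe_rotation_entry():
    """Field-level change recorded as masked tails, never as values."""
    entry = audit_record("rotate", "admin@tenant.test", "openai",
                         "production-openai", NEW_KEY, WHEN)
    entry["changes"] = [{"field": "api_key",
                         "old": "****" + OLD_KEY[-4:],
                         "new": "****" + NEW_KEY[-4:]}]
    return json.dumps(entry)

def naive_rotation_entry():
    """Anti-pattern: a generic field diff that copies old and new values verbatim."""
    entry = audit_record("rotate", "admin@tenant.test", "openai",
                         "production-openai", NEW_KEY, WHEN)
    entry["changes"] = [{"field": "api_key", "old": OLD_KEY, "new": NEW_KEY}]
    return json.dumps(entry)

if __name__ == "__main__":
    for label, line in (("safe", safe_rotation_entry()), ("naive", naive_rotation_entry())):
        leaked = leaks_plaintext(line, OLD_KEY) or leaks_plaintext(line, NEW_KEY)
        print(label, "LEAK" if leaked else "ok")
```

Scanning for fragments rather than the whole key also catches truncated or partially masked values that still expose most of the secret.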
The plaintext was lost after the show-once dialog. How do I recover access?
Generate a new key from the provider dashboard, then rotate in Monago. The old key is replaced automatically.
Can multiple administrators manage credentials?
Yes. Every user with the admin role on the tenant can view, create, rotate, and revoke credentials. The audit log records the user performing each action.
Is there a limit on the number of credentials per tenant?
There is no hard limit during the pilot. Recommendation: 1 to 3 credentials per provider. When multiple active credentials exist for one provider, the gateway uses the most recently created credential.
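The selection rule above, combined with the fallback behaviour described under "Disable temporarily", can be modelled as follows. This is an added example, not Monago's gateway code; the class, function and deployment labels are assumptions, and the sample tenant state is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

class ConfigurationError(Exception):
    """No usable key for the provider."""

@dataclass(frozen=True)
class Credential:
    name: str
    provider: str
    status: str          # "active", "disabled" or "revoked"
    created_at: datetime

def resolve_credential(creds, provider, deployment, default_configured=False):
    """Return (source, credential_name) for the key a request would use.

    deployment is "cloud" or "on-premise" (labels assumed for this example).
    """
    active = [c for c in creds if c.provider == provider and c.status == "active"]
    if active:
        # Several active credentials: the most recently created one wins.
        newest = max(active, key=lambda c: c.created_at)
        return ("tenant", newest.name)
    if deployment == "cloud" and default_configured:
        # No active tenant credential: cloud falls back to the platform default.
        return ("platform-default", None)
    raise ConfigurationError(f"no active credential for {provider} and no fallback key")

# Constructed sample tenant state.
SAMPLE = [
    Credential("production-openai", "openai", "active", datetime(2024, 1, 1)),
    Credential("production-openai-v2", "openai", "active", datetime(2024, 3, 1)),
    Credential("production-anthropic", "anthropic", "disabled", datetime(2024, 2, 1)),
]

def describe(provider, deployment, default_configured=False):
    """Resolve against SAMPLE and report errors as a value instead of raising."""
    try:
        return resolve_credential(SAMPLE, provider, deployment, default_configured)
    except ConfigurationError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    print(describe("openai", "cloud"))
    print(describe("anthropic", "cloud", default_configured=True))
    print(describe("anthropic", "on-premise"))
```

On cloud, disabling a tenant's only active credential does not stop traffic when a platform default is configured; requests move onto that key, which is worth checking before using "disable" as a containment step.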
Can on-premise deployments use this BYOK flow?
Yes. The UI flow is identical. Differences: the super_admin role is not available, the fallback default key is optional, and KMS encryption is customer-managed.
How do I rotate without downtime?
Rotation in Monago is atomic — the next request uses the new key without downtime. Allow a one-day safety window before revoking the old key at the provider.
Related
- Quickstart — three-step setup for integration teams.
- BYOK guide — acquisition, setup, and rotation in full.
- Workspaces — multi-environment isolation.
- Compliance — framework readiness and evidence.