improvement(byok): make available for all plans (#2782)

* improvement(byok): make available for all plans

* update docs

* address greptile comments

Author: icecrasher321

apps/docs/content/docs/en/enterprise/index.mdx

@@ -31,33 +31,6 @@ Define permission groups to control what features and integrations team members
 
 ---
 
-## Bring Your Own Key (BYOK)
-
-Use your own API keys for AI model providers instead of Sim Studio's hosted keys.
-
-### Supported Providers
-
-| Provider | Usage |
-|----------|-------|
-| OpenAI | Knowledge Base embeddings, Agent block |
-| Anthropic | Agent block |
-| Google | Agent block |
-| Mistral | Knowledge Base OCR |
-
-### Setup
-
-1. Navigate to **Settings** → **BYOK** in your workspace
-2. Click **Add Key** for your provider
-3. Enter your API key and save
-
-<Callout type="warn">
-  BYOK keys are encrypted at rest. Only organization admins and owners can manage keys.
-</Callout>
-
-When configured, workflows use your key instead of Sim Studio's hosted keys. If removed, workflows automatically fall back to hosted keys.
-
----
-
 ## Single Sign-On (SSO)
 
 Enterprise authentication with SAML 2.0 and OIDC support for centralized identity management.
@@ -117,4 +90,3 @@ curl -X POST https://your-instance/api/v1/admin/organizations/{orgId}/members \
 ### Notes
 
 - Enabling `ACCESS_CONTROL_ENABLED` automatically enables organizations, as access control requires organization membership.
-- BYOK is only available on hosted Sim Studio. Self-hosted deployments configure AI provider keys directly via environment variables.

apps/docs/content/docs/en/execution/costs.mdx

@@ -106,7 +106,28 @@ The model breakdown shows:
 
 ## Bring Your Own Key (BYOK)
 
-You can use your own API keys for hosted models (OpenAI, Anthropic, Google, Mistral) in **Settings → BYOK** to pay base prices. Keys are encrypted and apply workspace-wide.
+Use your own API keys for AI model providers instead of Sim Studio's hosted keys to pay base prices with no markup.
+
+### Supported Providers
+
+| Provider | Usage |
+|----------|-------|
+| OpenAI | Knowledge Base embeddings, Agent block |
+| Anthropic | Agent block |
+| Google | Agent block |
+| Mistral | Knowledge Base OCR |
+
+### Setup
+
+1. Navigate to **Settings** → **BYOK** in your workspace
+2. Click **Add Key** for your provider
+3. Enter your API key and save
+
+<Callout type="info">
+  BYOK keys are encrypted at rest. Only workspace admins can manage keys.
+</Callout>
+
+When configured, workflows use your key instead of Sim Studio's hosted keys. If removed, workflows automatically fall back to hosted keys with the multiplier.
 
 ## Cost Optimization Strategies
 

apps/sim/app/api/v1/admin/byok/route.ts

@@ -53,10 +53,6 @@
  *   GET    /api/v1/admin/subscriptions/:id                  - Get subscription details
  *   DELETE /api/v1/admin/subscriptions/:id                  - Cancel subscription (?atPeriodEnd=true for scheduled)
  *
- *   BYOK Keys:
- *   GET    /api/v1/admin/byok                               - List BYOK keys (?organizationId=X or ?workspaceId=X)
- *   DELETE /api/v1/admin/byok                               - Delete BYOK keys for org/workspace
- *
  *   Access Control (Permission Groups):
  *   GET    /api/v1/admin/access-control                     - List permission groups (?organizationId=X)
  *   DELETE /api/v1/admin/access-control                     - Delete permission groups for org (?organizationId=X)

apps/sim/app/api/v1/admin/index.ts

@@ -6,8 +6,6 @@ import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { isEnterpriseOrgAdminOrOwner } from '@/lib/billing/core/subscription'
-import { isHosted } from '@/lib/core/config/feature-flags'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -58,15 +56,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    let byokEnabled = true
-    if (isHosted) {
-      byokEnabled = await isEnterpriseOrgAdminOrOwner(userId)
-    }
-
-    if (!byokEnabled) {
-      return NextResponse.json({ keys: [], byokEnabled: false })
-    }
-
     const byokKeys = await db
       .select({
         id: workspaceBYOKKeys.id,
@@ -108,7 +97,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       })
     )
 
-    return NextResponse.json({ keys: formattedKeys, byokEnabled: true })
+    return NextResponse.json({ keys: formattedKeys })
   } catch (error: unknown) {
     logger.error(`[${requestId}] BYOK keys GET error`, error)
     return NextResponse.json(
@@ -131,20 +120,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     const userId = session.user.id
 
-    if (isHosted) {
-      const canManageBYOK = await isEnterpriseOrgAdminOrOwner(userId)
-      if (!canManageBYOK) {
-        logger.warn(`[${requestId}] User not authorized to manage BYOK keys`, { userId })
-        return NextResponse.json(
-          {
-            error:
-              'BYOK is an Enterprise-only feature. Only organization admins and owners can manage API keys.',
-          },
-          { status: 403 }
-        )
-      }
-    }
-
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
     if (permission !== 'admin') {
       return NextResponse.json(
@@ -245,20 +220,6 @@ export async function DELETE(
 
     const userId = session.user.id
 
-    if (isHosted) {
-      const canManageBYOK = await isEnterpriseOrgAdminOrOwner(userId)
-      if (!canManageBYOK) {
-        logger.warn(`[${requestId}] User not authorized to manage BYOK keys`, { userId })
-        return NextResponse.json(
-          {
-            error:
-              'BYOK is an Enterprise-only feature. Only organization admins and owners can manage API keys.',
-          },
-          { status: 403 }
-        )
-      }
-    }
-
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
     if (permission !== 'admin') {
       return NextResponse.json(