The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
docs	Ready	Preview, Comment	Jan 13, 2026 1:22am

@greptile

Greptile Overview

Greptile Summary

This PR successfully democratizes the BYOK (Bring Your Own Key) feature by removing enterprise plan restrictions, making it available to all workspace admins on hosted deployments. The implementation is generally solid with clean removal of authorization gates and proper permission checks.

What Changed

Access Control Evolution:

• Removed isWorkspaceOnEnterprisePlan() and isEnterpriseOrgAdminOrOwner() checks from BYOK APIs
• Deleted the admin bulk management endpoint /api/v1/admin/byok (previously used for enterprise plan churn cleanup)
• Simplified authorization to workspace admin permission only via getUserEntityPermissions()
• Changed BYOK from "enterprise" section to "system" section in settings UI

Execution & Billing Impact:

• BYOK keys are now checked for all workspaces during workflow execution
• When BYOK key exists: Uses user's key, sets isBYOK=true, skips billing (no cost multiplier)
• When no BYOK key: Uses platform hosted keys, applies 1.4x multiplier, bills user
• The billing logic correctly prevents double-charging when users provide their own keys

Documentation Updates:

• Moved BYOK documentation from /enterprise/index.mdx to /execution/costs.mdx
• Added comprehensive setup instructions and clarified that "only workspace admins" can manage keys
• Updated permission messaging from "organization admins and owners" to "workspace admins"

Issues Found

1. Documentation inconsistency: Other language versions (German, Spanish, French, Japanese, Chinese) still have BYOK in their enterprise docs and need updating
2. UI clarity issue: The deletion modal message "platform hosted keys" is vague compared to previous messaging that mentioned cost implications

Security & Access Control Assessment

The new permission model is appropriate and secure:

• Workspace admin permission is correctly enforced via getUserEntityPermissions() which returns 'admin', 'write', 'read', or null
• This is consistent with other sensitive settings (API keys, environment variables) which also require workspace admin
• BYOK keys are encrypted at rest using encryptSecret() and decrypted only when needed
• No privilege escalation risks introduced by removal of enterprise gate

The removal of the admin BYOK bulk deletion endpoint is safe as it was only used for enterprise plan churn cleanup, which is no longer relevant when BYOK is available to all plans.

Confidence Score: 4/5

• This PR is safe to merge with minor documentation inconsistencies that should be addressed
• Score of 4 reflects a well-executed feature democratization with proper security controls and clean code changes. The implementation correctly removes enterprise gates while maintaining appropriate workspace admin authorization. The billing logic properly handles BYOK vs hosted keys to prevent double-charging. The main issues are non-critical documentation inconsistencies (internationalized docs need updating) and a minor UI text clarity issue. No security vulnerabilities, data integrity issues, or breaking changes were found.
• Pay attention to apps/docs/content/docs/en/enterprise/index.mdx - the BYOK section needs to be removed from other language versions (de, es, fr, ja, zh) for consistency

Important Files Changed

File Analysis

Sequence Diagram

sequenceDiagram
    participant User as Workspace Admin
    participant UI as Settings UI
    participant API as BYOK API
    participant DB as Database
    participant Exec as Workflow Execution
    participant Provider as AI Provider

    Note over User,Provider: BYOK Setup Flow (Now Available to All Plans)
    
    User->>UI: Navigate to Settings → BYOK
    UI->>API: GET /api/workspaces/{id}/byok-keys
    API->>DB: Check workspace admin permission
    DB-->>API: Permission verified
    API->>DB: Query existing BYOK keys
    DB-->>API: Return encrypted keys
    API->>API: Decrypt and mask keys
    API-->>UI: Return masked keys list
    UI-->>User: Display provider cards with Add/Update/Delete

    User->>UI: Click "Add Key" for provider
    UI-->>User: Show API key input modal
    User->>UI: Enter API key and save
    UI->>API: POST /api/workspaces/{id}/byok-keys<br/>{providerId, apiKey}
    API->>DB: Verify workspace admin permission
    DB-->>API: Permission verified
    API->>API: Encrypt API key
    API->>DB: Upsert BYOK key for provider
    DB-->>API: Success
    API-->>UI: Return success with masked key
    UI-->>User: Show success message

    Note over User,Provider: Workflow Execution with BYOK

    User->>Exec: Trigger workflow with AI block
    Exec->>Exec: Identify provider and model
    Exec->>DB: Query BYOK key for workspace
    alt BYOK key exists
        DB-->>Exec: Return encrypted key
        Exec->>Exec: Decrypt key
        Exec->>Provider: Call API with user's key
        Provider-->>Exec: Return response
        Exec->>Exec: Calculate cost (no multiplier)
        Note over Exec: isBYOK=true, skip billing
    else No BYOK key
        Exec->>Exec: Use platform hosted key
        Exec->>Provider: Call API with platform key
        Provider-->>Exec: Return response
        Exec->>Exec: Calculate cost with 1.4x multiplier
        Exec->>DB: Log usage and bill user
    end
    Exec-->>User: Return workflow results

@greptile

Greptile Overview

Greptile Summary

This PR democratizes the Bring Your Own Key (BYOK) feature by making it available to all users instead of restricting it to Enterprise plan customers. The changes remove enterprise-only feature gating from the API routes, core execution logic, UI components, and documentation.

Key Changes

Access Control Shift:

• Before: BYOK required enterprise plan + organization admin/owner role
• After: BYOK requires workspace admin permission (any plan)

Code Changes:

1. Removed isEnterpriseOrgAdminOrOwner checks from API routes (GET/POST/DELETE endpoints)
2. Removed isWorkspaceOnEnterprisePlan check from core BYOK key resolution logic
3. Deleted isWorkspaceOnEnterprisePlan function from subscription module
4. Deleted entire /api/v1/admin/byok endpoint used for organization-level management
5. Removed enterprise gate UI component showing "upgrade to enterprise" message
6. Moved BYOK from "Enterprise" to "System" section in settings modal

Documentation Updates:

• Moved BYOK documentation from Enterprise features to Cost Calculation page
• Updated permission requirements from "organization admins and owners" to "workspace admins"
• Added note clarifying BYOK is hosted-only (self-hosted uses environment variables)

Architectural Impact

The permission model now relies solely on workspace-level permissions via getUserEntityPermissions, which checks the permissions table for workspace admin access. This is simpler and more consistent with other workspace settings like API keys and environment variables.

During workflow execution, getApiKeyWithBYOK now checks for BYOK keys for all workspaces in hosted environments, falling back to hosted keys with the pricing multiplier if no BYOK key is configured.

Minor Issue Identified

The API response still includes a byokEnabled: true field that is now always true and serves no purpose. This can be cleaned up in a follow-up or as part of this PR.

Confidence Score: 4/5

• This PR is safe to merge with one minor cleanup recommendation
• The changes are well-structured and consistently applied across all layers (API, core logic, UI, docs). The permission model properly restricts BYOK management to workspace admins, maintaining security while democratizing access. The deletion of the admin BYOK endpoint is intentional since organization-level bulk operations are no longer needed. One style issue exists with the deprecated byokEnabled field, but this doesn't impact functionality.
• apps/sim/app/api/workspaces/[id]/byok-keys/route.ts - contains deprecated byokEnabled field that should be removed for API cleanliness

Important Files Changed

File Analysis

Sequence Diagram

sequenceDiagram
    participant User
    participant UI as BYOK Settings UI
    participant API as /api/workspaces/[id]/byok-keys
    participant Auth as getUserEntityPermissions
    participant Core as getApiKeyWithBYOK
    participant DB as Database
    
    User->>UI: Navigate to Settings → BYOK
    Note over UI: No enterprise gate check
    UI->>API: GET /api/workspaces/[id]/byok-keys
    API->>Auth: Check user permissions
    Auth->>DB: Query permissions table
    DB-->>Auth: Return permission level
    Auth-->>API: Returns 'admin', 'write', 'read', or null
    
    alt User has permission
        API->>DB: Fetch BYOK keys for workspace
        DB-->>API: Return encrypted keys
        API-->>UI: Return keys + byokEnabled: true
        UI->>User: Display BYOK providers
    else No permission
        API-->>UI: 401 Unauthorized
    end
    
    User->>UI: Add/Update API Key
    UI->>API: POST /api/workspaces/[id]/byok-keys
    API->>Auth: Check workspace admin permission
    
    alt User is workspace admin
        API->>DB: Encrypt and store key
        DB-->>API: Success
        API-->>UI: Return success
        UI->>User: Key saved
    else Not workspace admin
        API-->>UI: 403 Forbidden
    end
    
    Note over Core: During workflow execution
    Core->>DB: Check for BYOK key (no enterprise check)
    
    alt BYOK key exists
        DB-->>Core: Return encrypted key
        Core->>Core: Decrypt key
        Core-->>Core: Use BYOK key
    else No BYOK key
        Core->>Core: Fall back to hosted key with multiplier
    end