Merged
28 changes: 0 additions & 28 deletions apps/docs/content/docs/en/enterprise/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -31,33 +31,6 @@ Define permission groups to control what features and integrations team members


The BYOK section was removed from the English enterprise docs, but the same section still exists in other language versions (German, Spanish, French, Japanese, and Chinese). These need to be updated for consistency.

The BYOK section should be removed from:

  • apps/docs/content/docs/de/enterprise/index.mdx
  • apps/docs/content/docs/es/enterprise/index.mdx
  • apps/docs/content/docs/fr/enterprise/index.mdx
  • apps/docs/content/docs/ja/enterprise/index.mdx
  • apps/docs/content/docs/zh/enterprise/index.mdx

And potentially added to the corresponding costs.mdx files in those languages (though I note those files may not exist yet based on the execution/costs.mdx files I saw).


---

## Bring Your Own Key (BYOK)

Use your own API keys for AI model providers instead of Sim Studio's hosted keys.

### Supported Providers

| Provider | Usage |
|----------|-------|
| OpenAI | Knowledge Base embeddings, Agent block |
| Anthropic | Agent block |
| Google | Agent block |
| Mistral | Knowledge Base OCR |

### Setup

1. Navigate to **Settings****BYOK** in your workspace
2. Click **Add Key** for your provider
3. Enter your API key and save

<Callout type="warn">
BYOK keys are encrypted at rest. Only organization admins and owners can manage keys.
</Callout>

When configured, workflows use your key instead of Sim Studio's hosted keys. If removed, workflows automatically fall back to hosted keys.

---

## Single Sign-On (SSO)

Enterprise authentication with SAML 2.0 and OIDC support for centralized identity management.
Expand Down Expand Up @@ -117,4 +90,3 @@ curl -X POST https://your-instance/api/v1/admin/organizations/{orgId}/members \
### Notes

- Enabling `ACCESS_CONTROL_ENABLED` automatically enables organizations, as access control requires organization membership.
- BYOK is only available on hosted Sim Studio. Self-hosted deployments configure AI provider keys directly via environment variables.
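
Review bot: the BYOK bullet dropped from the end of Notes, which said BYOK is only available on hosted Sim Studio and that self-hosted deployments configure AI provider keys via environment variables, is not reproduced in the BYOK section this PR expands in apps/docs/content/docs/en/execution/costs.mdx. If the hosted-only restriction still holds, carry the sentence over to that section so self-hosted operators are not sent to a Settings page; if it no longer holds, say so in the PR description.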
23 changes: 22 additions & 1 deletion apps/docs/content/docs/en/execution/costs.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,28 @@ The model breakdown shows:

## Bring Your Own Key (BYOK)

You can use your own API keys for hosted models (OpenAI, Anthropic, Google, Mistral) in **Settings → BYOK** to pay base prices. Keys are encrypted and apply workspace-wide.
Use your own API keys for AI model providers instead of Sim Studio's hosted keys to pay base prices with no markup.

### Supported Providers

| Provider | Usage |
|----------|-------|
| OpenAI | Knowledge Base embeddings, Agent block |
| Anthropic | Agent block |
| Google | Agent block |
| Mistral | Knowledge Base OCR |

### Setup

1. Navigate to **Settings****BYOK** in your workspace
2. Click **Add Key** for your provider
3. Enter your API key and save

<Callout type="info">
BYOK keys are encrypted at rest. Only workspace admins can manage keys.
</Callout>

When configured, workflows use your key instead of Sim Studio's hosted keys. If removed, workflows automatically fall back to hosted keys with the multiplier.

## Cost Optimization Strategies
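
Review bot: the replaced one-line summary said keys "are encrypted and apply workspace-wide", but the new callout only says "BYOK keys are encrypted at rest", so the scope statement is lost. Keep it in the callout, because the scope decides which workflows spend against the customer's provider account. The closing sentence also refers to "the multiplier" without saying where it is defined; name or link the section that defines it.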

199 changes: 0 additions & 199 deletions apps/sim/app/api/v1/admin/byok/route.ts

This file was deleted.

4 changes: 0 additions & 4 deletions apps/sim/app/api/v1/admin/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -53,10 +53,6 @@
* GET /api/v1/admin/subscriptions/:id - Get subscription details
* DELETE /api/v1/admin/subscriptions/:id - Cancel subscription (?atPeriodEnd=true for scheduled)
*
* BYOK Keys:
* GET /api/v1/admin/byok - List BYOK keys (?organizationId=X or ?workspaceId=X)
* DELETE /api/v1/admin/byok - Delete BYOK keys for org/workspace
*
* Access Control (Permission Groups):
* GET /api/v1/admin/access-control - List permission groups (?organizationId=X)
* DELETE /api/v1/admin/access-control - Delete permission groups for org (?organizationId=X)
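
Review bot: with the `GET` and `DELETE /api/v1/admin/byok` entries gone from this index and `apps/sim/app/api/v1/admin/byok/route.ts` deleted, the only key-removal path left in this PR is the per-workspace `DELETE` in `apps/sim/app/api/workspaces/[id]/byok-keys/route.ts`. Please confirm in the description that operators no longer need an organization-wide way to list or purge stored provider keys, for example when offboarding an organization.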
41 changes: 1 addition & 40 deletions apps/sim/app/api/workspaces/[id]/byok-keys/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@ import { nanoid } from 'nanoid'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { isEnterpriseOrgAdminOrOwner } from '@/lib/billing/core/subscription'
import { isHosted } from '@/lib/core/config/feature-flags'
import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
import { generateRequestId } from '@/lib/core/utils/request'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
Expand Down Expand Up @@ -58,15 +56,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}

let byokEnabled = true
if (isHosted) {
byokEnabled = await isEnterpriseOrgAdminOrOwner(userId)
}

if (!byokEnabled) {
return NextResponse.json({ keys: [], byokEnabled: false })
}

const byokKeys = await db
.select({
id: workspaceBYOKKeys.id,
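
Review bot: with the `byokEnabled` gate removed, the only check visible ahead of the `db.select` in this hunk is the 401 return, whereas POST and DELETE keep an explicit `permission !== 'admin'` check. Please confirm that GET still verifies the caller's permission on `workspaceId` before querying `workspaceBYOKKeys`, and that the response never carries a stored key in full now that the Enterprise restriction no longer limits who reaches this query.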
Expand Down Expand Up @@ -108,7 +97,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
})
)

return NextResponse.json({ keys: formattedKeys, byokEnabled: true })
return NextResponse.json({ keys: formattedKeys })
} catch (error: unknown) {
logger.error(`[${requestId}] BYOK keys GET error`, error)
return NextResponse.json(
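
Review bot: dropping `byokEnabled` from the success response changes the API contract: a client that still reads `byokEnabled` will now get `undefined`, which is falsy, and may hide the BYOK settings. Please update, or point to, the client code that consumed this field in the same PR.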
Expand All @@ -131,20 +120,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{

const userId = session.user.id

if (isHosted) {
const canManageBYOK = await isEnterpriseOrgAdminOrOwner(userId)
if (!canManageBYOK) {
logger.warn(`[${requestId}] User not authorized to manage BYOK keys`, { userId })
return NextResponse.json(
{
error:
'BYOK is an Enterprise-only feature. Only organization admins and owners can manage API keys.',
},
{ status: 403 }
)
}
}

const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (permission !== 'admin') {
return NextResponse.json(
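
Review bot: the removed block contained the only `logger.warn` visible in this hunk for a refused key-management attempt, including the `userId`. If the remaining `permission !== 'admin'` branch does not log, denied attempts to add provider keys stop appearing in the logs; add an equivalent warning there so the request ID and user are still recorded.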
Expand Down Expand Up @@ -245,20 +220,6 @@ export async function DELETE(

const userId = session.user.id

if (isHosted) {
const canManageBYOK = await isEnterpriseOrgAdminOrOwner(userId)
if (!canManageBYOK) {
logger.warn(`[${requestId}] User not authorized to manage BYOK keys`, { userId })
return NextResponse.json(
{
error:
'BYOK is an Enterprise-only feature. Only organization admins and owners can manage API keys.',
},
{ status: 403 }
)
}
}

const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (permission !== 'admin') {
return NextResponse.json(
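
Review bot: after this removal the `permission !== 'admin'` check is the only gate on DELETE, and the updated costs.mdx says a removed key makes workflows "automatically fall back to hosted keys with the multiplier". Since any workspace admin can now trigger that billing change, record successful deletions with `userId` and `workspaceId`; the removed block logged only refusals.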