BYOK for AI Agents: Keep Customer Credentials Out of Workspaces
How to let customers bring Claude/OpenAI credentials without handing those secrets to untrusted agent code.
Audience: B2B SaaS teams selling AI automation to security-sensitive customers.
The problem
BYOK becomes dangerous if the key is injected into the same workspace where scripts and tools run: any code executing there, trusted or not, can read the key and send it anywhere.
Implementation path
Store provider credentials encrypted at the org level, let the broker own provider calls, and expose only scoped tool capabilities to the sandbox.
Tradeoffs and failure modes
This architecture is slightly more complex than injecting the key as an environment variable, but it is the difference between BYOK as a trust feature and BYOK as an exfiltration path.
Credential split
Broker: provider credential, billing owner, model call
Sandbox: customer files, tools, temporary outputs
API: encrypted credential registration and rotation
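The broker/sandbox split described under "Implementation path" and "Credential split", as an added example that is not Argo's own code: the provider credential lives only in the broker process, the sandbox receives a short-lived, tool-scoped capability, and the broker refuses calls outside that scope. The provider HTTP call and the org-level encrypted store are stubbed (assumed interfaces); the credential and org values are constructed samples.

```python
import hashlib
import hmac
import json
import secrets
import time

# Broker-side state. In a real deployment these are decrypted on demand from an
# org-scoped secret store (assumed); the plaintext map stands in for that here.
_PROVIDER_CREDS = {"org_acme": "sk-constructed-sample-NOT-REAL"}
_BROKER_SIGNING_KEY = secrets.token_bytes(32)  # never leaves the broker

# Which provider endpoint each sandbox-visible tool is allowed to reach.
TOOL_SCOPES = {"summarize": "models.complete", "embed": "models.embed"}


def mint_capability(org_id: str, tool: str, ttl_s: int = 300) -> str:
    """Issue the only secret the sandbox holds: a signed, scoped, expiring capability."""
    claims = {"org": org_id, "tool": tool, "exp": int(time.time()) + ttl_s}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(_BROKER_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def _verify(cap: str) -> dict:
    """Reject forged, tampered or expired capabilities before touching any credential."""
    body_hex, tag = cap.split(".", 1)
    body = bytes.fromhex(body_hex)
    expected = hmac.new(_BROKER_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("bad capability signature")
    claims = json.loads(body)
    if claims["exp"] < time.time():
        raise PermissionError("capability expired")
    return claims


def _call_provider(api_key: str, endpoint: str, payload: dict) -> dict:
    """Stand-in for the real provider call (assumed); the key is used, never returned."""
    assert api_key  # the broker, not the sandbox, is the only caller with the key
    return {"endpoint": endpoint, "output": f"[{endpoint}] {payload['input'][:24]}"}


def broker_invoke(cap: str, tool: str, payload: dict) -> dict:
    """Sandbox -> broker request. Only the broker resolves org -> credential."""
    claims = _verify(cap)
    if claims["tool"] != tool or tool not in TOOL_SCOPES:
        raise PermissionError(f"capability scoped to {claims['tool']!r}, not {tool!r}")
    api_key = _PROVIDER_CREDS[claims["org"]]
    result = _call_provider(api_key, TOOL_SCOPES[tool], payload)
    result["billing_org"] = claims["org"]  # billing follows the org, not the sandbox
    return result
```

A capability minted for one tool cannot be replayed against another, and a tampered org claim fails the signature check, so the sandbox never gains a path to the key itself.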
Run this on Argo