Routing guarantees
Provider secrets are encrypted at rest and never returned to clients.
Policy scope can be global or workspace-specific, with workspace overrides inheriting from global defaults when unset.
How model access, provider policy, platform keys, and user-managed credentials interact in connected runtime.
ai-proxybyokpolicy
Back to docsBefore you start
Connected API runtime with provider credential secret configured.
Workspace principal with relevant credentials and provider permissions.
Execution steps
Step 1
Resolve workspace policy for providers, mode, and model-tag constraints.
Step 2
Validate request body including model, messages, and stream options.
Step 3
Route via platform key or decrypted BYOK credential depending on policy.
Step 4
Enforce quota checks for platform-managed requests.
Step 5
Persist usage completion metadata and quota snapshots.
Context and safeguards
Operational observability
Completion metadata is logged for activity, security, and domain streams, so operators can investigate request behavior without reading raw prompt payloads.
Usage snapshots are used by dashboard and admin surfaces for quota and billing diagnostics.