Liya Engine

Supply your own OpenAI, Anthropic, or Azure OpenAI API key instead of using Liya Engine's managed infrastructure.

By default, Liya Engine routes all LLM calls through its own managed API keys (provider_config.mode = "liya_managed"). BYOK lets you supply your own provider credentials so that all inference for your tenant is billed directly to your account.

Available on: Growth and Enterprise plans.

Why use BYOK?

Cost control — inference costs hit your own OpenAI/Anthropic bill, not Liya's
Data residency — Azure OpenAI routes data to a region you control, satisfying GDPR or HIPAA BAA requirements
Rate limit headroom — use your own quota tier instead of sharing Liya's
Provider preference — choose Anthropic models if that suits your use case

Supported providers

Provider	Mode	Use case
OpenAI	`openai`	Standard GPT-4o / GPT-4o-mini
Anthropic	`anthropic`	Claude models
Azure OpenAI	`azure`	GDPR / HIPAA data residency, enterprise VNet

Configuring BYOK

BYOK is configured via PATCH /dashboard/account/config using the providerConfig field. Keys are AES-256-GCM encrypted before being stored and are decrypted only at request time — they are never returned in API responses.

OpenAI

PATCH https://api.liyaengine.ai/dashboard/account/config
Authorization: Bearer <dashboard_jwt>
Content-Type: application/json
 
{
  "providerConfig": {
    "mode": "byok",
    "openai_api_key": "sk-...",
    "openai_organization": "org-..."   // optional
  }
}

Anthropic

{
  "providerConfig": {
    "mode": "byok",
    "anthropic_api_key": "sk-ant-..."
  }
}

Azure OpenAI

{
  "providerConfig": {
    "mode": "byok",
    "azure_openai_endpoint": "https://your-resource.openai.azure.com/",
    "azure_openai_key": "...",
    "azure_openai_deployment_id": "gpt-4o",
    "azure_openai_region": "eastus"
  }
}

Azure OpenAI takes the highest routing priority when configured — all requests for your tenant will use it.

Provider routing priority

When mode is byok, the engine selects a provider in this order:

Azure OpenAI — if azure_openai_endpoint and key are set
Anthropic — if anthropic_api_key is set
OpenAI — if openai_api_key is set

Reverting to managed keys

PATCH /dashboard/account/config
 
{
  "providerConfig": {
    "mode": "liya_managed"
  }
}

Setting mode back to liya_managed removes BYOK routing. Existing encrypted keys are cleared from storage.

Security notes

Keys are encrypted with AES-256-GCM using a master key that never leaves Liya's infrastructure
Keys are never returned in any API response — not even masked
Key transmission uses TLS 1.3; keys are decrypted in memory at request time only
Audit log entries are created when BYOK config is updated (action: byok_config_updated)

Bring Your Own Key (BYOK)