Skip to main content
AgentFlow agents call third-party AI providers under the hood — Anthropic for Claude, OpenAI for GPT-4o and DALL-E, ElevenLabs for voice, Stability for images, Perplexity for research, and so on. By default they use platform-hosted credits priced in $FLOW. Bring Your Own Key (BYOK) lets you stash your own API keys in the cabinet and have agents use those instead. You pay the upstream provider directly at their wholesale price; AgentFlow only meters orchestration time, not tokens.

What’s it for?

  • Skip the FLOW mark-up if you already have a paid Anthropic / OpenAI account.
  • Use providers we don’t host (Runway, Pika, Cartesia, Brave Search, …).
  • Test a new model the day it ships, not when we add it to the platform catalog.

How keys are protected

  • Plaintext keys are sealed with AES-256-GCM before they hit the database. The master key lives in AGENTS_MASTER_KEY (rotated separately from JWT secrets).
  • The cabinet only ever sees the masked prefix (first 8 chars + ***).
  • Revoking a key is a soft delete — the row stays for audit but the agent runtime stops handing it out.

Add a key (3-step wizard)

1

Pick a category

/account/keys shows five tiles, one per AI capability:
CategoryExamples
LLMAnthropic, OpenAI, OpenRouter, Groq
ImageDALL·E, Stability, Fal, Replicate
VideoRunway, Luma, Pika, Fal Video
AudioElevenLabs, OpenAI TTS, Cartesia
ResearchPerplexity, Tavily, Serper, Brave, Exa
There is no separate “OAuth” category — OAuth, where supported, is just another auth method on a specific provider (see Anthropic below).
2

Pick a provider

Each tile expands into provider cards. Pick the one whose dashboard you already have a key in.Most providers accept only a pasted API key. Anthropic advertises an OAuth path for Claude Pro / Max users, but Anthropic has not yet published a public OAuth flow — clicking Continue with Claude OAuth surfaces a oauth_not_available notice (“OAuth Max — coming soon”). Use an API key from the Anthropic Console for now.
3

Paste the key, name it, save

Optional label lets you tag a key (e.g. prod, personal, client-x). The cabinet shows the label everywhere — useful when you’re juggling several keys per provider.The wizard hits the provider’s testUrl with Authorization: Bearer <key> (or x-api-key for Anthropic) and shows a green pill if it returned 2xx. Catalog entries without a cheap test endpoint (Pika, Cartesia) skip this step.

Rotation

You can stash multiple keys per provider. The runtime picks the one with the lowest rotation_priority for every tool call. Use the up/down arrows in the row to reorder:
  • Priority 0 = most preferred (default for new keys)
  • Higher = fallback
If the preferred key fails, the runtime currently retries with the platform default — full multi-key fallback ships in a later release. For now, keeping a single high-priority key per provider is the cleanest setup.

Coming soon — rentability

The Rentable column is a placeholder for an upcoming marketplace flow. Idea: stake your unused Anthropic quota at $X per million tokens, the platform routes other users’ calls through your key, you earn FLOW, AgentFlow takes a slice. The toggle is disabled today; the schema’s already there so we can ship without a migration.

API examples

# List active keys
curl -s "$BASE/me/provider-keys" \
  -H "Authorization: Bearer $JWT"

# Add an Anthropic key
curl -s "$BASE/me/provider-keys" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $JWT" \
  -d '{"category":"llm","provider":"anthropic","auth_type":"api_key","label":"main","value":"sk-ant-…"}'

# Test a key
curl -s -X POST "$BASE/me/provider-keys/42/test" \
  -H "Authorization: Bearer $JWT"

# Revoke
curl -s -X DELETE "$BASE/me/provider-keys/42" \
  -H "Authorization: Bearer $JWT"

Troubleshooting

  • Test returned 401 — the key is wrong or expired. Re-paste from the provider dashboard.
  • /oauth/anthropic/start returns 501 oauth_not_available — expected. Anthropic does not currently expose a public OAuth flow; the Pro/Max OAuth route is reserved for Anthropic’s own first-party clients (e.g. Claude Code). Use an API key from platform.claude.com instead.
  • Agent still uses platform Anthropic — your key category must match the agent’s needs. An agent that picks @elizaos/plugin-openai won’t use your Anthropic key. Either add an OpenAI key or swap the plugin in agent settings.