Adding your Anthropic or OpenAI key

IsoKron runs on a Bring-Your-Own-Key model: you provide your own frontier vendor API key, and we use your key to run the customer-side stages of compilation. Your vendor account is billed directly. We do not mark up frontier vendor usage and we do not use a shared pool.

Why BYOK?

• Cost transparency. Your vendor invoice is the source of truth for what your compilations cost. There is no opaque markup on our side.
• Quota and rate limits stay yours. Your vendor's rate limits apply to your workspace; another customer's usage cannot affect yours.
• Trust boundary. Operator-paid features (the Layer 4 critic that runs immediately before commit) use our credentials, not yours, by design. Customer-side stages use your credentials, by design. The two paths share no code.

Step 1 — get a key from your vendor

• Anthropic. Console → API keys → Create key. The key starts sk-ant-.
• OpenAI. Platform → API keys → Create new secret key. The key starts sk-.

Save the full key in your own password manager now. We display only the last 4 characters after save; we never display the full key again.

Step 2 — add the key to IsoKron

1. Open Settings → Keys in your workspace.
2. Click Add key and choose your vendor.
3. Paste the key. We send a single one-token completion call to the vendor to confirm the key is valid; on success the key is encrypted at rest and stored in our vault.

On success the key is shown as …<last 4 characters> · Active.

How we handle your key (the short version)

• Stored encrypted at rest in Supabase Vault, scoped per workspace.
• Decrypted into per-request memory only, and the in-memory buffer is zeroed using sodium-native zeroization on release.
• Logger middleware redacts vendor key prefixes (sk-ant-…, sk-…) anywhere they might otherwise appear in error messages or traces.
• Revoked from the vault immediately if the workspace is paused, cancelled, or deleted (you can re-add when the workspace is restored).

See the Privacy Policy for the full description.

Validation troubleshooting

• The key is rejected as invalid even though it works in your console. Confirm there are no leading or trailing spaces or line breaks (a common copy-paste artifact).
• The key is rejected with a vendor 401. The vendor may have rotated the key or revoked the parent credential; generate a fresh one.
• Multiple workspaces fail to validate at the same time. Likely a platform-side issue rather than your key; check our status page or email support.

Next steps

• Connect your fleet if you have not already.
• When the time comes, rotate your key using the add-then-remove flow that avoids any window where we have no key on file.

Paired with the SR-BYOK-001 customer-support flow.