Update a BYOK provider credential
Update an existing bring-your-own-key (BYOK) provider credential by its id. Include the key field to rotate the raw provider API key in-place (the previous key material is overwritten). Management key required.
Authorizations
API key as bearer token in Authorization header
Path Parameters
The BYOK credential ID (UUID).
"11111111-2222-3333-4444-555555555555"
Body
Optional allowlist of model slugs this credential may be used for. null means no restriction.
100null
Optional allowlist of user IDs that may use this credential. null means no restriction.
100null
Whether this credential is disabled.
false
Whether this credential is treated as a fallback — used only after non-fallback keys for the same provider have been tried.
false
A new raw provider API key to rotate the credential in-place. The previous key material is overwritten and the masked label is regenerated. Encrypted at rest and never returned in API responses.
1"sk-proj-newkey456..."
Optional human-readable name for the credential.
255"Updated OpenAI Key"
Response
BYOK credential updated successfully
The updated BYOK credential.
{
"allowed_api_key_hashes": null,
"allowed_models": null,
"allowed_user_ids": null,
"created_at": "2025-08-24T10:30:00Z",
"disabled": false,
"id": "11111111-2222-3333-4444-555555555555",
"is_fallback": false,
"label": "sk-...AbCd",
"name": "Production OpenAI Key",
"provider": "openai",
"sort_order": 0,
"workspace_id": "550e8400-e29b-41d4-a716-446655440000"
}