Public API
BYOK providers
Bring Your Own Key. Five providers are supported across the Compiler, the MCP server and the Lab. Keys live in tool arguments only — they are never stored in the database and never written to logs.
Who needs BYOK
The default MCP compile tool (ckf.compile) is heuristic and always works — no key, no auth. BYOK is only needed when you want the LLM quality upgrade via ckf.compile_llm (or the Compiler / Lab UI), which produces richer inference and reduces composition hallucination. See the side-by-side comparison at /compiler-heuristic-vs-llm.
- Anyone — heuristic
ckf.compilerequires no key. - Admins + compiler allowlist — run LLM compile on the hosted Lovable AI Gateway (Advanced AI) for free. No BYOK needed.
- Everyone else who wants LLM compile — must supply a BYOK key in the Compiler, the Lab and MCP
ckf.compile_llm.
Admins can grant gateway access by adding a user to compiler_allowlist via /admin.
Supported providers
| ID | Provider | Endpoint | Auth | Example models |
|---|---|---|---|---|
| openai | OpenAI | https://api.openai.com/v1/chat/completions | Authorization: Bearer | gpt-5, gpt-5-mini |
| deepseek | DeepSeek | https://api.deepseek.com/v1/chat/completions | Authorization: Bearer | deepseek-chat, deepseek-reasoner |
| openrouter | OpenRouter | https://openrouter.ai/api/v1/chat/completions | Authorization: Bearer | any model exposed by OpenRouter |
| anthropic | Anthropic | https://api.anthropic.com/v1/messages | x-api-key + anthropic-version | claude-sonnet-4, claude-opus-4 |
| gemini | Gemini (Google AI Studio) | https://generativelanguage.googleapis.com/v1beta/models/:model:generateContent | ?key=… | gemini-2.5-pro, gemini-3-flash-preview |
Implementation: src/lib/lab/byokGateway.server.ts. OpenAI / DeepSeek / OpenRouter share the OpenAI chat-completions shape; Anthropic and Gemini have native bindings.
Call shape — MCP ckf.compile_llm
{
"jsonrpc": "2.0", "id": 1, "method": "tools/call",
"params": {
"name": "ckf.compile_llm",
"arguments": {
"text": "...source text up to 60k chars...",
"provider": "anthropic",
"model": "claude-sonnet-4-20250514",
"byok_key": "sk-ant-...",
"language": "en",
"format": "json"
}
}
}Security guarantees
Keys are ephemeral
compiler_jobs, lab_* tables or logs. Server logs only record provider/model/duration.- All five endpoint URLs are hardcoded per provider — no SSRF vector via user-supplied URL.
- Errors are normalized:
401/403→ "Provider rejected the API key",402→ "credits exhausted",429→ "rate limit". - Anthropic and Gemini tool schemas are stripped of
additionalPropertiesand$schemabefore forwarding (provider compatibility).
Where to get a key
- OpenAI — platform.openai.com/api-keys
- Anthropic — console.anthropic.com
- Google AI Studio (Gemini) — aistudio.google.com/apikey
- DeepSeek — platform.deepseek.com
- OpenRouter — openrouter.ai/keys