Managed mode routes traffic through Rigbox’s OpenRouter gateway and meters it against your credit balance. BYOK skips OpenRouter entirely and connects your workspace directly to the provider you specify, using the key you supply.
When to Use BYOK
BYOK is the right choice when:- You already have API keys from Anthropic, OpenAI, Google, or another provider
- You need unlimited usage beyond the managed credit tiers
- You need a specific model not available in managed mode
- Your organization requires that API keys stay under your own provider account for billing, audit, or compliance reasons
Set BYOK Mode
BYOK is two steps: flip the workspace’s AI mode tobyok, then set your provider key as a workspace environment variable using the standard name your SDK expects (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, …).
Environment changes apply on the next workspace start. Restart the workspace (
rig workspace stop then rig workspace start) if it is already running.How Keys Are Stored and Injected
When you set a BYOK key:- Stored with the workspace - the value is saved as one of the workspace’s environment variables
- Masked by default -
rig workspace env getshows secret-shaped values (like*_API_KEY) as<masked>; pass--revealto print the real value - Injected at runtime - the key is exported into the workspace environment, so SDKs pick it up with no extra setup
- Scoped to the workspace - each workspace has its own environment; changing one does not affect others
OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY).
Clear a Key
To remove a provider key from a workspace, unset the environment variable:Switch Back to Managed Mode
You can switch from BYOK to managed mode at any time. This starts routing through Rigbox-managed credits again:Mode changes take effect on the next AI API call. A new provider key requires a workspace restart to be injected.
Set Defaults for New Workspaces
If you use BYOK across most of your workspaces, set an account default so new workspaces start in BYOK mode with your preferred provider and model:rig workspace env set), so it is never stored account-wide. See the AI Defaults API reference for the full schema.
Managed vs. BYOK Comparison
Provider-Specific Examples
Anthropic (Claude)
OpenAI (GPT)
Google (Gemini)
Security Best Practices
- Rotate keys regularly - update the key with
rig workspace env set, then restart the workspace - Use scoped keys - if your provider supports project-scoped or restricted keys, prefer those over organization-wide keys
- Audit usage - monitor your provider dashboard for unexpected usage patterns
- One key per workspace - avoid sharing the same key across many workspaces; this makes it easier to revoke access to a single workspace
Next Steps
- Managed AI Proxy - use Rigbox-provided credits instead
- Setup Scripts - automate SDK installation in every workspace
- Service Specs - run AI-powered backend services automatically