byokey 0.1.0

Bring Your Own Keys — AI subscription-to-API proxy gateway
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214

# byok — Bring Your Own Keys

A local proxy that turns AI **subscriptions** into **OpenAI-compatible API endpoints**,
so any OpenAI-compatible tool (Amp, Cursor, Continue, etc.) can use them without a paid API key.

```
Claude Pro  ─┐
OpenAI Plus ─┤  byok serve  ─►  http://localhost:8018/v1/chat/completions
Copilot     ─┘                  (OpenAI-compatible, streaming)
```

## Features

- **OpenAI-compatible API** — drop-in replacement, just change the base URL
- **OAuth login flows** — PKCE, device code, and auth-code flows handled for you
- **SQLite token store** — tokens survive restarts; stored in `~/.byok/tokens.db`
- **API key passthrough** — prefer raw API keys? Set them in the config file
- **Amp CLI compatibility**`/amp/*` routes for [Amp](https://ampcode.com) out of the box
- **YAML config** — hot-reload friendly, all options have sensible defaults

## Supported Providers

| Provider | Login flow | Models |
|---|---|---|
| **Claude** (Anthropic) | PKCE browser | claude-opus-4-6, claude-sonnet-4-5, … |
| **Codex** (OpenAI) | PKCE browser | o4-mini, o3, gpt-4o, gpt-4o-mini |
| **Copilot** (GitHub) | Device code | gpt-4o, claude-3.5-sonnet, o3-mini |
| **Gemini** (Google) | PKCE browser | gemini-2.0-flash, gemini-1.5-pro, … |
| **Kiro** (AWS) | Device code | kiro-default |
| **Antigravity** (Google) | PKCE browser |*(auth ready, executor WIP)* |
| **Qwen** (Alibaba) | Device code + PKCE |*(auth ready, executor WIP)* |
| **Kimi** (Moonshot) | Device code |*(auth ready, executor WIP)* |
| **iFlow** (Z.ai / GLM) | Auth code |*(auth ready, executor WIP)* |

## Installation

### From crates.io

```sh
cargo install byok
```

### From source

```sh
git clone https://github.com/AprilNEA/BYOKEY
cd BYOK
cargo install --path .
```

**Requirements:** Rust 1.85+ (edition 2024), a C compiler for SQLite.

## Quick Start

```sh
# 1. Authenticate (opens browser or shows a device code)
byok login claude
byok login codex
byok login copilot

# 2. Start the proxy
byok serve

# 3. Point your tool at it
export OPENAI_BASE_URL=http://localhost:8018/v1
export OPENAI_API_KEY=any          # byok ignores the key value
```

For Amp:

```jsonc
// ~/.amp/settings.json  (or wherever Amp reads config)
{
  "amp.url": "http://localhost:8018/amp"
}
```

## CLI Reference

```
byok <COMMAND>

Commands:
  serve    Start the proxy server
  login    Authenticate with a provider
  logout   Remove stored credentials for a provider
  status   Show authentication status for all providers
  help     Print help
```

### `byok serve`

```
Options:
  -c, --config <FILE>   YAML config file [default: none]
  -p, --port <PORT>     Listen port     [default: 8018]
      --host <HOST>     Listen address  [default: 127.0.0.1]
      --db <PATH>       SQLite DB path  [default: ~/.byok/tokens.db]
```

### `byok login <PROVIDER>`

Runs the appropriate OAuth flow for the given provider.
Supported names: `claude`, `codex`, `copilot`, `gemini`, `kiro`,
`antigravity`, `qwen`, `kimi`, `iflow`.

```
Options:
      --db <PATH>   SQLite DB path [default: ~/.byok/tokens.db]
```

### `byok logout <PROVIDER>`

Deletes the stored token for the given provider.

### `byok status`

Prints authentication status for every known provider.

## Configuration

Create a YAML file (e.g. `~/.byok/config.yaml`) and pass it with `--config`:

```yaml
# ~/.byok/config.yaml
port: 8018
host: 127.0.0.1

providers:
  # Use a raw API key (takes precedence over OAuth)
  claude:
    api_key: "sk-ant-..."

  # Disable a provider entirely
  gemini:
    enabled: false

  # OAuth-only (no api_key) — use `byok login codex` first
  codex:
    enabled: true
```

All fields are optional; unspecified providers are enabled by default and use
the OAuth token stored in the database.

## API Endpoints

| Method | Path | Description |
|---|---|---|
| `POST` | `/v1/chat/completions` | OpenAI-compatible chat (streaming supported) |
| `GET` | `/v1/models` | List enabled models |
| `GET` | `/amp/v1/login` | Amp login redirect |
| `ANY` | `/amp/v0/management/{*path}` | Amp management API proxy |
| `POST` | `/amp/v1/chat/completions` | Amp-compatible chat |

The `model` field in the request body determines which provider is used.

## How It Works

```
Client request
byok-proxy  (axum HTTP server)
    │  resolve model → provider
byok-provider  (executor per provider)
    │  get OAuth token (or api_key)
byok-auth  (AuthManager + OAuth flows)
Upstream API  (Anthropic / OpenAI / Google / …)
    │  translate response → OpenAI format
Client response  (JSON or SSE stream)
```

### Workspace Crates

| Crate | Description |
|---|---|
| `byok-types` | Shared types, traits, errors |
| `byok-config` | YAML configuration + file watching |
| `byok-store` | SQLite (and in-memory) token persistence |
| `byok-auth` | OAuth 2.0 login flows for every provider |
| `byok-translate` | Request/response format translation |
| `byok-provider` | Provider executors and model registry |
| `byok-proxy` | axum HTTP server and routing |

## Building & Testing

```sh
# Build everything
cargo build --workspace

# Run all tests (173 tests, no network required)
cargo test --workspace

# Lint
cargo clippy --workspace --all-targets -- -D warnings

# Format
cargo fmt --all
```

## License

Licensed under either of:

- [MIT License](LICENSE-MIT)
- [Apache License, Version 2.0](LICENSE-APACHE)

at your option.