byokey 0.4.0

Bring Your Own Keys — AI subscription-to-API proxy gateway
byokey-0.4.0 is not a library.

BYOKEY

Bring Your Own Keys Turn AI subscriptions into standard API endpoints. Expose any provider as OpenAI- or Anthropic-compatible API — locally or in the cloud.

ci   crates.io   license   rust

Subscriptions                                     Tools

Claude Pro  ─┐                              ┌──  Amp Code
OpenAI Plus ─┼──  byokey serve  ────────────┼──  Cursor · Windsurf
Copilot     ─┘                              ├──  Factory CLI (Droid)
                                            └──  any OpenAI / Anthropic client

Features

  • Multi-format API — OpenAI and Anthropic compatible endpoints; just change the base URL
  • OAuth login flows — PKCE, device-code, and auth-code flows handled automatically
  • Token persistence — SQLite at ~/.byokey/tokens.db; survives restarts
  • API key passthrough — Set raw keys in config to skip OAuth entirely
  • Deploy anywhere — Run locally as a CLI, or deploy as a shared AI gateway
  • Agent-ready — Native support for Amp Code; Factory CLI (Droid) coming soon
  • Hot-reload config — YAML-based with sensible defaults

Supported Providers

Coming soon — auth implemented, executor in progress: Antigravity (Google) · Qwen (Alibaba) · Kimi (Moonshot) · iFlow (Z.ai)

Installation

From crates.io

cargo install byokey

From source

git clone https://github.com/AprilNEA/BYOKEY
cd BYOK
cargo install --path .

Requirements: Rust 1.85+ (edition 2024), a C compiler for SQLite.

Quick Start

# 1. Authenticate (opens browser or shows a device code)
byokey login claude
byokey login codex
byokey login copilot

# 2. Start the proxy
byokey serve

# 3. Point your tool at it
export OPENAI_BASE_URL=http://localhost:8018/v1
export OPENAI_API_KEY=any          # byokey ignores the key value

For Amp:

// ~/.amp/settings.json
{
  "amp.url": "http://localhost:8018/amp"
}

CLI Reference

byokey <COMMAND>

Commands:
  serve    Start the proxy server
  login    Authenticate with a provider
  logout   Remove stored credentials for a provider
  status   Show authentication status for all providers
  help     Print help

byokey serve

Options:
  -c, --config <FILE>   YAML config file [default: none]
  -p, --port <PORT>     Listen port     [default: 8018]
      --host <HOST>     Listen address  [default: 127.0.0.1]
      --db <PATH>       SQLite DB path  [default: ~/.byokey/tokens.db]

byokey login <PROVIDER>

Runs the appropriate OAuth flow for the given provider. Supported names: claude, codex, copilot, gemini, kiro, antigravity, qwen, kimi, iflow.

Options:
      --db <PATH>   SQLite DB path [default: ~/.byokey/tokens.db]

byokey logout <PROVIDER> — Deletes the stored token for the given provider.

byokey status — Prints authentication status for every known provider.

Configuration

Create a YAML file (e.g. ~/.byokey/config.yaml) and pass it with --config:

port: 8018
host: 127.0.0.1

providers:
  # Use a raw API key (takes precedence over OAuth)
  claude:
    api_key: "sk-ant-..."

  # Disable a provider entirely
  gemini:
    enabled: false

  # OAuth-only (no api_key) — use `byokey login codex` first
  codex:
    enabled: true

All fields are optional; unspecified providers are enabled by default and use the OAuth token stored in the database.

Contributing

See CONTRIBUTING.md for build commands, architecture details, and coding guidelines.

License

Licensed under either of MIT or Apache-2.0 at your option.