# BYOK Using your own credentials with an **external AI provider** allows Infron to authenticate requests on your behalf `with no added markup`. This approach is useful for using credits provided by the AI provider or executing AI queries that access private cloud data. Infron supports both **Infron credits** and the **option to bring your own provider keys (BYOK)**. * **Using provider keys** enables direct control over rate limits and costs via your provider account. Your provider keys are securely encrypted and used for all requests routed through the specified provider. * If a query using your credentials fails, Infron will retry the query with its system credentials to improve service availability. When you use **Infron credits**, your rate limits for each provider are managed by Infron. Integrating credentials like this with AI Gateway is sometimes referred to as Bring-Your-Own-Key, or BYOK. {% hint style="info" %} **BYOK on Infron AI is free** Infron AI use your own provider keys and pay only the provider’s standard rates, with no extra platform fees. {% endhint %} ### Getting started {% stepper %} {% step %} ### Retrieve credentials from your AI provider First, **retrieve credentials (the ai provider api keys)** from your AI provider. Infron uses these credentials first to authenticate requests to that provider. If a query made with your credentials fails, Infron will re-attempt with **system credentials (your infron api key)**, aiming to provide improved availability. {% endstep %} {% step %} ### Add the credentials to your byok configuration * Go to the [Bring Your Own Key (BYOK) page](https://infron.ai/dashboard/byok) in your dashboard. In the Infron dashboard this feature is found in the **Integrations (BYOK)** section in the sidebar.

* Find your provider from the list and **click the add icon**. * In the dialog that appears, enter the credentials you retrieved from the provider.

* Ensure that the **Enabled toggle** is turned on so that the credentials are **active**. * Click **Test Connection** to validate and add your credentials. This will execute a small test query using a cheap and fast model from the selected provider to verify the health of your credentials. The test is designed to be minimal and cost-effective while ensuring your authentication is working properly.

{% endstep %} {% step %} #### Use the credentials in your real-world requests Once you add credentials, Infron automatically includes them in your requests. You can now use these credentials to authenticate your requests. {% tabs %} {% tab title="cURL" %} ```bash curl https://llm.onerouter.pro/v1/chat/completions \ -H "Content-Type: application/json" \ -H "Authorization: Bearer sk-oQd0Pprww6oBIgE68dJOVJ3bWcACLtLzB2Kb93masMvJ3OCV" \ -d '{ "model": "deepseek/deepseek-v3.2", "messages": [ { "role": "user", "content": "What is the meaning of life?" } ] }' ``` {% endtab %} {% endtabs %} {% endstep %} {% step %} ### Check the byok logs Go to the [logs page](https://infron.ai/dashboard/logs) in your dashboard.

{% endstep %} {% endstepper %} ### BYOK with Google Vertex PT Account If you've purchased a certain amount of PT GSU on Google Vertex and want to prioritize routing requests to your own Google PT account, you can configure it as follows:

Copy the JSON key string for the purchased PT GSU account.

For example, suppose you have purchased `1 GSU` specifically for `Gemini-3-flash` and have configured Google Vertex with BYOK. When you invoke Gemini-3-flash via the Infron gateway, Infron will prioritize routing your request to your dedicated Google Vertex PT account. However, if your request traffic exceeds the PT GSU capacity you have purchased, Google Vertex will route the excess requests to its public pool. At this point, errors—such as 429 or 500—may occur. When Infron detects such an error, it will automatically fall back to Infron's own resources pool for Gemini-3-flash, thereby ensuring the overall stability of your business operations. The routing order will be: ``` Routing Flow: ┌────────────────────────────┐ │ Google Vertex(PT) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Google Vertex (Infron’s shared capacity) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Google AI Studio (Infron’s Provider Routing Fallback) │ └────────────────────────────┘ ```

### BYOK with Provider Ordering When you combine BYOK keys with [provider ordering](https://infronai.gitbook.io/docs/inference-provider-routing#ordering-specific-providers-order), **Infron** **always prioritizes BYOK endpoints first**, regardless of where that provider appears in your specified order. After all BYOK endpoints are exhausted, Infron falls back to shared capacity in the order you specified. This means BYOK keys effectively override your provider ordering for the initial routing attempts. For example, if you have BYOK keys for Amazon Bedrock, Google Vertex AI, and Anthropic, and you send a request with: ```bash { "provider": { "allow_fallbacks": true, "order": ["amazon-bedrock", "google-vertex", "anthropic"] } } ``` The routing order will be: ``` Routing Flow: ┌────────────────────────────┐ │ Amazon Bedrock (BYOK) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Google Vertex AI (BYOK) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Anthropic (BYOK) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Amazon Bedrock (Infron’s shared capacity) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Google Vertex AI (Infron’s shared capacity) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Anthropic (Infron’s shared capacity) │ └────────────────────────────┘ ``` ### **Partial BYOK with Provider Ordering** If you only have a BYOK key for some of the providers in your order, the BYOK provider is still tried first. For example, if you specify ```json { "provider": { "allow_fallbacks": true, "order": ["amazon-bedrock", "google-vertex"] } } ``` but only have a BYOK key for Google Vertex AI. The routing order will be: ``` Routing Flow: ┌──────────────▼─────────────┐ │ Google Vertex AI (BYOK) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Amazon Bedrock (Infron’s shared capacity) │ └──────────────┬─────────────┘ │ ┌──────────────▼─────────────┐ │ Google Vertex AI (Infron’s shared capacity) │ └───────────────────────────┘ ``` Note that even though Amazon Bedrock is listed first in the `order` array, the Google Vertex AI BYOK endpoint takes priority. ### AWS Bedrock API Keys To use Amazon Bedrock with Infron, you can authenticate using either **Bedrock API** **keys** or **traditional AWS credentials**. #### **Option 1: Bedrock API Keys (Recommended)** Amazon Bedrock API keys provide a simpler authentication method. Simply provide your Bedrock API key as a string: ``` your-bedrock-api-key-here ``` **Note:** Bedrock API keys are tied to a specific AWS region and cannot be used to change regions. If you need to use models in different regions, use the AWS credentials option below. You can generate Bedrock API keys in the AWS Management Console. Learn more in the [Amazon Bedrock API keys documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html). #### **Option 2: AWS Credentials** Alternatively, you can use traditional **AWS credentials** in JSON format. This option allows you to specify the region and provides more flexibility: ```json { "accessKeyId": "your-aws-access-key-id", "secretAccessKey": "your-aws-secret-access-key", "region": "your-aws-region" } ``` You can find these values in your AWS account: 1. **accessKeyId**: This is your AWS Access Key ID. You can create or find your access keys in the AWS Management Console under “Security Credentials” in your AWS account. 2. **secretAccessKey**: This is your AWS Secret Access Key, which is provided when you create an access key. 3. **region**: The AWS region where your Amazon Bedrock models are deployed (e.g., “us-east-1”, “us-west-2”). Make sure your AWS IAM user or role has the necessary permissions to access Amazon Bedrock services. At minimum, you’ll need permissions for: * `bedrock:InvokeModel` * `bedrock:InvokeModelWithResponseStream` (for streaming responses) Example IAM policy: ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" } ] } ``` For enhanced security, we recommend creating dedicated IAM users with limited permissions specifically for use with Infron. Learn more in the [AWS Bedrock Getting Started with the API](https://docs.aws.amazon.com/bedrock/latest/userguide/getting-started-api.html) documentation, [IAM Permissions Setup](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam.html) guide, or the [AWS Bedrock API Reference](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html). ### Google Vertex API Keys To use Google Vertex AI with Infron, you’ll need to provide your **Google Cloud service account key** in JSON format. The service account key should include all standard Google Cloud service account fields, with an optional `region` field for specifying the deployment region. ```json { "type": "service_account", "project_id": "your-project-id", "private_key_id": "your-private-key-id", "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", "client_email": "your-service-account@your-project.iam.gserviceaccount.com", "client_id": "your-client-id", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-service-account@your-project.iam.gserviceaccount.com", "universe_domain": "googleapis.com", "region": "global" } ``` You can find these values in your Google Cloud Console: 1. **Service Account Key**: Navigate to the Google Cloud Console, go to “IAM & Admin” > “Service Accounts”, select your service account, and create/download a JSON key. 2. **region** (optional): Specify the region for your Vertex AI deployment. Use `"global"` to allow requests to run in any available region, or specify a specific region like `"us-central1"` or `"europe-west1"`. Make sure your service account has the necessary permissions to access Vertex AI services: * `aiplatform.endpoints.predict` * `aiplatform.endpoints.streamingPredict` (for streaming responses) Example IAM policy: ```json { "bindings": [ { "role": "roles/aiplatform.user", "members": [ "serviceAccount:your-service-account@your-project.iam.gserviceaccount.com" ] } ] } ``` Learn more in the [Google Cloud Vertex AI documentation](https://cloud.google.com/vertex-ai/docs/start/introduction-unified-platform) and [Service Account setup guide](https://cloud.google.com/iam/docs/service-accounts-create).