feat: add support for custom user api keys

[akhileshrangani4]

API Keys Setup Guide

This document explains how to configure custom API keys for AI providers in the application.

Overview

Users can configure their own API keys for the following AI providers:

• Anthropic (Claude) - Claude models
• OpenAI - GPT models
• OpenRouter - Access to multiple AI models through a single API
• AWS Bedrock - AWS managed AI models

System Requirements

Encryption Key

An encryption key is required for storing user API keys securely. Generate one with:

openssl rand -base64 32

Add it to your .env file:

ENCRYPTION_KEY=<your-generated-key>

Database Migration

Run the database migration to add the apiKeys column:

cd db
npx drizzle-kit push

Or if using migrations:

cd db
npx drizzle-kit migrate

Environment Variables

Required

ENCRYPTION_KEY=<32-byte base64 encoded key>

Optional System Keys

These are used as fallback when users don't provide their own keys:

# System AI Provider Keys (Optional)
ANTHROPIC_API_KEY=
OPENAI_API_KEY=
OPENROUTER_API_KEY=

# AWS Bedrock (Optional)
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=us-east-1
AWS_BEDROCK_MODEL_ID=

How It Works

For Users

1. Navigate to Settings from the user menu
2. Go to the API Keys tab
3. Add API keys for any supported provider
4. Optionally specify a custom model ID for each provider
5. Keys are automatically encrypted before storage
6. When making AI requests, custom keys are used if available; otherwise system keys are used

For Developers

Key Storage

• API keys are stored encrypted in the user.apiKeys JSON column
• Encryption uses AES-256-GCM with a master key from ENCRYPTION_KEY
• Keys are only decrypted server-side when making AI requests

Provider Selection

The system automatically selects a provider based on this priority:

1. OpenRouter (if configured)
2. Anthropic (if configured)
3. OpenAI (if configured)
4. AWS Bedrock (if configured)
5. System environment variables (fallback)

API Endpoints

• GET /api/user/api-keys - Check which providers are configured
• PUT /api/user/api-keys - Add/update API keys
• DELETE /api/user/api-keys/:provider - Remove provider keys

Security Considerations

1. ✅ API keys are encrypted at rest using AES-256-GCM
2. ✅ Keys are only decrypted in server-side code
3. ✅ Client never receives actual API keys
4. ✅ Encryption key must be kept secure and not committed to git
5. ✅ Keys are validated before storage
6. ⚠️ Ensure ENCRYPTION_KEY is backed up securely
7. ⚠️ Rotating ENCRYPTION_KEY requires re-encrypting all stored keys

Getting API Keys

Anthropic

• Dashboard: https://console.anthropic.com/settings/keys
• Docs: https://docs.anthropic.com/

OpenAI

• Dashboard: https://platform.openai.com/api-keys
• Docs: https://platform.openai.com/docs

OpenRouter

• Dashboard: https://openrouter.ai/keys
• Docs: https://openrouter.ai/docs

AWS Bedrock

• Console: https://console.aws.amazon.com/bedrock/
• Docs: https://docs.aws.amazon.com/bedrock/

Troubleshooting

"ENCRYPTION_KEY environment variable is not set"

Make sure ENCRYPTION_KEY is set in your .env file. Generate one with:

openssl rand -base64 32

"Failed to decrypt key"

This can happen if:

• The encryption key has changed
• The stored key is corrupted
• Delete the API key and re-add it

API Key Not Working

1. Verify the key is correctly copied from the provider dashboard
2. Check the key has the necessary permissions
3. Ensure your account has sufficient credits/quota
4. Check provider status pages for outages

Development

Building the Packages

After making changes, rebuild the packages:

# Build lib package (contains encryption utilities)
cd lib && npm run build

# Build AI package (contains provider logic)
cd ai && npm run build

Testing API Keys

Test adding a key via the UI or API:

curl -X PUT http://localhost:4000/api/user/api-keys \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <your-token>" \
  -d '{"provider": "openai", "apiKey": "sk-..."}'

Check configured keys:

curl http://localhost:4000/api/user/api-keys \
  -H "Authorization: Bearer <your-token>"

Model Selection

Each provider now supports custom model selection. When configuring your API keys in the Settings UI, you'll see a "Model ID (Optional)" field where you can specify which model to use.

Default Models (if not specified)

• Anthropic: claude-sonnet-4-20250514
• OpenAI: gpt-4o
• OpenRouter: anthropic/claude-sonnet-4-20250514
• AWS Bedrock: anthropic.claude-3-sonnet-20240229-v1:0

Example Model IDs

OpenRouter:

• anthropic/claude-sonnet-4-20250514
• openai/gpt-4
• google/gemini-pro
• meta-llama/llama-2-70b-chat
• See full list: https://openrouter.ai/models

Anthropic:

• claude-sonnet-4-20250514
• claude-opus-4-20250514
• claude-3-5-sonnet-20241022

OpenAI:

• gpt-4o
• gpt-4-turbo
• gpt-3.5-turbo

AWS Bedrock:

• anthropic.claude-3-sonnet-20240229-v1:0
• anthropic.claude-3-opus-20240229-v1:0
• anthropic.claude-3-haiku-20240307-v1:0

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
sandbox	Error			Oct 16, 2025 7:13pm

[jamesmurdza]

@akhileshrangani4 Don't forget to add the environment variable instructions above to the README.

[jamesmurdza]

@akhileshrangani4 Can you make it so that if there is no encryption key, this feature is disabled? That way it doesn't stop users who just want to get started locally.