BYOK: Bring Your Own Key for AI Agents
Nembl lets each company use its own Large Language Model (LLM) API keys for AI agents — so your agents' inference spend lands on your provider bill (Anthropic, OpenAI) and stays under your control, quotas, and compliance boundary. This pattern is called Bring Your Own Key (BYOK).
This applies to AI agents only. The in-app Nembl chatbot continues to use a DevOpspolis-managed key at no charge to you.
Why BYOK
- Cost control — agent inference is metered on your own Anthropic or OpenAI account, with your own quotas, alerts, and negotiated rates.
- Compliance — provider telemetry stays in your provider contract. No LLM data flows through DevOpspolis.
- Model choice — use whatever provider and model you've standardized on, including custom/fine-tuned endpoints.
- Kill switch — rotating your API key instantly disables all agents that reference it.
Supported Providers and Models
Agent configuration has a Provider dropdown and a Model dropdown:
| Provider | Curated models in dropdown |
|---|---|
| Anthropic | Current Claude Opus, Sonnet, and Haiku family |
| OpenAI | Current GPT-5 and GPT-4.1 family |
Models not in the dropdown can still be used — type the model ID and it will be saved with a (custom) marker.
Setup in 4 Steps
1. Create a vault with your API key
Admin → Vaults → Create Vault
- Name / slug — something descriptive like anthropic-prod or openai-qa
- Value — paste your API key (starts with sk-ant-… for Anthropic, sk-… for OpenAI)
- Expires at (optional) — set a rotation reminder date; the dropdown shows a warning near expiry
- Tags (optional) — e.g. provider:anthropic, environment:prod — policies can gate which roles see which keys
Vaults are encrypted at rest, scoped to your company. The stored value is only viewable by users with secret:reveal permission via the Reveal button on the vault detail page; everyone else sees metadata only.
2. Create or edit an agent
Admin → Agents → New Agent (or open an existing agent)
All three agent types support BYOK:
- Queue Intake agent — decides accept / reject / prioritize on an inbox
- Service Assist agent — helps fill in a request form
- Workflow Phase agent — drives a workflow phase
3. Select provider, model, and vault
In the agent's LLM Configuration section:
- Provider — Anthropic or OpenAI
- Model — pick from the curated list, or type a custom model ID
- Vault — pick one of your company's vaults from the dropdown. Use the + Create Vault link next to the dropdown to open a new-vault tab without losing your work; click the refresh icon when you return to reload the list.
The agent's effective principal needs secret:reveal permission on the bound vault (so it can decrypt the value at runtime). UI binding only requires secret:read (metadata access).
4. Save — validation fires automatically
When you save, Nembl calls the provider's /v1/models endpoint with your key to verify it:
- 200 OK → save proceeds
- 401 / 403 → save blocked with "API key was rejected — check the value and try again"
- 429 rate-limited → save proceeds anyway (can't distinguish a valid-but-throttled key from an invalid one quickly)
- Network / unreachable → save blocked with "Could not reach provider"
If validation passes, the agent is ready to run.
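The save-time check above, sketched as an added example (not Nembl's code). It assumes the public Anthropic and OpenAI base URLs and their standard auth headers; the function names, the key_verified flag and the reason strings are hypothetical, and blocking on any other status is an assumption the page does not cover.

```python
import urllib.error
import urllib.request

# Public model-listing endpoints and the auth headers each provider expects.
PROVIDERS = {
    "anthropic": ("https://api.anthropic.com/v1/models",
                  lambda k: {"x-api-key": k, "anthropic-version": "2023-06-01"}),
    "openai": ("https://api.openai.com/v1/models",
               lambda k: {"Authorization": f"Bearer {k}"}),
}


def http_status(url, headers, timeout=10):
    """Return the HTTP status of a GET, or None if the provider is unreachable."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        return err.code
    except OSError:                        # DNS failure, refused, timeout
        return None


def validate_on_save(provider, api_key, fetch=http_status):
    """Return (save_allowed, key_verified, reason) per the rules listed above."""
    url, make_headers = PROVIDERS[provider]
    status = fetch(url, make_headers(api_key))
    if status is None:
        return False, False, "unreachable"
    if status == 200:
        return True, True, "ok"
    if status in (401, 403):
        return False, False, "rejected"
    if status == 429:
        # Fail-open: the save goes through although the key was never verified.
        return True, False, "rate_limited"
    # Any other status is not covered by the page; blocking is an assumption.
    return False, False, "unexpected_status"
```

The 429 branch is the one to watch: the key is stored unverified, so an invalid key first surfaces at runtime as API_KEY_UNAUTHORIZED.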
Runtime Behavior
When an agent executes:
- Nembl resolves the vault (5-minute in-memory cache, invalidated on vault update)
- The call goes directly to the provider (Anthropic or OpenAI) using your key
- Success → response is processed and the agent continues
- Failure → the execution is logged with a structured error code and company admins are notified so you can respond before users notice
Error Codes
Agent executions log to Admin → Agents → Activity with a status badge and, on error, an error code:
| Code | Meaning | What to do |
|---|---|---|
| API_KEY_NOT_FOUND | The referenced vault is missing or empty | Recreate the vault or pick a different one in the agent config |
| API_KEY_UNAUTHORIZED | 401 from the provider — key is invalid or revoked | Rotate the key with the provider and update the Nembl vault |
| API_KEY_FORBIDDEN | 403 from the provider — key lacks permission for this model or endpoint | Check your provider account's allowed models / regions |
| API_KEY_RATE_LIMITED | 429 from the provider | Back off, or increase your provider quota |
| PROVIDER_ERROR | Provider returned a non-2xx not covered above | Check the provider's status page; if persistent, open a support ticket |
Every error writes an audit row with status, errorCode, model, and provider fields — filter the Agent Activity table on status to triage quickly.
Rotating a Key
- Generate a new key at your provider (Anthropic / OpenAI)
- Admin → Vaults → select the vault → Update Value → paste the new value
- Save. The in-memory cache is invalidated and the next agent invocation uses the new key.
No agent config changes are needed — they reference the vault by ID, not by value.
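A model of the runtime path and key rotation described above, as an added example rather than Nembl's implementation. VaultStore, KeyCache, run_agent and rotation_demo are hypothetical names and the keys are constructed; the demo contrasts a cache that is invalidated on vault update with one that only expires after the 5-minute TTL.

```python
import time

TTL_SECONDS = 5 * 60  # the page's 5-minute in-memory cache

class VaultStore:  # constructed stand-in for the vault backend (hypothetical)
    def __init__(self):
        self.values, self.listeners = {}, []

    def update(self, vault_id, value):
        self.values[vault_id] = value
        for notify in self.listeners:  # tell caches the vault changed
            notify(vault_id)

class KeyCache:
    def __init__(self, store, clock=time.monotonic, invalidate_on_update=True):
        self.store, self.clock, self.entries = store, clock, {}
        if invalidate_on_update:
            store.listeners.append(lambda vid: self.entries.pop(vid, None))

    def resolve(self, vault_id):
        hit = self.entries.get(vault_id)
        if hit and self.clock() - hit[1] < TTL_SECONDS:
            return hit[0]
        value = self.store.values.get(vault_id)
        if value:  # a missing or empty value is never cached
            self.entries[vault_id] = (value, self.clock())
        return value

def run_agent(cache, vault_id, call_provider):
    key = cache.resolve(vault_id)
    if not key:
        return "API_KEY_NOT_FOUND"
    status = call_provider(key)  # HTTP status returned by the provider
    if 200 <= status < 300:
        return "OK"
    return {401: "API_KEY_UNAUTHORIZED", 403: "API_KEY_FORBIDDEN",
            429: "API_KEY_RATE_LIMITED"}.get(status, "PROVIDER_ERROR")

def rotation_demo(invalidate, elapsed=0.0):
    """Rotate constructed key sk-old to sk-new; the provider accepts only sk-new."""
    now = [0.0]
    store = VaultStore()
    store.update("v1", "sk-old")
    cache = KeyCache(store, lambda: now[0], invalidate)
    cache.resolve("v1")           # warm the cache with sk-old
    store.update("v1", "sk-new")  # "Update Value" in the vault
    now[0] += elapsed
    return run_agent(cache, "v1", lambda k: 200 if k == "sk-new" else 401)
```

With invalidation the first run after the vault update succeeds; without it, the stale key keeps failing with API_KEY_UNAUTHORIZED until the TTL lapses.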
What Does Not Use Your Key
- Nembl chatbot (/chat) — uses a DevOpspolis-managed Anthropic key. No setup required.
- Nembl internal features that use LLM inference (e.g. workflow suggestions in future releases) will be explicitly labeled if they use your key vs the DevOpspolis key.
Related
- Creating & Managing Vaults
- Responsibilities — how to assign an agent to a phase