Security First

BYOK Security Architecture

We understand the concern: "How do I know you're not stealing my API keys?"
Here's exactly how we protect them.

What is BYOK?

BYOK (Bring Your Own Keys) means you provide your own API keys from AI providers like OpenAI, Anthropic, Google, or Groq. You pay the providers directly for usage, and you maintain full control over your keys at all times.

Why BYOK?

BYOK gives you transparency—you pay providers directly and can see exactly what you're spending. Since you own the keys, you can revoke them anytime from your provider's dashboard if needed.

How We Protect Your Keys

AES-256 Encryption at Rest

All API keys are encrypted before they are written to the database. We use the framework's built-in encrypter, which applies AES-256-CBC and authenticates the result with an HMAC-SHA256 tag keyed by the application secret: a stored value that has been altered fails the MAC check and is rejected instead of being decrypted. Keys are never stored in plain text.

// In our Setting model (Laravel Eloquent): the 'encrypted' cast encrypts the
// value on save and decrypts it on read, so the plain-text key exists only
// in memory, never in the stored row.
protected function casts(): array {
  return [
    'value' => 'encrypted',
  ];
}

Complete Tenant Isolation

Each organization's API keys are stored against its organization ID, and every settings lookup is scoped to the requesting organization. API keys are explicitly marked as "tenant-only" settings: if an organization has not configured a key, the lookup returns nothing rather than falling back to a global value, so one tenant's requests are never made with a key that belongs to someone else.

  • Every settings lookup is scoped by organization ID
  • Tenant-only settings never fall back to global values
  • Organization-level access controls are enforced on every request

Automatic Log Sanitization

API keys are masked before any log entry is written. A dedicated LogSanitizer runs over every log message and applies two rules: the value attached to any of the sensitive field names below is replaced, and any bare token that looks like a key is replaced as well.

// Field names we mask (case-insensitive):
'api_key', 'apikey', 'api-key', 'secret_key',
'password', 'bearer', 'authorization'

// Bare-token pattern, an unbroken run of 32 to 64 letters or digits:
/\b[a-zA-Z0-9]{32,64}\b/ → ***MASKED_API_KEY***

The bare-token pattern is a safety net rather than the primary control. A key that contains hyphens or underscores, or that is longer than 64 characters, does not match it as a whole; only the alphanumeric runs inside it that happen to be 32 to 64 characters long are masked. That is why the field-name rule runs first, and why keys should never be placed in free-text log messages in the first place.

Secure Server-Side Forwarding

When you send a message, our server decrypts your API key in memory, makes an HTTPS call to the AI provider, and streams the response back to you. Your key is never exposed to the browser or cached on disk.

Your Browser → Lexix Server (decrypt → call → stream) → AI Provider (OpenAI / Anthropic / etc.)

Hidden From View

After you save an API key, it's displayed as "***" in the UI. Even organization admins cannot view the actual key — only replace it with a new one. This prevents accidental exposure in screenshots or screen shares.

How It All Works Together

What Lexix Does

  • Encrypts your keys before storing in the database
  • Decrypts keys only in-memory when making API calls
  • Masks keys in the UI—shown as "***" after saving
  • Sanitizes logs to prevent accidental key exposure
  • Forwards requests to providers over HTTPS (keys never sent to browser)

Recommended: What to Do at Your Provider

  1. Create a dedicated API key just for Lexix (don't reuse keys)
  2. Set spending limits in your provider dashboard
  3. Check your provider usage periodically
  4. Rotate keys periodically for good security hygiene
  5. Consider Ollama for fully local processing of sensitive data

Frequently Asked Questions

Can Lexix employees see my API keys?

API keys are encrypted at rest with AES-256-CBC, so access to the database alone is not enough to read them: decryption requires both the stored ciphertext and the application's secret key. The honest answer is that the hosted service necessarily holds both, because it decrypts keys in memory to make provider calls on your behalf (see Secure Server-Side Forwarding). If you need to rule that out rather than trust our controls, self-host so that you control both the database and the secret key.

What happens if Lexix is compromised?

If you ever suspect a security issue, you can immediately revoke your API keys from your provider dashboards (OpenAI, Anthropic, Google, Groq). Since you control the keys at the source, you can cut off access instantly.

Do you store my AI conversations?

Conversation history is stored so you can return to it, and we don't use it for training or share it with third parties. Requests to providers are made by our server on your behalf, so message content passes through our infrastructure on its way to the provider; the only processing applied in transit is what is needed to route the request and stream the reply back to you.

Can other organizations in Lexix see my keys?

No. Each organization's settings, including its encrypted API keys, are stored under that organization's ID, and every lookup is scoped to the requesting organization. There is no code path in our architecture for reading another tenant's settings.

What about self-hosting for maximum security?

For teams that require maximum control, Lexix supports self-hosted deployment. With self-hosting, all data including encrypted keys remains on your infrastructure. Contact us for enterprise self-hosting options.

Ready to get started?

Join thousands of teams who trust Lexix with their AI workflows. Your keys, your control, our platform.

Get Started Free