Managing API Keys (BYOK)
Note: API keys are optional. plotTree uses a credit system by default—you only need to configure API keys if you want to avoid our platform margin and pay AI providers directly at cost.
If you’ve chosen to use BYOK (Bring Your Own Keys), this guide covers how to manage, update, and rotate your keys.
Viewing Your Keys
Navigate to Configuration → API Keys in the left sidebar to see all your configured API keys.
For each key, you’ll see:
- Provider: Which service (currently OpenRouter)
- Status: Active or inactive
- Created: When you added the key
- Updated: Last modification date
- Masked Key: Only displays sk-or-v1-****... for security
You can never retrieve the full key after saving it. If you lose it, you’ll need to generate a new one.
Updating a Key
When to Update
You might need to update your API key if:
- You rotated the key at the provider for security
- The key was compromised
- You switched to a different OpenRouter account
- The old key expired or was revoked
How to Update
- Navigate to the API Keys page
- Find the key you want to update
- Click “Edit” or the edit icon
- Paste your new OpenRouter key
- Click “Update” or “Save”
plotTree will encrypt and store the new key, replacing the old one. The old key is permanently deleted.
Deleting a Key
When to Delete
Delete a key when:
- You’re no longer using plotTree
- You want to switch to a different provider (when we support more)
- You’re consolidating to a different OpenRouter account
How to Delete
- Navigate to the API Keys page
- Find the key you want to remove
- Click “Delete” or the trash icon
- Confirm deletion
Warning: Deleting your OpenRouter key will switch you back to the credit system. If you have no credits remaining, you won’t be able to use AI features until you purchase more credits or add a new key.
Key Limits
You can have one key per provider. Currently, that means one OpenRouter key at a time.
If you try to add a second OpenRouter key, plotTree will show an error. You must delete or update your existing key first.
Security & Key Hygiene
How plotTree Protects Your Keys
Encryption at Rest: All API keys are encrypted before being stored in the database. We use industry-standard AES-256 encryption to ensure your keys are never stored in plain text.
Masked Display: Once saved, your keys are only displayed in masked form (sk-or-v1-****...). You can’t retrieve the full key from plotTree after saving it.
Secure Transmission: Keys are transmitted over HTTPS/TLS and never logged or exposed in error messages, stack traces, or support tickets.
Encryption Key Management: The encryption keys used to protect your API keys are stored separately from the encrypted data and are managed using environment-based secrets.
Best Practices
Never share your API keys: Your OpenRouter key is like a password. Don’t share it with anyone, don’t post it in support tickets or forums, and don’t commit it to version control if you’re working with code.
Rotate keys periodically: Consider generating a new OpenRouter key every 3-6 months and updating it in plotTree. This limits exposure if a key is ever compromised. Treat it like changing passwords.
Monitor your usage: Check your OpenRouter dashboard regularly to ensure usage matches your expectations. Unexpected spikes could indicate unauthorized access or runaway generation loops.
Use key-specific limits: In OpenRouter, you can set spending limits per API key. This prevents runaway costs if something goes wrong or if your key is compromised.
Delete unused keys: If you stop using plotTree or switch providers, delete your API key from both plotTree and OpenRouter. Don’t leave active keys lying around.
Use dedicated keys: Consider creating a plotTree-specific key in OpenRouter rather than reusing keys across multiple applications. This makes it easier to track usage and revoke access if needed.
Don’t expose keys in client-side code: Never include API keys in frontend JavaScript, browser extensions, or any code that runs on user devices. plotTree handles all API calls server-side for this reason.
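An added example (not plotTree's own code) of a pre-commit check for the "don't commit it to version control" advice above: it scans a directory for strings carrying the sk-or-v1- prefix shown on this page and reports them in masked form only. The character set and minimum length after the prefix, the skipped directories, the short fingerprint and all function names are assumptions made for this sketch.

```python
import hashlib
import re
import sys
from pathlib import Path

# Assumption: after the "sk-or-v1-" prefix shown on this page, the secret part
# is a run of at least 16 letters/digits. Adjust if your keys look different.
KEY_RE = re.compile(r"sk-or-v1-[A-Za-z0-9]{16,}")
SKIP_DIRS = {".git", "node_modules", ".venv"}


def mask(key: str) -> str:
    """Masked form plus a short fingerprint, so the full key is never printed."""
    digest = hashlib.sha256(key.encode()).hexdigest()[:8]
    return f"sk-or-v1-****... (sha256:{digest})"


def scan_text(text: str, source: str = "<text>") -> list:
    """Return (source, line number, masked key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, mask(match.group())))
    return findings


def scan_tree(root: str) -> list:
    """Scan every readable text file under root, skipping VCS/vendor dirs."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for source, lineno, masked in hits:
        print(f"{source}:{lineno}: possible OpenRouter key {masked}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Any key this check finds in a working tree should be treated as exposed and rotated, since it may already exist in earlier commits.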
If You Suspect Compromise
If you think your API key has been exposed or compromised:
- Immediately revoke it in your OpenRouter dashboard
- Generate a new key from OpenRouter with a different name
- Update plotTree with the new key (or delete the old one)
- Check your OpenRouter billing for unauthorized usage
- Review your usage history to identify when the compromise might have occurred
plotTree never has access to your OpenRouter account credentials, only the API key you provide. Revoking the key at OpenRouter immediately stops all access, even if plotTree still has the key stored.
What plotTree Does NOT Do
To be clear about security boundaries:
- We do not store your OpenRouter account password
- We do not have access to your OpenRouter billing information
- We do not see other API keys in your OpenRouter account
- We do not use your keys for anything except your explicit requests in plotTree
- We do not share your keys with third parties
Your API key is used only to make API calls on your behalf when you use plotTree’s AI features.
Troubleshooting
“Invalid API key” error
- Verify you copied the entire key (they’re long!)
- Check for extra spaces at the beginning or end when pasting
- Make sure you’re using an OpenRouter key (sk-or-v1-...), not an OpenAI key (sk-...)
- Confirm the key hasn’t been revoked in your OpenRouter dashboard
“Already have a key for this provider”
- You can only have one OpenRouter key at a time
- Delete or update your existing key if you need to change it
- The old key will be permanently deleted when you update or remove it
AI features not working after adding key
- Verify you have credits in your OpenRouter account
- Check that your OpenRouter key hasn’t been revoked
- Try generating a new key from OpenRouter
- Ensure your OpenRouter account is in good standing (no billing issues)
- Look for any spending limits you might have set on the key
Can’t see my full API key
This is by design for security. Once you save a key to plotTree, you can never retrieve the full value. If you need to see it again, check your OpenRouter dashboard or generate a new key.
Next Steps
With your API keys properly managed:
- Explore Providers & Models: Understand which AI models plotTree uses
- Learn about AI Features: See what AI features are available
- Check Subscription & Billing: Understand the credit system and subscription tiers
Remember: With BYOK, you pay OpenRouter directly for AI usage at cost (avoiding our platform margin), while your plotTree subscription provides platform access and features.