Concept

Bring Your Own Key

For knowmind-internal LLM calls — document indexing, entity extraction, reranking, agents — you can register your own provider keys. knowmind gives you control over model choice, data flow and billing.

Supported providers

Anthropic: US
OpenAI: US
Google Gemini: Global
Mistral AI [DE / EU]: EU
Aleph Alpha (Pharia) [DE / EU]: DE
Azure OpenAI [DE / EU]: EU-configurable
Ollama (local) [DE / EU]: DE
LM Studio (local) [DE / EU]: DE
vLLM (own hardware) [DE / EU]: DE

How we protect keys

  1. In transit: TLS 1.3, Let's Encrypt certificate. The form does not encrypt the value before POST because HTTPS already does.
  2. At rest: AES-256-GCM with a per-workspace key derived from a master KEK (HKDF-SHA256). The master KEK lives outside the database and outside backups, in a separate secret source.
  3. In use: the clear text lives in the provider-adapter's RAM for the duration of a call — seconds, not hours. No logs, no tracing fields, no stack traces that could leak a key.
  4. In the UI: only the masked form sk-ant-***-xx7K. The clear text never reaches the browser DOM.
  5. Rotation: replace or disable keys yourself at any time. Old keys are marked inactive, not deleted (audit trail).
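
The at-rest scheme in step 2 and the masking in step 4, as an added Node.js sketch that is not knowmind's own code. The HKDF info label, the use of the workspace id as AAD, the nonce | tag | ciphertext layout and all function names are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Per-workspace AES-256 key derived from the master KEK with HKDF-SHA256.
// Assumption: the workspace id is carried in the HKDF info label.
function deriveWorkspaceKey(masterKek, workspaceId) {
  const info = Buffer.from(`provider-key:${workspaceId}`);
  return Buffer.from(crypto.hkdfSync('sha256', masterKek, Buffer.alloc(0), info, 32));
}

// Returns nonce | tag | ciphertext. The workspace id is also bound as AAD, so a
// row copied into another workspace fails authentication instead of decrypting.
function sealProviderKey(masterKek, workspaceId, apiKey) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const key = deriveWorkspaceKey(masterKek, workspaceId);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(workspaceId));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Throws if the blob was modified or belongs to a different workspace.
function openProviderKey(masterKek, workspaceId, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const key = deriveWorkspaceKey(masterKek, workspaceId);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(Buffer.from(workspaceId));
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Masked form for the UI: provider prefix plus the last four characters.
// Keys without a recognisable prefix show only the last four.
function maskProviderKey(apiKey) {
  if (apiKey.length < 12) return '***';
  const m = /^([A-Za-z]{2,4}-[A-Za-z]{2,6})-/.exec(apiKey);
  return `${m ? m[1] + '-' : ''}***-${apiKey.slice(-4)}`;
}

{
  const demoKek = Buffer.alloc(32, 7); // constructed; a real KEK comes from the secret source
  const demoKey = 'sk-ant-api03-CONSTRUCTED-NOT-A-REAL-KEY-xx7K'; // constructed sample
  const row = sealProviderKey(demoKek, 'ws-a', demoKey);
  console.log(maskProviderKey(demoKey), row.length, openProviderKey(demoKek, 'ws-a', row) === demoKey);
}
```

Only the sealed blob would be stored in the database; without the master KEK from the separate secret source, a database dump or backup does not yield the provider key.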

When BYOK applies, and when it does not

BYOK only applies to calls that knowmind itself makes. Typical example: you upload a PDF, knowmind calls your Anthropic key to extract entities. By contrast, when you use knowmind from Claude Desktop via MCP, the model call runs through your Anthropic subscription — knowmind sees only the recall request, never your Claude key. The integration guides describe this in detail.
