improvement(byok): make available for all plans

[icecrasher321]

Summary

BYOK available for everyone.

Type of Change

• Other: UX Improvement

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
docs	Ready	Preview, Comment	Jan 13, 2026 1:22am

[icecrasher321]

@greptile

[greptile-apps]

Greptile Overview

Greptile Summary

This PR successfully democratizes the BYOK (Bring Your Own Key) feature by removing enterprise plan restrictions, making it available to all workspace admins on hosted deployments. The implementation is generally solid with clean removal of authorization gates and proper permission checks.

What Changed

Access Control Evolution:

• Removed isWorkspaceOnEnterprisePlan() and isEnterpriseOrgAdminOrOwner() checks from BYOK APIs
• Deleted the admin bulk management endpoint /api/v1/admin/byok (previously used for enterprise plan churn cleanup)
• Simplified authorization to workspace admin permission only via getUserEntityPermissions()
• Changed BYOK from "enterprise" section to "system" section in settings UI

Execution & Billing Impact:

• BYOK keys are now checked for all workspaces during workflow execution
• When BYOK key exists: Uses user's key, sets isBYOK=true, skips billing (no cost multiplier)
• When no BYOK key: Uses platform hosted keys, applies 1.4x multiplier, bills user
• The billing logic correctly prevents double-charging when users provide their own keys

Documentation Updates:

• Moved BYOK documentation from /enterprise/index.mdx to /execution/costs.mdx
• Added comprehensive setup instructions and clarified that "only workspace admins" can manage keys
• Updated permission messaging from "organization admins and owners" to "workspace admins"

Issues Found

1. Documentation inconsistency: Other language versions (German, Spanish, French, Japanese, Chinese) still have BYOK in their enterprise docs and need updating
2. UI clarity issue: The deletion modal message "platform hosted keys" is vague compared to previous messaging that mentioned cost implications

Security & Access Control Assessment

The new permission model is appropriate and secure:

• Workspace admin permission is correctly enforced via getUserEntityPermissions() which returns 'admin', 'write', 'read', or null
• This is consistent with other sensitive settings (API keys, environment variables) which also require workspace admin
• BYOK keys are encrypted at rest using encryptSecret() and decrypted only when needed
• No privilege escalation risks introduced by removal of enterprise gate

The removal of the admin BYOK bulk deletion endpoint is safe as it was only used for enterprise plan churn cleanup, which is no longer relevant when BYOK is available to all plans.

Confidence Score: 4/5

• This PR is safe to merge with minor documentation inconsistencies that should be addressed
• Score of 4 reflects a well-executed feature democratization with proper security controls and clean code changes. The implementation correctly removes enterprise gates while maintaining appropriate workspace admin authorization. The billing logic properly handles BYOK vs hosted keys to prevent double-charging. The main issues are non-critical documentation inconsistencies (internationalized docs need updating) and a minor UI text clarity issue. No security vulnerabilities, data integrity issues, or breaking changes were found.
• Pay attention to apps/docs/content/docs/en/enterprise/index.mdx - the BYOK section needs to be removed from other language versions (de, es, fr, ja, zh) for consistency

Important Files Changed

File Analysis

Filename	Score	Overview
apps/sim/app/api/workspaces/[id]/byok-keys/route.ts	5/5	Removed enterprise plan checks from GET/POST/DELETE endpoints, now only requires workspace admin permission
apps/sim/lib/api-key/byok.ts	5/5	Removed isWorkspaceOnEnterprisePlan check, BYOK keys now checked for all workspaces during execution
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/byok/byok.tsx	4/5	Removed enterprise gate UI and Crown icon, minor text clarity issue in deletion modal
apps/docs/content/docs/en/enterprise/index.mdx	3/5	Removed BYOK section from enterprise docs, but other language versions still have it (needs update)
apps/docs/content/docs/en/execution/costs.mdx	5/5	Added comprehensive BYOK documentation with setup instructions and supported providers

Sequence Diagram

sequenceDiagram
    participant User as Workspace Admin
    participant UI as Settings UI
    participant API as BYOK API
    participant DB as Database
    participant Exec as Workflow Execution
    participant Provider as AI Provider

    Note over User,Provider: BYOK Setup Flow (Now Available to All Plans)
    
    User->>UI: Navigate to Settings → BYOK
    UI->>API: GET /api/workspaces/{id}/byok-keys
    API->>DB: Check workspace admin permission
    DB-->>API: Permission verified
    API->>DB: Query existing BYOK keys
    DB-->>API: Return encrypted keys
    API->>API: Decrypt and mask keys
    API-->>UI: Return masked keys list
    UI-->>User: Display provider cards with Add/Update/Delete

    User->>UI: Click "Add Key" for provider
    UI-->>User: Show API key input modal
    User->>UI: Enter API key and save
    UI->>API: POST /api/workspaces/{id}/byok-keys<br/>{providerId, apiKey}
    API->>DB: Verify workspace admin permission
    DB-->>API: Permission verified
    API->>API: Encrypt API key
    API->>DB: Upsert BYOK key for provider
    DB-->>API: Success
    API-->>UI: Return success with masked key
    UI-->>User: Show success message

    Note over User,Provider: Workflow Execution with BYOK

    User->>Exec: Trigger workflow with AI block
    Exec->>Exec: Identify provider and model
    Exec->>DB: Query BYOK key for workspace
    alt BYOK key exists
        DB-->>Exec: Return encrypted key
        Exec->>Exec: Decrypt key
        Exec->>Provider: Call API with user's key
        Provider-->>Exec: Return response
        Exec->>Exec: Calculate cost (no multiplier)
        Note over Exec: isBYOK=true, skip billing
    else No BYOK key
        Exec->>Exec: Use platform hosted key
        Exec->>Provider: Call API with platform key
        Provider-->>Exec: Return response
        Exec->>Exec: Calculate cost with 1.4x multiplier
        Exec->>DB: Log usage and bill user
    end
    Exec-->>User: Return workflow results

Loading

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (3)

apps/sim/hooks/queries/byok-keys.ts
The byokEnabled field in the interface is no longer functionally used since the enterprise gate was removed. The API still returns byokEnabled: true (line 100 in route.ts), but the frontend no longer checks this value. Consider removing this field from the interface to keep the codebase clean, or if it's needed for backward compatibility, add a comment explaining why it's kept.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/sim/hooks/queries/byok-keys.ts
Line: 20:20

Comment:
The `byokEnabled` field in the interface is no longer functionally used since the enterprise gate was removed. The API still returns `byokEnabled: true` (line 100 in route.ts), but the frontend no longer checks this value. Consider removing this field from the interface to keep the codebase clean, or if it's needed for backward compatibility, add a comment explaining why it's kept.

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

How can I resolve this? If you propose a fix, please make it concise.

---

apps/sim/app/api/workspaces/[id]/byok-keys/route.ts
The byokEnabled: true field is being returned but is no longer used by the frontend since the enterprise check was removed. The BYOK component no longer reads or checks this value. Consider removing this field from the response to keep the API clean, or update it to reflect the new behavior (e.g., always available for workspace admins).

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/sim/app/api/workspaces/[id]/byok-keys/route.ts
Line: 100:100

Comment:
The `byokEnabled: true` field is being returned but is no longer used by the frontend since the enterprise check was removed. The BYOK component no longer reads or checks this value. Consider removing this field from the response to keep the API clean, or update it to reflect the new behavior (e.g., always available for workspace admins).

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

How can I resolve this? If you propose a fix, please make it concise.

---

apps/docs/content/docs/en/enterprise/index.mdx
This documentation states "BYOK is only available on hosted Sim Studio" but the PR makes BYOK available to all plans on hosted deployments, not just Enterprise. This note is accurate for self-hosted but may be confusing since the section is about Enterprise features. Consider clarifying that BYOK is now available to all plans on hosted deployments, or moving this note to a more appropriate location.

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/docs/content/docs/en/enterprise/index.mdx
Line: 93:93

Comment:
This documentation states "BYOK is only available on hosted Sim Studio" but the PR makes BYOK available to all plans on hosted deployments, not just Enterprise. This note is accurate for self-hosted but may be confusing since the section is about Enterprise features. Consider clarifying that BYOK is now available to all plans on hosted deployments, or moving this note to a more appropriate location.

How can I resolve this? If you propose a fix, please make it concise.

[icecrasher321]

@greptile

[greptile-apps]

Greptile Overview

Greptile Summary

This PR democratizes the Bring Your Own Key (BYOK) feature by making it available to all users instead of restricting it to Enterprise plan customers. The changes remove enterprise-only feature gating from the API routes, core execution logic, UI components, and documentation.

Key Changes

Access Control Shift:

• Before: BYOK required enterprise plan + organization admin/owner role
• After: BYOK requires workspace admin permission (any plan)

Code Changes:

1. Removed isEnterpriseOrgAdminOrOwner checks from API routes (GET/POST/DELETE endpoints)
2. Removed isWorkspaceOnEnterprisePlan check from core BYOK key resolution logic
3. Deleted isWorkspaceOnEnterprisePlan function from subscription module
4. Deleted entire /api/v1/admin/byok endpoint used for organization-level management
5. Removed enterprise gate UI component showing "upgrade to enterprise" message
6. Moved BYOK from "Enterprise" to "System" section in settings modal

Documentation Updates:

• Moved BYOK documentation from Enterprise features to Cost Calculation page
• Updated permission requirements from "organization admins and owners" to "workspace admins"
• Added note clarifying BYOK is hosted-only (self-hosted uses environment variables)

Architectural Impact

The permission model now relies solely on workspace-level permissions via getUserEntityPermissions, which checks the permissions table for workspace admin access. This is simpler and more consistent with other workspace settings like API keys and environment variables.

During workflow execution, getApiKeyWithBYOK now checks for BYOK keys for all workspaces in hosted environments, falling back to hosted keys with the pricing multiplier if no BYOK key is configured.

Minor Issue Identified

The API response still includes a byokEnabled: true field that is now always true and serves no purpose. This can be cleaned up in a follow-up or as part of this PR.

Confidence Score: 4/5

• This PR is safe to merge with one minor cleanup recommendation
• The changes are well-structured and consistently applied across all layers (API, core logic, UI, docs). The permission model properly restricts BYOK management to workspace admins, maintaining security while democratizing access. The deletion of the admin BYOK endpoint is intentional since organization-level bulk operations are no longer needed. One style issue exists with the deprecated byokEnabled field, but this doesn't impact functionality.
• apps/sim/app/api/workspaces/[id]/byok-keys/route.ts - contains deprecated byokEnabled field that should be removed for API cleanliness

Important Files Changed

File Analysis

Filename	Score	Overview
apps/sim/app/api/workspaces/[id]/byok-keys/route.ts	4/5	Removed enterprise-only checks; now allows all workspace admins to manage BYOK keys. Returns deprecated byokEnabled field.
apps/sim/lib/api-key/byok.ts	5/5	Removed enterprise plan check; BYOK keys now checked for all workspaces in hosted environments.
apps/sim/lib/billing/core/subscription.ts	5/5	Removed isWorkspaceOnEnterprisePlan function that was used for BYOK feature gating.
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/byok/byok.tsx	5/5	Removed enterprise-only UI gate and Crown icon; updated messaging to reflect availability for all users.
apps/sim/app/api/v1/admin/byok/route.ts	4/5	Deleted admin BYOK endpoint used for organization-level key management and enterprise churn cleanup.

Sequence Diagram

sequenceDiagram
    participant User
    participant UI as BYOK Settings UI
    participant API as /api/workspaces/[id]/byok-keys
    participant Auth as getUserEntityPermissions
    participant Core as getApiKeyWithBYOK
    participant DB as Database
    
    User->>UI: Navigate to Settings → BYOK
    Note over UI: No enterprise gate check
    UI->>API: GET /api/workspaces/[id]/byok-keys
    API->>Auth: Check user permissions
    Auth->>DB: Query permissions table
    DB-->>Auth: Return permission level
    Auth-->>API: Returns 'admin', 'write', 'read', or null
    
    alt User has permission
        API->>DB: Fetch BYOK keys for workspace
        DB-->>API: Return encrypted keys
        API-->>UI: Return keys + byokEnabled: true
        UI->>User: Display BYOK providers
    else No permission
        API-->>UI: 401 Unauthorized
    end
    
    User->>UI: Add/Update API Key
    UI->>API: POST /api/workspaces/[id]/byok-keys
    API->>Auth: Check workspace admin permission
    
    alt User is workspace admin
        API->>DB: Encrypt and store key
        DB-->>API: Success
        API-->>UI: Return success
        UI->>User: Key saved
    else Not workspace admin
        API-->>UI: 403 Forbidden
    end
    
    Note over Core: During workflow execution
    Core->>DB: Check for BYOK key (no enterprise check)
    
    alt BYOK key exists
        DB-->>Core: Return encrypted key
        Core->>Core: Decrypt key
        Core-->>Core: Use BYOK key
    else No BYOK key
        Core->>Core: Fall back to hosted key with multiplier
    end

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

The text "platform hosted keys" is unclear. Consider being more explicit about what happens when BYOK is removed, especially since the cost implications have changed with this PR.

Previously, it mentioned "2x multiplier" (which was actually 1.4x based on the docs), but now BYOK is available to everyone. The message should clarify what "platform hosted keys" means in terms of cost.

Suggested improvement:

Suggested change

	API key? This workspace will revert to using platform hosted keys.
	API key? This workspace will revert to using Sim Studio's hosted keys with the 1.4x pricing multiplier.

This matches the documentation at apps/docs/content/docs/en/execution/costs.mdx line 51 and 84 which explicitly states the 1.4x multiplier.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/byok/byok.tsx
Line: 317:317

Comment:
The text "platform hosted keys" is unclear. Consider being more explicit about what happens when BYOK is removed, especially since the cost implications have changed with this PR. 

Previously, it mentioned "2x multiplier" (which was actually 1.4x based on the docs), but now BYOK is available to everyone. The message should clarify what "platform hosted keys" means in terms of cost.

Suggested improvement:
```suggestion
              API key? This workspace will revert to using Sim Studio's hosted keys with the 1.4x pricing multiplier.
```

This matches the documentation at `apps/docs/content/docs/en/execution/costs.mdx` line 51 and 84 which explicitly states the 1.4x multiplier.

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

The BYOK section was removed from the English enterprise docs, but the same section still exists in other language versions (German, Spanish, French, Japanese, and Chinese). These need to be updated for consistency.

The BYOK section should be removed from:

• apps/docs/content/docs/de/enterprise/index.mdx
• apps/docs/content/docs/es/enterprise/index.mdx
• apps/docs/content/docs/fr/enterprise/index.mdx
• apps/docs/content/docs/ja/enterprise/index.mdx
• apps/docs/content/docs/zh/enterprise/index.mdx

And potentially added to the corresponding costs.mdx files in those languages (though I note those files may not exist yet based on the execution/costs.mdx files I saw).

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/docs/content/docs/en/enterprise/index.mdx
Line: 31:31

Comment:
The BYOK section was removed from the English enterprise docs, but the same section still exists in other language versions (German, Spanish, French, Japanese, and Chinese). These need to be updated for consistency.

The BYOK section should be removed from:
- `apps/docs/content/docs/de/enterprise/index.mdx`
- `apps/docs/content/docs/es/enterprise/index.mdx`
- `apps/docs/content/docs/fr/enterprise/index.mdx`
- `apps/docs/content/docs/ja/enterprise/index.mdx`
- `apps/docs/content/docs/zh/enterprise/index.mdx`

And potentially added to the corresponding `costs.mdx` files in those languages (though I note those files may not exist yet based on the execution/costs.mdx files I saw).

How can I resolve this? If you propose a fix, please make it concise.