Connect your OpenAI key
Airlock is bring-your-own-key. Follow this guide to connect an OpenAI account so the gateway can forward governed requests on your behalf.
1. What BYOK means for Airlock
Airlock is bring-your-own-key. You keep ownership of your OpenAI account, billing, quotas, and rate limits. Airlock sits in front of the provider and enforces your organization's policies on every call.
2. Create a dedicated OpenAI project and API key
In your OpenAI dashboard, create a project scoped to Airlock and issue a new API key inside that project. Using a dedicated project makes it easy to track Airlock-mediated spend and to revoke access without disrupting other integrations.
3. Paste the key into Airlock
In Airlock, go to Settings → Providers → Connect OpenAI, paste the key, and save. Airlock encrypts the key into the managed secrets store immediately. The raw value is not echoed back to the browser after save.
4. Validate the connection
Use the Workbench to send a test request. A successful call updates the connection's last_used_at timestamp; a failure records last_error_type so you can diagnose without exposing the key.
5. Replace, disable, or revoke
- Replace — reconnect in Settings → Providers with a new key; the previous stored copy is destroyed.
- Disable — toggle the connection off; gateway calls return
no_provider_connection(HTTP 424) until you re-enable it. - Revoke — remove the connection in Airlock and delete the key in the OpenAI dashboard. Revoking inside Airlock only destroys Airlock's stored copy; it does not invalidate the key upstream.
6. What Airlock does and does not do with your key
Does: decrypt the key server-side at the moment of a forwarded request; pass it directly to the OpenAI adapter; record the key source (byok / platform) and an internal connection id in audit.
Does not: log the raw key, return it in any API response, store it in audit_events or audit_prompts, share it across organizations, or use it for any request outside your own gateway traffic.
