When customers bring their own LLM API key, we have a real responsibility: that key, if leaked, could rack up a six-figure bill or expose the provider's account. We treat it as carefully as we treat PHI.
Storage: each key is encrypted with AES-256-GCM using a per-record initialization vector and an authentication tag. The encryption key is derived from a master secret + tenant_id, so the same plaintext encrypted for two different tenants yields different ciphertexts.
Access: the underlying table has row-level security limiting reads and writes to tenant admins, verified server-side by a Postgres RPC before the secret is ever decrypted. Service-role code paths are audited and minimal.
Rotation: admins can rotate the key at any time; the previous ciphertext is purged. The UI surfaces only the last 4 characters to confirm the key is present, never the full value.