What Bring Your Own Key (BYOK) Actually Means

Bring your own key (BYOK) is showing up everywhere. Here's what it actually means, why it changes who controls your data, and where it matters most.

Bahroze Ali

Bring your own key, or BYOK, used to be an enterprise checkbox. Now it's everywhere: AI tools that run on your own OpenAI or Anthropic key, email APIs, analytics, form backends. The phrase keeps showing up on pricing pages, and it quietly changes who controls your data.

Here's what bring your own key actually means, why it changes your relationship with a tool, and where it matters beyond forms.

What Bring Your Own Key Means

Bring your own key means you supply the API credentials, and the platform uses your keys to do the work on your behalf, instead of reselling you access through its own account.

This is already how most things work at the infrastructure level. You bring AWS credentials to Terraform. You bring a Stripe secret key to your payments library. The tool orchestrates; the provider bills you directly. Nobody adds a margin on top of your Stripe usage. Stripe does the charging.

"You're not paying for the integration. You're paying for the markup on your own API keys."

The opposite model, call it bring-your-wallet, is where the tool holds the keys, makes the calls on its own account, and bills you a marked-up rate for the privilege. BYOK flips that ownership back to you.

Why BYOK Changes the Trust Model

When the keys are yours, the relationship with the tool changes in three concrete ways:

Cost accrues to you, not a middleman. If you're paying Resend $0.10 per 1,000 emails, that's the cost. There's no integration tier marking up an API you already pay for.

You can leave. Revoke the key and the tool's access ends instantly. Your data isn't hostage to a credential the vendor controls, and there's no migration tax to switch providers.

Security responsibility is explicit. Holding someone's third-party credentials is real responsibility. The honest version of BYOK is verifiable, not just promised:

  • Encrypted at rest. Keys are encrypted (OSForms uses AES-256-GCM) before they touch the database, with the encryption key in the environment, not the DB. Dump the database and you get ciphertext.
  • Never logged. Decrypted in memory for the call, then discarded. Not in logs, errors, or storage.
  • Scoped access. OAuth integrations request the narrowest scope that works. OSForms' Google Sheets integration uses drive.file, not full-Drive access.

"You don't have to trust a description of how your keys are handled. When the code is open source, you can read the implementation."

BYOK in Practice With a Form Backend

A form backend is a clean example, because every integration it offers runs on a key you already own. In OSForms, adding one looks like this:

  1. You paste your API key (Resend, a webhook signing secret) or complete an OAuth flow (Google Sheets).
  2. The credential is encrypted at rest with AES-256-GCM.
  3. When a submission arrives, OSForms decrypts it in memory and makes the call.
  4. The decrypted key is never logged or persisted beyond that execution.

Submission → OSForms → decrypts your key → calls Resend API → logs result
                                                 ↑
                                     Resend bills your account
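
The storage steps above, together with the earlier "Encrypted at rest" and "Never logged" points, as an added Node.js example (not OSForms source code). It encrypts a credential with AES-256-GCM under a 64-hex-character key and fails closed on tampering. The function names, the `v1.iv.tag.ciphertext` record layout, and binding a form id as associated data are assumptions made for illustration.

```javascript
// Added example, not OSForms code. All names here are hypothetical.
const crypto = require("node:crypto");

// Parse the key format the page describes: 64 hex characters = 32 bytes.
function loadKey(hex) {
  if (typeof hex !== "string" || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("ENCRYPTION_KEY must be 64 hex characters (32 bytes)");
  }
  return Buffer.from(hex, "hex");
}

// Encrypt a credential before it reaches the database. `context` (assumed:
// the owning form id) is bound as AAD, so a ciphertext copied onto another
// record fails authentication instead of decrypting.
function encryptCredential(key, plaintext, context) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(context, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ["v1", iv.toString("base64"), tag.toString("base64"),
          ct.toString("base64")].join(".");
}

// Decrypt in memory for a single call. Every failure surfaces as one generic
// error so key material and plaintext never end up in logs or error text.
function decryptCredential(key, record, context) {
  try {
    const [version, ivB64, tagB64, ctB64] = String(record).split(".");
    if (version !== "v1" || ctB64 === undefined) throw new Error("format");
    const tag = Buffer.from(tagB64, "base64");
    if (tag.length !== 16) throw new Error("tag"); // reject truncated tags
    const decipher = crypto.createDecipheriv(
      "aes-256-gcm", key, Buffer.from(ivB64, "base64"), { authTagLength: 16 });
    decipher.setAAD(Buffer.from(context, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")),
                          decipher.final()]).toString("utf8");
  } catch {
    throw new Error("credential decryption failed");
  }
}
```

A database dump holds only the `v1...` record; without the key from the environment it cannot be decrypted, and any modified record is rejected rather than returned.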

The practical payoff shows up on the pricing page. Here's what the same integrations cost when the tool owns the keys versus when you do:

Feature            OSForms (BYOK)   Formspree   FormBold
Email forwarding   Free             $15/mo      $9/mo
Google Sheets      Free             $15/mo      $9/mo
Webhooks           Free             $9/mo       $9/mo
Open source        Yes              No          No
Self-hostable      Yes              No          No

Every paid integration above is executed with credentials you supply. The charge is for an API call to a service you already pay for. For a hands-on example, see how to send form email notifications with Resend on your own key, and the docs cover self-hosting if you want to own the whole stack.

Where Else BYOK Matters

The form backend is just one instance of a pattern worth demanding wherever your data and credentials are involved:

  • AI features. Tools that run on your own OpenAI or Anthropic key, so inference cost and prompt data stay on your account, not the vendor's.
  • Email and messaging. Resend, Postmark, Twilio: bring the key, pay the provider, skip the per-message markup.
  • Analytics and storage. Pipe events and files into infrastructure you control rather than a silo you rent.

The test is simple. If a tool charges you for something that runs on a credential you provide, ask why. BYOK isn't a novel idea; infrastructure tooling has worked this way for years. It's just honest, and it's worth choosing the tools that do it.

OSForms is built entirely on this model. The integrations are free because they cost us nothing to run (you bring the key, you bear the provider cost), and the code is open source so you can verify every word of that.

Try it free, no card required: osforms.com/signup.

Frequently Asked Questions

01

What integrations does OSForms support?

Resend (email notifications), Google Sheets (row append on each submission), and custom webhooks with HMAC-SHA256 signatures. All three run on your credentials and are free.

02

How does OSForms make money without charging for integrations?

Submission volume. Integrations are never gated; only the volume of submissions is limited on the free tier.

03

Can I self-host OSForms?

Yes. Clone the repo, point it at your own MongoDB, set your environment variables, and deploy anywhere. Nothing in the codebase requires the hosted version.

04

How is the credential encryption key managed?

It lives in the ENCRYPTION_KEY environment variable: 64 hex characters (32 bytes). You generate it; the OSForms team never sees it. In self-hosted deployments it is entirely yours.

05

What happens if I delete my OSForms account?

All submissions and encrypted credentials are deleted. Data is stored as standard JSON so you can export at any time before deletion.

06

How is BYOK different from building my own serverless function?

A serverless function handles one integration with no storage or dashboard. OSForms handles storage, integration logs, spam protection, and a submissions dashboard. You just change your form action attribute.
