API Key Management
Mesachat uses a flexible, scope-based API key system for AI provider access.
Key Types
| Type | Description |
|---|---|
| Global | Platform-provided keys shared across the platform |
| BYOK | Bring Your Own Key — your personal API keys |
Supported Providers
- OpenAI
- Anthropic
- Google (Gemini)
Adding Your Own Key (BYOK)
1. Go to Settings → API Keys
2. Click Add Key
3. Select the provider
4. Paste your API key
5. Choose the scope (Tenant, Bot Group, or Bot)
6. Click Save
Your key is encrypted with AES-256-GCM before storage.
Key Resolution Order
When Mesachat needs an API key, it checks scopes from most specific to least specific:
Bot BYOK → Bot Global → Tenant BYOK → Tenant Global
If your bot has a BYOK key, that's used first. Otherwise, it falls back through the hierarchy.
Key Validation
Mesachat periodically validates stored keys:
- Active — Key is valid and working
- Invalid — Key failed validation (check provider dashboard)
- Expired — Key has passed its expiration date
Security
- Keys are encrypted at rest using AES-256-GCM
- Key hashes (SHA-256) are stored for identification without exposing the key
- Keys are never exposed in API responses — only the last 4 characters are shown
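
The resolution order and the response-masking rules above, sketched as an added example (not Mesachat's own code). The `StoredKey` record, the function names and the sample keys are hypothetical, and skipping keys that are not Active is an assumption; Bot Group is left out because the documented order does not list it.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Resolution order as documented: most specific scope first.
RESOLUTION_ORDER = [("bot", "byok"), ("bot", "global"),
                    ("tenant", "byok"), ("tenant", "global")]

@dataclass(frozen=True)
class StoredKey:            # hypothetical record shape, not Mesachat's schema
    provider: str
    scope: str              # "bot" or "tenant"
    key_type: str           # "byok" or "global"
    secret: str             # plaintext exists only in memory, after decryption
    status: str = "active"  # "active", "invalid" or "expired"

def fingerprint(secret: str) -> str:
    """SHA-256 hex digest that identifies a key without revealing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

def public_view(key: StoredKey) -> dict:
    """Fields an API response may carry: last 4 characters and hash, never the secret."""
    return {"provider": key.provider, "scope": key.scope, "type": key.key_type,
            "status": key.status, "last4": key.secret[-4:],
            "sha256": fingerprint(key.secret)}

def resolve(keys: list, provider: str) -> Optional[StoredKey]:
    """Return the first usable key for `provider`, walking RESOLUTION_ORDER.
    Assumption: a key whose status is not "active" is skipped and the next
    scope is tried; the page does not state this."""
    for scope, key_type in RESOLUTION_ORDER:
        for k in keys:
            if ((k.provider, k.scope, k.key_type) == (provider, scope, key_type)
                    and k.status == "active"):
                return k
    return None

# Constructed sample keys (fake values, for illustration only).
SAMPLE = [
    StoredKey("openai", "tenant", "global", "sk-constructed-tenant-global-0001"),
    StoredKey("openai", "tenant", "byok", "sk-constructed-tenant-byok-0002"),
    StoredKey("openai", "bot", "byok", "sk-constructed-bot-byok-0003", status="expired"),
]

if __name__ == "__main__":
    print(public_view(resolve(SAMPLE, "openai")))
```

With the sample data the expired Bot BYOK key is passed over, no Bot Global key exists, and the Tenant BYOK key is selected ahead of Tenant Global.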