← Back to legal
Legal

BYOK posture

Effective: 2026-06-12 Last updated: 2026-06-12

Several Klyna tools talk to AI providers (OpenRouter, Groq, Gemini, Cloudflare Workers AI, Ollama) or other paid APIs. You bring your own key. This page describes exactly what happens to that key.

1. The key lives on your infrastructure, not ours

  • WordPress: stored in the klyna_settings option in your site's database, encrypted with sodium_crypto_secretbox keyed off your AUTH_KEY constant from wp-config.php.
  • Shopify: stored in a shop metafield, encrypted with a key derived from your shop's API secret.
  • Browser extension: stored in chrome.storage.local, scoped to the extension origin.

2. The key is never proxied through klyna.dev

When a Klyna tool calls a third-party API, the request goes directly from your server (or your browser) to the provider. klyna.dev is not in the path. We do not see the request, the response, the prompt, or the completion.

3. The key is never logged

The key is not written to PHP error logs, Shopify app logs, or browser console output. REST endpoints that read settings strip the key field before returning the payload. Frontend admin screens show sk-***************abcd rather than the full key.

4. The key is never returned in API responses

The klyna/v1/settings WP REST endpoint and the equivalent Shopify endpoint omit BYOK fields on read. The only way to retrieve the plaintext key is to read the database directly with the encryption key in hand — which means you, on your server.

5. The key is never used for anything you did not ask for

Klyna only calls a provider when you trigger an action that needs it (running an AI suggestion, generating schema, etc.). There are no background calls, no telemetry calls, no "warm-up" calls.

6. Rotating and revoking

You can change the key at any time in the plugin/app settings. To revoke completely, delete it from the settings screen and rotate the key on the provider's dashboard. There is no server-side copy for us to delete on our end.

7. Your provider's terms still apply

BYOK means you are the customer of OpenRouter / Groq / Gemini / Cloudflare / Ollama — not us. Their data-handling, training opt-out, and pricing terms are between you and them. We do not receive a share, a referral fee, or a marketing kickback from your usage.

Questions? Email hello@klyna.dev. Security reports go to security@klyna.dev.