GuidesUsing BYOK AI Keys Safely on Mobile
BYOK Providers

Using BYOK AI Keys Safely on Mobile

May 26, 2026
6 min read
Authored by Phos Team

Short version

Bring-your-own-key mode is useful when you want stronger online models without the app company paying for or proxying hosted inference. It is not the same as local mode: prompts go to the provider attached to your key.

What Phos stores

Phos stores provider profile metadata locally and keeps raw provider keys in secure device storage. The app should not put raw keys in local chat rows, diagnostics, screenshots, or public logs.

The key belongs to you. You can remove the provider profile and clear the key from the app.

What leaves the device

When BYOK mode is active, the selected prompt, relevant recent chat context, and any user-approved memory context needed for the request are sent to the provider endpoint.

Private attachments are included only when the active provider and model support that media type and the user selected it.

Safer setup habits

HabitWhy it helps
Create a separate mobile API keyEasier to revoke if your phone is lost.
Set provider spending limitsPrevents surprise usage costs.
Use local mode for sensitive thoughtsKeeps prompts on the device when the local model is enough.
Remove unused providersReduces stale key exposure.
Check provider privacy termsBYOK still uses that provider's service.

Why BYOK belongs in a private assistant

Local models are useful, but phones have limits. BYOK gives users a way to use stronger models while keeping billing and provider choice under their control.

The honest product design is simple: local when privacy matters most, BYOK when model strength matters more, and a visible boundary before anything leaves the phone.

FAQ

What does BYOK mean in an AI app?

BYOK means bring your own key. You connect your own provider API key so the app can call that provider without the app company paying for or proxying hosted inference.

Is BYOK private?

BYOK can be more user-controlled than company-hosted inference, but prompts still go to the provider connected to your key. Provider terms and retention behavior still matter.

Start with a private setup

Phos can run locally, connect to your own server, or use your own provider key when you choose.