Show HN: Byok-relay – self-hosted proxy for BYOK LLM apps without CORS issues
byok-relay is a minimal self-hosted proxy server designed to help developers build Bring Your Own Key (BYOK) AI web applications without encountering CORS issues or exposing API keys in the browser. It allows users to register their own API keys, which are stored encrypted on the server and used to proxy requests to AI providers without ever being returned to the client. The system supports multiple AI providers and enables full streaming of responses while maintaining security and user control.
- byok-relay enables secure, self-hosted proxying for AI API requests, solving CORS issues and preventing exposure of API keys in frontend code.
- User API keys are encrypted at rest using AES-256-GCM and are transmitted only once during registration, never being returned by the server.
- The relay supports multiple AI providers including Anthropic, OpenAI, Google, Groq, OpenRouter, Mistral, and any OpenAI-compatible endpoint.
- Authentication uses a token-based system where the browser stores a relay token, not the actual API key, limiting exposure and enhancing security.
- Rate limiting is implemented with constraints of 100 requests per minute globally, 20 AI requests per minute per token, and 10 user registrations per hour.
Opening excerpt from the README:
byok-relay

A minimal self-hosted relay server for Bring Your Own Key (BYOK) AI web applications.

The problem

Browser apps can't call AI APIs directly:
- api.anthropic.com, api.openai.com, and most AI providers block browser requests via CORS
- Putting API keys in frontend code exposes them to every user

The common workaround — a backend proxy — means the app developer holds the keys. That's a trust problem. Users have to trust you not to misuse or leak their keys.

byok-relay solves this differently: users bring their own keys, the relay stores them encrypted on your server, and proxies requests without ever returning the key. The user's key travels over the wire exactly once — when they register it.
…