Documentation
Bring your own LLM
Use your own API key (OpenAI or Gemini) for the copilot, Trust Q&A, and document generation.
Last updated May 13, 2026
On Scale and above, you can point Attestly at your own LLM provider instead of using the platform keys. We support OpenAI-compatible endpoints as well as direct integration with Google's Gemini. This is the right fit for tenants who:
- Already have an Enterprise contract (OpenAI or Google Cloud) and want their data to flow through that contract (zero-retention, no training).
- Want to use a regional Azure OpenAI deployment for data-residency reasons.
- Run an internal LLM gateway (Portkey, OpenRouter, LiteLLM) and want Attestly to honour their internal routing/billing.
Enabling it
- Go to Dashboard → Settings → AI provider.
- Select your provider (OpenAI or Gemini) and paste your API key (and base URL, if using a custom OpenAI endpoint).
- We perform a quick health check against the provided endpoint to validate the credentials before persistence.
- The key is encrypted with AES-256-GCM before being written to the database. Decryption only happens inside the server-only AI client at request time. The dashboard never displays the plaintext value back to you.
What it controls
| Surface | Honors BYO-LLM? |
|---|---|
| Compliance copilot (dashboard pane, expert mode, tool-calling) | Yes — see Compliance copilot |
| Trust Center Q&A widget (public) | Yes |
| Document generation (every regenerate, every drift retry) | Yes — threaded via tenant context through generateStructured |
Background workers (Inngest doc/generate) | Yes |
| Public trust-center rendering | N/A (deterministic) |
What we don't do
- We do not call out to your provider for any non-tenant work (e.g. marketing pages, help articles, anonymised metrics).
- We do not try to run our own scanner with your key. The scanner is deterministic; LLM calls are reserved for document generation and the assistant.
- We do not retry against the platform key if your provider returns an error (like a 401 Unauthorized or 429 Rate Limit). You'll get a clear error in the dashboard, and the audit log records the failure.
Compatible providers
We officially support direct API keys for OpenAI and Google Gemini. Additionally, anything that implements OpenAI's POST /v1/chat/completions and GET /v1/models should work as a custom endpoint. Confirmed configurations:
| Provider | baseURL |
|---|---|
| OpenAI | leave blank (https://api.openai.com/v1) |
| Google Gemini | (Native support, no base URL required) |
| Azure OpenAI | https://<resource>.openai.azure.com/openai/deployments/<deployment> |
| OpenRouter | https://openrouter.ai/api/v1 |
| Portkey | https://api.portkey.ai/v1 |
| LiteLLM (self-hosted) | your gateway URL |
Disconnecting
Settings → AI provider → Disconnect removes the key from the database and reverts to the platform key on the next request. The audit log records both the connect and the disconnect.