
Overview

Tesslate Studio provides encrypted storage for API keys, environment variables, and other sensitive data your projects need. Keys are encrypted at rest using Fernet symmetric encryption, decrypted only when needed for API calls, and never exposed in logs or exports.

Encrypted Storage

All keys encrypted with Fernet symmetric encryption at rest

Per-Project Scoping

Set different keys for different projects, with user-level defaults as fallback

BYOK Support

Bring Your Own Key for AI models on Pro and Ultra tiers

CSRF Protection

State-changing requests are protected by CSRF tokens

Types of Secrets

AI Provider Keys, used for AI model access (BYOK). Supported providers:
  • OpenAI: GPT-4, GPT-3.5 Turbo (provider key: openai)
  • Anthropic: Claude 3 Opus, Sonnet, Haiku (provider key: anthropic)
  • OpenRouter: 100+ models via unified API (provider key: openrouter)
  • Google: Gemini Pro (provider key: google)
When you add your own API key, requests for that provider route through your key instead of platform credits. This is called BYOK (Bring Your Own Key), available on Pro and Ultra tiers.

Managing AI Provider Keys

Adding Your Keys

  1. Open Settings: click your profile icon, then Settings. Navigate to the API Keys section.
  2. Select Provider: choose from OpenAI, Anthropic, OpenRouter, Google, or GitHub.
  3. Enter Your Key: paste your API key from the provider’s dashboard. You can optionally give it a friendly name (e.g., “Production Key”).
  4. Save: click Save. The key is encrypted using Fernet encryption and stored in the UserAPIKey table. The raw key is never stored in plaintext.
  5. Verify: test by using an AI agent. If you have a valid key for the model’s provider, requests will use your key (BYOK) and cost zero platform credits.

How BYOK Detection Works

When you send a message to an AI agent, the credit system checks if the selected model uses a BYOK provider:
  1. The is_byok_model(model_name) function checks against the BUILTIN_PROVIDERS list
  2. If the model provider matches one of your stored API keys, it is treated as BYOK
  3. BYOK requests cost $0 in platform credits (a UsageLog entry is still created with is_byok=True for analytics)
  4. Adding a new provider to BUILTIN_PROVIDERS automatically makes it recognized as BYOK
BYOK is available on Pro and Ultra subscription tiers. Free and Basic tiers use platform credits for all AI requests.
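The decision described above, written out as an added example (this is not Tesslate's own code). It assumes a model name is either "provider/model" or a bare name that can be mapped by prefix, and that the tier names are "pro" and "ultra"; the function and field names are illustrative, only BUILTIN_PROVIDERS, is_byok_model, UsageLog and is_byok come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set

# Providers the page lists as built in. Adding a provider here is what makes
# its models eligible for BYOK routing (step 4 above).
BUILTIN_PROVIDERS = ["openai", "anthropic", "openrouter", "google"]

# Tiers on which BYOK is available, per the page.
BYOK_TIERS = {"pro", "ultra"}

# Assumed naming scheme: "<provider>/<model>" (OpenRouter style) or a bare
# model name resolved by prefix. Illustration only.
_BARE_PREFIXES = {"gpt-": "openai", "claude-": "anthropic", "gemini-": "google"}


def provider_of(model_name: str) -> Optional[str]:
    """Resolve the provider identifier a model name belongs to, or None."""
    name = model_name.strip().lower()
    if "/" in name:
        return name.split("/", 1)[0]
    for prefix, provider in _BARE_PREFIXES.items():
        if name.startswith(prefix):
            return provider
    return None


def is_byok_model(model_name: str) -> bool:
    """Step 1: does the model belong to a provider in BUILTIN_PROVIDERS?"""
    return provider_of(model_name) in BUILTIN_PROVIDERS


@dataclass
class UsageLog:
    """One analytics row per request; written even when nothing is charged."""
    user_id: str
    model: str
    provider: Optional[str]
    credits_charged: int
    is_byok: bool
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def charge_for_request(
    user_id: str,
    model_name: str,
    tier: str,
    user_key_providers: Set[str],
    list_price_credits: int,
) -> UsageLog:
    """Steps 2 and 3: a request is BYOK only when the tier allows it, the model's
    provider is built in, and the user has stored a key for that provider.
    user_key_providers is the set of provider ids the user has active keys for."""
    provider = provider_of(model_name)
    byok = (
        tier.lower() in BYOK_TIERS
        and is_byok_model(model_name)
        and provider in user_key_providers
    )
    charged = 0 if byok else list_price_credits
    return UsageLog(user_id, model_name, provider, charged, byok)


if __name__ == "__main__":
    print(charge_for_request("u1", "anthropic/claude-3-haiku", "pro", {"anthropic"}, 12))
    print(charge_for_request("u1", "anthropic/claude-3-haiku", "free", {"anthropic"}, 12))
```

The tier check comes first on purpose: a Free-tier user who stores a key must still be billed in platform credits, so the key's presence alone never zeroes the charge.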

Getting API Keys

OpenAI

  1. Go to platform.openai.com
  2. Sign up or log in
  3. Navigate to API Keys
  4. Click Create new secret key
  5. Copy the key immediately (it is shown only once)
Models available: GPT-4, GPT-4 Turbo, GPT-3.5 Turbo

Anthropic

  1. Go to console.anthropic.com
  2. Sign up or log in
  3. Navigate to API Keys
  4. Click Create Key
  5. Copy the key immediately
Models available: Claude 3 Opus, Claude 3 Sonnet, Claude 3 Haiku

OpenRouter

  1. Go to openrouter.ai
  2. Sign up and go to Keys
  3. Generate an API key
  4. Copy the key
Models available: 100+ models including OpenAI, Anthropic, Qwen, DeepSeek, Mistral, Gemini, and open-source models

Google

  1. Go to aistudio.google.dev
  2. Sign in with your Google account
  3. Navigate to API keys
  4. Create and copy your key
Models available: Gemini Pro
API keys are like passwords. Never share them publicly, commit them to Git, or paste them in chat messages.

The Secrets API

Tesslate provides a dedicated Secrets API for managing your keys programmatically:
Endpoint | Method | Description
/api/secrets/api-keys | GET | List all your API keys (values hidden)
/api/secrets/api-keys | POST | Add a new API key
/api/secrets/api-keys/{id} | PUT | Update an existing key
/api/secrets/api-keys/{id} | DELETE | Remove a key
/api/secrets/api-keys/{id}?reveal=true | GET | Reveal the decrypted key value
/api/secrets/providers | GET | List supported providers
The reveal=true variant is the one endpoint that returns a decrypted value, so anything able to call it with your credentials effectively holds the key.

Key Storage Model

Each API key is stored in the UserAPIKey table:
Field | Description
provider | Provider identifier: openrouter, anthropic, openai, google, github
auth_type | Type of credential: api_key, oauth_token, bearer_token, personal_access_token
key_name | Optional user-friendly label
encrypted_value | The actual key, encrypted with Fernet
is_active | Whether the key is currently in use
last_used_at | Timestamp of last usage

Authentication and CSRF Protection

Tesslate uses a dual authentication system with CSRF protection for cookie-based sessions.

Authentication Methods

JWT (email/password login) is the primary authentication method. After login, a JWT is stored in localStorage and sent as a Bearer token in the Authorization header on every request. Browsers never attach this header on their own, so a forged cross-site request cannot carry it; the trade-off is that any script running on the page origin can read localStorage, so the token is only as safe as the frontend is from script injection.
Cookie-based sessions (OAuth login) rely on a session cookie, which the browser does send automatically on cross-site requests; these sessions are the ones that need the CSRF protection described below.
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

CSRF Token Flow

For cookie-based authentication, Tesslate includes CSRF (Cross-Site Request Forgery) protection:
  1. Token Fetch: on app load, the frontend calls GET /api/auth/csrf to obtain a CSRF token. The token is stored in memory (not localStorage).
  2. Automatic Injection: for all state-changing requests (POST, PUT, DELETE, PATCH), the Axios interceptor automatically adds the X-CSRF-Token header when using cookie-based auth (no Bearer token present).
  3. Server Validation: the CSRFProtectionMiddleware on the backend validates the token for all non-safe HTTP methods.
  4. Automatic Retry: if a 403 response includes a CSRF error, the frontend automatically re-fetches the CSRF token and retries the request once.
CSRF tokens are only required for cookie-based OAuth sessions. If you use JWT (email/password login), the Bearer token in the Authorization header provides equivalent protection, because an attacker’s page cannot make the browser add that header to a forged request.
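Both sides of that flow, as an added example that is not Tesslate's own middleware or Axios interceptor. It assumes one random token per cookie session held in server memory, a cookie named "session", and that a CSRF rejection is a 403 whose "detail" field mentions CSRF; the class and method names are illustrative. The Server class stands in for the HTTP layer so the exchange runs offline.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_HEADER = "x-csrf-token"


class CSRFProtection:
    """Server side. Assumed design: one token per cookie session, in memory."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        """GET /api/auth/csrf: return the session's token, minting one if absent."""
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def rotate(self, session_id: str) -> str:
        """Invalidate the old token (e.g. after re-login); cached copies now fail."""
        self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def check(self, method: str, headers: Dict[str, str], cookies: Dict[str, str]) -> Tuple[int, str]:
        """Step 3: allow safe methods and Bearer-authenticated requests through;
        otherwise require a header token matching the session's token."""
        h = {k.lower(): v for k, v in headers.items()}
        if method.upper() in SAFE_METHODS:
            return 200, "safe method, no CSRF check"
        if h.get("authorization", "").startswith("Bearer "):
            return 200, "bearer auth, CSRF not applicable"
        session_id = cookies.get("session")
        expected = self._tokens.get(session_id) if session_id else None
        provided = h.get(CSRF_HEADER, "")
        # compare_digest: constant-time, so a token cannot be guessed byte by byte
        if expected is None or not provided.isascii() or not hmac.compare_digest(expected, provided):
            return 403, "CSRF token missing or invalid"
        return 200, "CSRF token ok"


class Server:
    """Minimal stand-in for the backend routing, counting requests for the demo."""

    def __init__(self) -> None:
        self.csrf = CSRFProtection()
        self.hits = 0

    def handle(self, method: str, path: str, headers: Dict[str, str], cookies: Dict[str, str]):
        self.hits += 1
        if method == "GET" and path == "/api/auth/csrf":
            sid = cookies.get("session")
            if not sid:
                return 401, {"detail": "no session"}
            return 200, {"csrf_token": self.csrf.issue(sid)}
        status, reason = self.csrf.check(method, headers, cookies)
        if status != 200:
            return status, {"detail": reason}
        return 200, {"ok": True, "path": path}


class FrontendClient:
    """Mirrors the interceptor: token kept in memory, injected on unsafe methods
    in cookie mode, and one retry after a CSRF 403."""

    def __init__(self, server: Server, session_cookie: Optional[str] = None, bearer: Optional[str] = None):
        self.server = server
        self.cookies = {"session": session_cookie} if session_cookie else {}
        self.bearer = bearer
        self._csrf: Optional[str] = None  # memory only, never localStorage

    def _fetch_csrf(self) -> None:
        status, body = self.server.handle("GET", "/api/auth/csrf", {}, self.cookies)
        self._csrf = body.get("csrf_token") if status == 200 else None

    def request(self, method: str, path: str, _retried: bool = False):
        headers: Dict[str, str] = {}
        if self.bearer:
            headers["Authorization"] = f"Bearer {self.bearer}"
        elif method.upper() not in SAFE_METHODS:
            if self._csrf is None:
                self._fetch_csrf()
            if self._csrf:
                headers["X-CSRF-Token"] = self._csrf
        status, body = self.server.handle(method, path, headers, self.cookies)
        if status == 403 and "CSRF" in body.get("detail", "") and not _retried:
            self._fetch_csrf()  # step 4: refresh once, then give up
            return self.request(method, path, _retried=True)
        return status, body


if __name__ == "__main__":
    srv = Server()
    client = FrontendClient(srv, session_cookie="s1")
    print(client.request("POST", "/api/secrets/api-keys"))
    srv.csrf.rotate("s1")  # client's cached token is now stale
    print(client.request("DELETE", "/api/secrets/api-keys/7"), "after", srv.hits, "requests")
```

The forged-request case is the one to keep in mind: a cross-site form post arrives with the session cookie but without X-CSRF-Token, so check() returns 403, while a real Tesslate page sends both and passes.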

Project Environment Variables

Adding Variables

  1. Open Project Settings: in your project, click the Settings icon.
  2. Go to Environment: navigate to the Environment Variables tab.
  3. Add Variable: click Add New Variable.
  4. Enter Details: provide a variable name (e.g., STRIPE_KEY) and its value.
  5. Save and Restart: click Save. Restart the dev server to apply changes.

Using in Code

// Client-side (must use VITE_ prefix)
const apiUrl = import.meta.env.VITE_API_URL

// Server-side (no prefix needed)
const dbUrl = process.env.DATABASE_URL
Never use the VITE_ prefix for secret keys. This exposes them to client-side JavaScript where anyone can read them in the browser.

Naming Conventions

Client-Side Variables

VITE_ prefix required
  • VITE_API_URL
  • VITE_STRIPE_PUBLIC_KEY
  • VITE_FIREBASE_API_KEY
  • Accessible in the browser

Server-Side Variables

No prefix needed
  • DATABASE_URL
  • STRIPE_SECRET_KEY
  • JWT_SECRET
  • Backend and API routes only
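A check for the mistake the warning above describes, added here as an example rather than anything Tesslate ships: it parses a .env-style file and flags VITE_-prefixed variables whose name or value looks like a secret. The name and value patterns are assumed heuristics (a few well-known key prefixes), and the sample file is constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

CLIENT_PREFIX = "VITE_"

# Assumed heuristics, tune for your providers. Names with these words are
# usually server-only; names with PUBLIC/PUBLISHABLE/URL are meant for browsers.
SECRET_NAME_WORDS = re.compile(r"(SECRET|PRIVATE|PASSWORD|TOKEN|DATABASE_URL|JWT)", re.I)
PUBLIC_NAME_WORDS = re.compile(r"(PUBLIC|PUBLISHABLE|URL|CLIENT_ID)", re.I)
# Value shapes of common secret formats (OpenAI/Anthropic, Stripe secret,
# GitHub tokens, Slack tokens, AWS access key ids).
SECRET_VALUE_SHAPES = re.compile(r"^(sk-|sk_(live|test)_|ghp_|gho_|xox[abp]-|AKIA[0-9A-Z]{16})")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; ignores comments, blank lines and an 'export ' prefix,
    and strips one pair of matching quotes around the value."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def classify(name: str) -> str:
    """'client' variables are bundled into browser JavaScript by Vite."""
    return "client" if name.startswith(CLIENT_PREFIX) else "server"


def audit_env(text: str) -> List[Tuple[str, str]]:
    """Return (name, reason) for every client-exposed variable that looks secret."""
    findings: List[Tuple[str, str]] = []
    for name, value in parse_dotenv(text).items():
        if classify(name) != "client":
            continue
        if SECRET_VALUE_SHAPES.match(value):
            findings.append((name, "value matches a known secret-key format"))
        elif SECRET_NAME_WORDS.search(name) and not PUBLIC_NAME_WORDS.search(name):
            findings.append((name, "name suggests a secret"))
    return findings


# Constructed sample file for the demo; none of these values are real.
SAMPLE_ENV = """
# frontend
VITE_API_URL=https://api.example.test
VITE_STRIPE_PUBLIC_KEY=pk_test_example
VITE_FIREBASE_API_KEY="AIzaExampleOnly"
VITE_OPENAI_KEY=sk-example-not-a-real-key
VITE_JWT_SECRET=change-me
# backend
export DATABASE_URL=postgres://app:pw@db/app
STRIPE_SECRET_KEY=sk_test_example
"""

if __name__ == "__main__":
    for name, reason in audit_env(SAMPLE_ENV):
        print(f"{name}: {reason}")
```

Run it as a pre-commit step or in CI against every .env file the project keeps; a hit means the value will ship in the browser bundle and must be moved to an unprefixed server-side variable, and, if it was already committed, rotated.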

Credential Scoping: User vs Project

Deployment credentials support two scoping levels:
  • User-level (project_id is NULL): the credential serves as your default for all projects. For example, your Vercel account token applies to any project you deploy unless overridden.
  • Project-level (project_id set): the credential applies only to that project and takes precedence over your user-level default.

Security Best Practices

  • Do not put keys in code files
  • Always use environment variables
  • Add .env to .gitignore
  • Commit only .env.example with placeholder values
  • Change API keys periodically
  • Rotate immediately if a team member leaves
  • Update keys if potentially exposed
  • Use different keys per environment (dev, staging, production)
  • Use read-only keys when possible
  • Restrict API key scopes to the minimum required
  • Set usage limits on provider dashboards
  • Monitor usage for unexpected spikes
All credentials use Fernet symmetric encryption:
  • Encryption key stored in the ENCRYPTION_KEY environment variable on the server
  • Keys are decrypted only at the moment of use (during API calls)
  • Decrypted values are never logged or cached
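The storage model and the encrypt-at-rest, decrypt-at-use rules above, as an added example using the cryptography package's Fernet (this is not Tesslate's own storage code). It assumes ENCRYPTION_KEY holds a key as produced by Fernet.generate_key(), adds a project_id column to model the per-project scoping with user-level fallback, and uses an in-memory list where the real system has a database table; SecretStore and its method names are illustrative.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

from cryptography.fernet import Fernet, InvalidToken


def load_cipher() -> Fernet:
    """Cipher from ENCRYPTION_KEY; a fresh key is generated only for this demo."""
    key = os.environ.get("ENCRYPTION_KEY") or Fernet.generate_key()
    return Fernet(key)


@dataclass(repr=False)
class UserAPIKey:
    id: int
    user_id: str
    provider: str
    auth_type: str
    key_name: Optional[str]
    encrypted_value: bytes
    is_active: bool = True
    last_used_at: Optional[datetime] = None
    project_id: Optional[str] = None  # assumed: None means user-level default

    def __repr__(self) -> str:
        # Redacted on purpose so a stray log line or traceback never shows the key.
        return f"UserAPIKey(id={self.id}, provider={self.provider!r}, key_name={self.key_name!r}, value=<redacted>)"


class SecretStore:
    def __init__(self, cipher: Fernet) -> None:
        self._cipher = cipher
        self._rows: List[UserAPIKey] = []
        self._next_id = 1

    def add_key(self, user_id: str, provider: str, raw_value: str, key_name: Optional[str] = None,
                auth_type: str = "api_key", project_id: Optional[str] = None) -> int:
        """POST /api/secrets/api-keys: trim pasted whitespace (a common cause of
        provider auth errors), reject embedded newlines, store only ciphertext."""
        value = raw_value.strip()
        if not value or "\n" in value or "\r" in value:
            raise ValueError("API key is empty or contains a line break")
        row = UserAPIKey(self._next_id, user_id, provider, auth_type, key_name,
                         self._cipher.encrypt(value.encode()), project_id=project_id)
        self._next_id += 1
        self._rows.append(row)
        return row.id

    def get(self, key_id: int) -> Optional[UserAPIKey]:
        return next((r for r in self._rows if r.id == key_id), None)

    def list_keys(self, user_id: str) -> List[dict]:
        """GET /api/secrets/api-keys: metadata only, values hidden."""
        return [{"id": r.id, "provider": r.provider, "key_name": r.key_name,
                 "is_active": r.is_active, "project_id": r.project_id}
                for r in self._rows if r.user_id == user_id]

    def use_key(self, user_id: str, provider: str, project_id: Optional[str] = None) -> Optional[str]:
        """Decrypt at the moment of use: project-scoped key first, then the
        user-level default. Returns None when the user has no key for the provider."""
        candidates = [r for r in self._rows
                      if r.user_id == user_id and r.provider == provider and r.is_active]
        chosen = None
        if project_id is not None:
            chosen = next((r for r in candidates if r.project_id == project_id), None)
        if chosen is None:
            chosen = next((r for r in candidates if r.project_id is None), None)
        if chosen is None:
            return None
        chosen.last_used_at = datetime.now(timezone.utc)
        return self._cipher.decrypt(chosen.encrypted_value).decode()

    def decryptable_with(self, cipher: Fernet) -> bool:
        """Rotation check: rows written under one ENCRYPTION_KEY cannot be read
        with another, so rotate the server key only with a re-encryption pass."""
        try:
            for r in self._rows:
                cipher.decrypt(r.encrypted_value)
            return True
        except InvalidToken:
            return False


if __name__ == "__main__":
    store = SecretStore(load_cipher())
    store.add_key("u1", "openai", "  sk-demo-default \n", key_name="Default")
    store.add_key("u1", "openai", "sk-demo-project", project_id="proj-42")
    print(store.list_keys("u1"))
    print(store.use_key("u1", "openai", project_id="proj-42"))
```

Keep the decrypted string local to the call that performs the provider request; the store hands back plaintext only from use_key, and the row objects themselves redact it, which is what makes "never logged or cached" hold in practice.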

Troubleshooting

Problem: Cannot access an environment variable in code
Solutions:
  • Check the variable name spelling
  • Ensure the VITE_ prefix is present for client-side access
  • Restart the development server after changes
  • Verify the variable is saved in project settings
Problem: API key returns authentication errors
Solutions:
  • Verify the key is correct with no extra spaces or newlines
  • Check the key has not expired
  • Ensure you have sufficient credits with the provider
  • Verify the key has the correct scopes and permissions
  • Try regenerating the key from the provider dashboard
Problem: Receiving 403 errors with CSRF messages
Solutions:
  • The app automatically retries once after re-fetching the token
  • If persistent, try refreshing the page to get a new CSRF token
  • Clear cookies and log in again
  • Verify you are not making cross-origin requests without proper CORS headers
Problem: API keys pushed to a Git repository
Solutions:
  • Immediately rotate all exposed keys with the provider; treat the key as compromised even after the history rewrite below, since clones, forks and CI caches may still hold it
  • Remove the secrets from Git history using git filter-repo (the maintained replacement for git filter-branch) or BFG Repo Cleaner, then force-push
  • Add .env to .gitignore
  • Consider using the git-secrets tool to prevent future leaks

Next Steps

Model Management

Configure AI models and understand BYOK routing

External Deployments

Set up deployment credentials for Vercel, Netlify, and Cloudflare

Billing

Understand how BYOK affects your credit usage

GitHub Integration

Keep secrets out of your Git repositories