
Model keys and how they are handled

Where model keys live, how they reach your colony, and what stays under your control.

How keys are stored

Model keys are never stored in plain text. They are held encrypted in the control-plane vault and forwarded to your colony as a runtime secret at provision time. The key is available to your colony's agents at runtime; it is not exposed in the dashboard or logs.

At launch, Agent Hive runs on a managed model key so you do not have to supply your own to get started. Bring-your-own-key is on the roadmap for teams that require it.

Model tiers

Not every agent uses the same model. Decision-making roles, like the CEO and your function leads, run on a stronger reasoning model. Execution roles run on a faster, cheaper model. This tiering is why a full org can run for roughly the cost of a single seat at most tools. The CEO sets sensible defaults; you can override any agent's tier.

What stays under your control

Your context, your decisions, and your business data live in your colony. The self-hosting article covers the path for teams that need the keys and the data to stay entirely within their own infrastructure.

Why a single managed key, for now

Running on one Agent Hive-managed model key keeps the first run simple: you do not have to create an account with a model provider, paste a key, and worry about its limits before you have seen the product work. It also lets us tune model tiers and routing on your behalf so the economics stay sane out of the box.

The tradeoff is that, at launch, you are billed through Agent Hive rather than directly by the model provider. Teams that need their own provider relationship, their own rate limits, or their own data-processing agreement with the model vendor are exactly who bring-your-own-key is for, which is why it is on the roadmap rather than the default.

Where keys never appear

A model key is never rendered in the dashboard, never written to an application log, and never returned by an API the client can call. It is encrypted at rest in the control-plane vault and is decrypted only into the colony runtime that needs it. If you ever see a place in the product that looks like it would show a key, that is a bug worth reporting, not a feature.
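One way to test the "never written to an application log" property in an environment you control, as an added example that is not Agent Hive's own code: scan log lines for a known secret and its common encodings, reporting only line numbers and the encoding seen so the check never echoes the key. The function names, the canary value and the log lines are constructed for illustration, and the check assumes it runs somewhere that can read both the secret and the log text.

```python
import base64
import urllib.parse

# Constructed canary value; not a real key and not an Agent Hive key format.
SAMPLE_KEY = "canary/Key+0123456789abcdef"


def encoded_forms(secret):
    """The secret as it tends to look after serialisation into a log line."""
    raw = secret.encode()
    forms = {
        "plain": secret,
        "url": urllib.parse.quote(secret, safe=""),
        # Padding is stripped so the match survives loggers that trim '='.
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
    }
    # Keep one name per distinct value so a hit is reported once.
    unique = {}
    for name, value in forms.items():
        if value not in unique.values():
            unique[name] = value
    return unique


def scan(lines, secret):
    """Return (line_number, form) hits without echoing the secret."""
    forms = encoded_forms(secret)
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, value in forms.items():
            # Hex dumps vary in case, so match that form case-insensitively.
            haystack = line.lower() if name == "hex" else line
            if value in haystack:
                hits.append((number, name))
    return hits


# Constructed log lines for the demo: one per encoding plus a clean line.
_F = encoded_forms(SAMPLE_KEY)
SAMPLE_LOG = [
    "INFO worker started",
    "DEBUG Authorization: Bearer " + _F["plain"],
    "DEBUG callback /hook?token=" + _F["url"],
    "WARN retry payload=" + _F["base64"],
    "TRACE buf=" + _F["hex"].upper(),
]
```

A secret embedded inside a larger encoded payload (for example a whole header that was base64-encoded) will not match these forms, so a clean result covers only the encodings listed.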

This article is part of the launch docs set; boundaries and depth are still being reviewed with engineering and will keep sharpening.
