At a glance
How your LLM key is handled
In managed mode your LLM API key is envelope-encrypted at rest: a per-bot Data Encryption Key (AES-256-GCM) wraps the key itself, and a Key Encryption Key (KEK) held outside the database wraps the DEK. On each chat request the server unwraps the DEK, decrypts the key in memory, calls the provider, and discards the plaintext - a database-only leak reveals nothing usable. See BYO-key flow for the full detail. In self-hosted mode the chat runs in your ownprobot-bot runtime, so your LLM key lives in your runtime’s environment and never touches pro-bot.dev at all.