3 points by mumernisar 3 hours ago | 1 comment
  • mumernisar 3 hours ago
    Hey HN, OP here.

    I built Gateway to solve the security issues with "Bring Your Own Key" (BYOK) apps. Currently, users are trained to paste raw, high-privilege keys into third-party forms, which is poor hygiene and violates OpenAI's sharing policy.

    Gateway is a self-hosted middleware (fork and deploy, pull from Vercel) that keeps keys on your infrastructure.

    Mechanism: Uses a cryptographic Proof-of-Possession (PoP) flow. Apps get a short-lived pairing string, never the raw key.

    Controls: Enforces rate limits, quotas, and model restrictions (e.g., "only allow gpt-4o-mini") that provider dashboards don't offer per-app.

    Compatibility: Works with standard SDKs by swapping the baseURL.

    I’d appreciate feedback on the PoP implementation and the threat model.
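
The shape of the flow described in the post (provider key stays on the gateway, apps hold only a short-lived pairing string, per-app model allow-list and quota) can be sketched as an added example. This is illustrative code written for this page, not Gateway's own implementation: the pairing-string format, the HMAC-SHA256 proof-of-possession over method, path, timestamp, nonce and body hash, the `X-*` header names, the error labels, and a total-request quota are all assumptions chosen to make the checks concrete.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Constructed placeholder: the real provider key lives only inside the gateway process.
PROVIDER_KEY = "sk-PLACEHOLDER-provider-key"


@dataclass
class Pairing:
    app_id: str
    secret: bytes                  # handed to the app once, at pairing time
    expires_at: float              # short-lived; the app must re-pair afterwards
    allowed_models: frozenset      # e.g. only "gpt-4o-mini"
    quota: int                     # total requests this pairing may make (assumed policy)
    used: int = 0
    seen_nonces: set = field(default_factory=set)  # prune older than max_skew in production


def _canonical(method, path, ts, nonce, body):
    """Bytes the app signs and the gateway re-computes. Binding method, path,
    time, nonce and a hash of the exact body means none of them can be swapped
    in transit without invalidating the signature."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(pairing_string, method, path, body, ts, nonce):
    """Client side: prove possession of the pairing secret without ever sending it."""
    app_id, secret_hex = pairing_string.split(".", 1)
    msg = _canonical(method, path, ts, nonce, body)
    sig = hmac.new(bytes.fromhex(secret_hex), msg, hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Gateway:
    def __init__(self, max_skew=60):
        self.pairings = {}
        self.max_skew = max_skew   # seconds of clock drift tolerated on X-Timestamp

    def pair(self, app_id, allowed_models, quota, ttl=3600, now=None):
        """Issue the only credential an app ever holds: '<app_id>.<hex secret>'."""
        now = time.time() if now is None else now
        secret = secrets.token_bytes(32)
        self.pairings[app_id] = Pairing(app_id, secret, now + ttl, frozenset(allowed_models), quota)
        return f"{app_id}.{secret.hex()}"

    def handle(self, method, path, headers, body, now=None):
        """Return (status, reason, upstream_headers). Only a 200 carries the provider key."""
        now = time.time() if now is None else now
        p = self.pairings.get(headers.get("X-App-Id"))
        if p is None:
            return 401, "unknown_app", None
        if now > p.expires_at:
            return 401, "pairing_expired", None
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return 401, "bad_timestamp", None
        if abs(now - ts) > self.max_skew:
            return 401, "stale_timestamp", None
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return 401, "missing_nonce", None
        expected = hmac.new(p.secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        # Verify the signature before spending the nonce, so a forged request cannot
        # burn a nonce the legitimate app is about to use.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return 401, "bad_signature", None
        if nonce in p.seen_nonces:
            return 401, "replay", None
        p.seen_nonces.add(nonce)
        try:
            model = json.loads(body).get("model")
        except (ValueError, AttributeError):
            return 400, "bad_body", None
        if model not in p.allowed_models:
            return 403, "model_not_allowed", None
        if p.used >= p.quota:
            return 429, "quota_exceeded", None
        p.used += 1
        # The provider key is injected only here, on the gateway-to-provider hop.
        upstream = {"Authorization": f"Bearer {PROVIDER_KEY}", "Content-Type": "application/json"}
        return 200, "forwarded", upstream


if __name__ == "__main__":
    gw = Gateway()
    ps = gw.pair("demo-app", {"gpt-4o-mini"}, quota=2, now=1000.0)
    body = json.dumps({"model": "gpt-4o-mini", "messages": [{"role": "user", "content": "hi"}]})
    h = sign_request(ps, "POST", "/v1/chat/completions", body, ts=1010, nonce="n1")
    print(gw.handle("POST", "/v1/chat/completions", h, body, now=1010.0)[:2])  # first use
    print(gw.handle("POST", "/v1/chat/completions", h, body, now=1011.0)[:2])  # same nonce again
```

Order of checks matters: expiry and timestamp freshness are cheap and come first, the signature is verified before the nonce is recorded, and only a request that has proven possession is allowed to consume quota. Swapping an SDK's base URL to point at this gateway, as the post describes, is enough because the app-facing request shape is unchanged; the gateway merely refuses to forward anything that fails these checks.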