Trust infrastructure
BYOK security model
Nexus Gateway coordinates workflows. It does not resell inference, own token billing, or expose provider credentials to the client after save.
Encrypted provider keys
Provider keys are encrypted with AES-GCM using per-user derived key material. Only encrypted ciphertext, IV, algorithm version, and status metadata are stored.
Worker-only decryption
Keys are decrypted inside the Cloudflare runtime only when a user sends a provider request. They are never logged or returned through API responses.
Minimal data writes
The app records completion-time metadata for runs, comparisons, prompts, and usage. It does not write every streamed token or store provider billing data.
Stateless request handling
Every provider request derives auth, selected key, and routing context fresh. No mutable global user context is used.