Provider Routing
How Ragnerock secures and routes AI provider configurations for Bring Your Own AI.
Ragnerock’s Bring Your Own AI (BYOAI) feature lets you use your own AI provider API keys for all agent-powered features: the Research Agent, annotation operators, and workflow processing. All features work identically regardless of which provider you choose.
Supported Providers
Ragnerock supports the following AI providers:
| Provider | Models | Notes |
|---|---|---|
| Gemini | Gemini models | Ragnerock’s default provider, used when no custom configuration is set |
| OpenAI | GPT-4o and compatible models | |
| Anthropic | Claude models | |
| xAI | Grok models |
Any model that supports structured outputs, streaming, and tool calling is compatible with Ragnerock’s agent system.
Security
Ragnerock takes multiple measures to protect the API keys you store:
Envelope Encryption
Each API key is encrypted with a unique data encryption key (DEK). The DEK itself is encrypted with a master key stored in a hardware-backed key management service. Keys are decrypted only at request time and exist in plaintext only in memory for the duration of the request. They are never written to disk or logs in unencrypted form.
Tenant Isolation
Each request carries its own encrypted credentials. There is no shared credential state between accounts, eliminating an entire class of credential leakage risks.
Encryption in Transit
All communication between Ragnerock’s internal services uses encrypted channels. Your API keys are never transmitted in plaintext between components.
Restricted Access
AI provider endpoints are accessed only by Ragnerock’s execution service, the component that actually makes calls to your provider. Other services in the platform never handle or see your provider credentials.
Logical Isolation
API-level and database-level access controls enforce strict boundaries between accounts. No account can access another account’s provider configuration, keys, or data.
How It Works
When a request requires AI (whether it’s powering a Research Agent conversation or running an annotation operator) Ragnerock follows three steps:
- Configuration lookup: The system checks whether your account has an active custom AI provider. This configuration includes the provider type, model, and your encrypted API key.
- Credential decryption: The encrypted API key is decrypted in memory for the duration of the request.
- Provider dispatch: The request is routed to your chosen provider. The response streams back through Ragnerock to you.
If no custom configuration exists, requests are handled by Ragnerock’s default provider (Gemini) with no additional setup required.
Embedding Generation
While BYOAI is supported for all agent interactions (Research Agent and operators), embedding generation currently uses Ragnerock’s managed service.
This is because different embedding models produce vectors of different dimensions and in different vector spaces. Switching embedding models would require re-embedding your entire data library, since old embeddings would be incompatible with new ones. Similarity comparisons across different embedding spaces are meaningless. This could disrupt search quality and affect downstream annotation workflows.
By keeping embeddings on Ragnerock’s managed service, the platform guarantees:
- Search consistency: All data sources exist in the same vector space, so similarity scores are always comparable
- Stability: Embedding vectors remain valid regardless of changes to your AI provider configuration
- Simplicity: You can switch your agent and annotation provider freely without affecting search
We are actively exploring ways to support BYOAI for embeddings in a future release.
Provider Validation
Before saving a custom provider configuration, Ragnerock validates that your chosen model supports all required capabilities:
- Structured output: Can the model produce valid JSON matching a schema?
- Streaming: Does the model support streaming responses?
- Tool calling: Can the model invoke tools (required for the Research Agent)?
- Large input handling: Can the model process data sources of typical length?
All four tests must pass for the configuration to be accepted. This ensures that switching providers never degrades functionality.
Fallback
For accounts using a custom provider, Ragnerock offers an optional fallback mechanism. If your custom provider experiences issues (rate limits, downtime, or transient errors) the system can automatically fall back to Ragnerock’s managed service to keep your workflows running. This provides a safety net during initial BYOAI setup or when a provider experiences intermittent issues.
Next Steps
- Bring Your Own AI: Setup guide for configuring your own provider
- AI Research Agent: Agent capabilities powered by your provider
- Operators: Automated agents for data processing