Zero-knowledge BYOK: keys the platform can't see
Most BYOK products store your API key encrypted at rest, decrypt it on use, and trust their own infrastructure. Zero-knowledge BYOK removes the trust step entirely. The platform stores ciphertext only, the key is encrypted client-side with a passkey-derived secret, and the server never has plaintext access to the key. The pattern, the cryptographic primitives, the limits.