N AgentNavaKit
agentnava.com →
Run · Operate

Operate

Day-to-day operations that apply to every agent: routing model calls through your own provider via BYOK, plan transitions, billing. For the Freelancer-specific lifecycle (deploy to test/prod, version rollback, custom domain, embed snippet), see Deploy & Embed. For session-model details (sessionMode, fan-out, lifecycle), see Sessions.

BYOK: bring your own keys

Route model traffic through your own provider account instead of AgentNava's. Useful once usage scales past the free tier, when you want one billing relationship across services, or when compliance requires inference in your own VPC/region.

Configuration is done from the console, not the SDK. Open console.agentnava.com → BYOK, pick a provider, paste credentials, mark as default. Agent code is unchanged.

Two scopes: workspace defaults vs per-agent overrides

BYOK has two levels and you can mix them:

  • Workspace default: applies to every agent in the workspace. The most common setup is one key per provider, used by everyone.
  • Per-agent override: a key you attach to a single agent. When that agent runs, its override wins; every other agent stays on the workspace default.

The Scope chip row at the top of console.agentnava.com/byok switches between them. "Workspace defaults" is the standard list; clicking an agent's chip shows the resolved view for that agent: workspace rows plus overrides, with a Source column saying where each row came from and overridden workspace rows visibly struck through. What you see is exactly what the runtime will use for that agent's traffic.

Override only what you need. A typical setup uses one workspace default (say, Anthropic via your prod account) and zero or one agents that need a sandbox/staging key.

Supported providers

Inference billed to your AWS account. Claude, Llama, Titan, Mistral, Cohere; all model families on Bedrock work.

What to paste:

  • AWS Access Key ID (starts with AKIA for long-lived or ASIA for STS session)
  • AWS Secret Access Key
  • Region: pick the one where your Bedrock models are enabled (e.g. us-east-1, us-west-2, eu-west-3, ap-northeast-1)

IAM permissions required: bedrock:InvokeModelWithResponseStream and bedrock:ListFoundationModels (the latter is hit at Test connection time).

The console SigV4-signs a GET /foundation-models on save to verify the credentials work before activating the key.

Direct to api.anthropic.com. Bring your sk-ant- key from console.anthropic.com.

Paste an API key from console.anthropic.com → Settings → API keys. Validation hits /v1/models on save.

Direct to api.openai.com. GPT-4, GPT-4o, o-series, anything in your account.

Paste an API key from platform.openai.com. Validation hits /v1/models.

Direct to generativelanguage.googleapis.com (AI Studio). Gemini family.

Paste a Gemini API key from aistudio.google.com. The key is sent as a query parameter on each request.

One key, 100+ models. Good if you want a curated catalog without per-provider setup.

Paste an OpenRouter key from openrouter.ai/keys. Validation hits the OpenRouter /v1/models endpoint.

Any OpenAI-compatible endpoint: vLLM, Ollama proxy, LiteLLM, self-hosted. You provide the URL.

Paste your bearer token plus the endpoint URL (e.g. https://proxy.example.com). The runtime will call {endpointUrl}/v1/chat/completions with OpenAI's request shape.

How it works

  1. Provider creds are encrypted at rest with AES-256-GCM. We decrypt only at request time, inside the worker, and never log the plaintext.
  2. For every chat turn the runtime resolves which key wins in this order: agent override → workspace default → AgentNava's managed inference. The first hit wins; no implicit cascade beyond that.
  3. Generic modelClass values on agents (fast, standard, premium, advanced) translate to provider-specific model IDs automatically. For example, standard on Bedrock becomes anthropic.claude-3-haiku-20240307-v1:0, on OpenAI becomes gpt-4o-mini. Pin a specific id with tier@model-id when the default isn't what you want.
  4. If the resolved BYOK provider returns an error, the request fails. There's no silent fallback to a different scope or to platform pricing. Surprises lead to surprise bills.
  5. Remove an override or the workspace default any time; the next request resolves with one fewer level.

Test the connection

The Test connection button on each row makes one validation call (timeout 6s) and stores the result. Status pill on the table:

  • Live: last test succeeded.
  • Failing: last test failed. Hover for the upstream error.
  • Untested: fresh row, never tested.

Test on save plus whenever you suspect the upstream account changed (rotated key, billing on hold, quota hit).

Plan changes and your agents

Changing your plan adjusts the default model your Teammates use and the overall quality of their work, without changing how the team works. The team-of-specialists shape (shared workspace, Manager coordinating, persistent filesystem) is the same on both Standard and Premium; see Roles → Standard vs Premium.

TransitionWhat happens
Standard → Premium Your Teammates start using the more powerful default model on their next turn. Better quality across the board. The spec, the team layout, the workspace, and conversation history are unchanged.
Premium → Standard Your Teammates drop back to the standard default model on the next turn. Same team, same workspace, same files; quality is the only thing that changes.
Free ↔ Standard What you can do changes (per the pricing page); existing agents don't change shape.

Specs, knowledge base entries, journal entries, session history, and your team's workspace files all live across plan changes. Nothing is lost on upgrade or downgrade.

Billing

The runtime is charged per workspace plan; model usage is metered separately. With provider: 'auto', model calls are billed by AgentNava. With BYOK, they're billed by your cloud provider. Plan details and pricing are on agentnava.com/pricing.