Create BYOK connection

This step-by-step guide helps you securely connect GPTfy to your own Azure-hosted OpenAI service using BYOK. You’ll configure Azure, Salesforce, and GPTfy to establish a secure, scalable, and compliant integration.

What is a BYOK connection?

A BYOK (Bring Your Own Key) connection in GPTfy is a configuration that lets customers use their own AI service connections instead of GPTfy-managed connections.

The documentation outlines the detailed process for creating this connection, which includes:

  • Setting up the necessary Azure infrastructure (creating an Azure OpenAI service and deploying models)
  • Configuring Salesforce components (External Credentials, Custom Headers, Permission Sets)
  • Setting up Named Credentials to securely connect Salesforce to Azure OpenAI
  • Configuring GPTfy to use this connection

This functionality is ideal for customers who:

  • Want to use their own Azure-hosted OpenAI services
  • Need more control over AI infrastructure and model deployments
  • Have specific security or compliance requirements
  • Want to leverage existing investments in Azure OpenAI

The BYOK approach offers flexibility while still benefiting from GPTfy’s seamless Salesforce integration.


Prerequisites


1. Azure Setup

Step 1: Create a Microsoft Foundry Resource

  1. Navigate to the Azure Portal.
  2. In the search bar at the top, search for Foundry.
  3. Select Azure Foundry from the search results.
  4. Click Create to create a new resource.
  5. Fill in the required details:
    • Subscription: Select your Azure subscription
    • Resource Group: Choose an existing resource group or create a new one
    • Region: Select the region closest to your users
    • Name: Enter a unique name (e.g., azure-foundry-test-001)
    • Default project name: Create a new one
  6. Click Review + Create, then click Create to provision the resource.

Step 2: Deploy a Model in Microsoft Foundry

  1. Navigate to Microsoft Foundry.
  2. Enable the New Foundry toggle button located at the top of the page.
  3. Select Build from the top navigation menu.
  4. From the left navigation menu, select Models → Deployments.
  5. Click Deploy a base model.
  6. Choose your desired model (e.g., gpt-35-turbo, gpt-4, or gpt-4o).
  7. Enter a deployment name (e.g., gptfy-deploy).
  8. Configure the deployment settings as needed.
  9. Click Deploy to complete the deployment.
  10. Once deployed, navigate to the deployment details and save the Endpoint URL and API Key for later use in Salesforce configuration.

2. Salesforce Setup

These steps configure secure callouts from Salesforce to Azure using Named Credentials and External Credentials.

Step 1: Create an External Credential

  • Go to Setup → Named Credential → External Credentials
  • Click New
  • Fill in:
    • Label: OpenAIOnAzure
    • Name: OpenAIOnAzure
    • Authentication Protocol: Custom

Step 2: Create a Principal

  • Under the External Credential, go to Principals
  • Click New
  • Fill in:
    • Parameter Name: AzureOpenAI_Principal
    • Authentication: Leave blank
    • Sequence: 1

Step 3: Create a Custom Header

  • Go to Custom Headers under the External Credential
  • Click New
  • Fill in:
    • Name: Authorization
    • Value: Paste Key 1 from Azure
    • Sequence: 1

Step 4: Create a Permission Set

  • Go to Setup → Permission Sets
  • Create one named GPTfy_Azure_Permission
  • In External Credential Principal Access:
    • Select the appropriate Available External Credential Principal and save.
  • Define clear prompts or instructions tailored to your specific needs.

Step 5: Create a Named Credential

  • Go to Setup → Named Credentials
  • Click New
  • Fill in:
    • Label: GPTfyAzureOpenAI
    • URL: Your Azure endpoint (e.g., https://gptfy-resource.openai.azure.com)
    • Identity Type: Named Principal
    • Authentication Protocol: Custom Header Authentication
    • External Credential: AzureOpenAI_Credential
    • Allowed Callouts From: ccai (GPTfy package namespace)

3. GPTfy Configuration

Step 1: Create the Model Connection

  • Go to GPTfy Cockpit in Salesforce
  • Click on Advanced → AI Models
  • Click New → Create Your Own

Step 2: Fill in Info Tab

  • Model Name: Azure OpenAI
  • Description: BYOK connection to Azure-hosted OpenAI
  • Icon Source: SLDS Icon or Static Resource
  • Sequence: e.g., 5
  • Save and proceed

Step 3: Fill in Connection Details Tab

| Field | Value |
| --- | --- |
| AI Technology | OpenAI/Azure |
| Platform | Microsoft Azure |
| Version | gpt-35-turbo or gpt-4.1 |
| Temperature | 0.7 |
| Top P | 1 |
| Max Output Tokens | 1000 |
| Named Credential | GPTfyAzureOpenAI |
| Endpoint URL | /openai/deployments/[deployment-name]/completions?api-version=2022-12-01 |

Click Activate


Step 4: Test the Integration

  1. Open a Salesforce record (e.g., Account)
  2. Ensure a prompt is linked to the model
  3. Use GPTfy Console:
    • Select the prompt
    • Click Run GPTfy
    • Review the response and audit logs

Troubleshooting

| Issue | Resolution |
| --- | --- |
| Named Credential errors | Ensure Principal and Custom Header are assigned |
| Key not accepted | Ensure the header name is api-key |
| Prompt doesn't show | Confirm prompt is active and mapped |
| Callout errors | Check ccai is set as the allowed namespace |
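
The checks in the troubleshooting table can be run over a written-down description of the setup before the model is activated. The Python below is an added example, not part of GPTfy or Salesforce: the dictionary layout and the `check_byok` function are assumptions made for illustration, and the sample values are constructed.

```python
import copy
from urllib.parse import urlsplit

def check_byok(cfg):
    """Return findings for a BYOK setup described as a dict (hypothetical schema)."""
    ext, nc = cfg["external_credential"], cfg["named_credential"]
    findings = []
    # "Key not accepted": the custom header carrying the key must be api-key.
    if "api-key" not in {h.lower() for h in ext["custom_headers"]}:
        findings.append("no custom header named api-key")
    # "Named Credential errors": a Principal must exist and be granted
    # through the Permission Set's External Credential Principal Access.
    if not set(ext["principals"]) & set(cfg["permission_set_principals"]):
        findings.append("no Principal is granted by the Permission Set")
    # The Named Credential must reference the External Credential that exists.
    if nc["external_credential"] != ext["name"]:
        findings.append("Named Credential references unknown External Credential")
    # "Callout errors": ccai must be an allowed namespace.
    if "ccai" not in nc["allowed_namespaces"]:
        findings.append("ccai is not an allowed callout namespace")
    # The key travels in a request header, so the base URL has to use TLS.
    if urlsplit(nc["url"]).scheme != "https":
        findings.append("Named Credential URL is not https")
    # The relative endpoint must name a real deployment, not the placeholder.
    path = cfg["endpoint_url"]
    if not path.startswith("/openai/deployments/") or "[" in path:
        findings.append("endpoint path does not name a concrete deployment")
    return findings

# Constructed sample values; the dict layout is an assumption of this example.
GOOD = {
    "external_credential": {"name": "OpenAIOnAzure",
                            "principals": ["AzureOpenAI_Principal"],
                            "custom_headers": ["api-key"]},
    "permission_set_principals": ["AzureOpenAI_Principal"],
    "named_credential": {"url": "https://gptfy-resource.openai.azure.com",
                         "external_credential": "OpenAIOnAzure",
                         "allowed_namespaces": ["ccai"]},
    "endpoint_url": "/openai/deployments/gptfy-deploy/completions?api-version=2022-12-01",
}
BAD = copy.deepcopy(GOOD)
BAD["external_credential"]["custom_headers"] = ["Authorization"]
BAD["named_credential"]["external_credential"] = "AzureOpenAI_Credential"
BAD["permission_set_principals"] = []

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_byok(cfg) or "ok")
```

An empty list means every check passed; each string in a non-empty list maps to one row of the troubleshooting table or one field of the Named Credential step.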

Bonus: Configure Azure RAG Model in GPTfy

Take it a step further with GPTfy’s Azure RAG (Retrieval-Augmented Generation) integration.

Step 1: Create Azure RAG Model

  • Go to Cockpit → Advanced → AI Models
  • Click Azure RAG → Edit Info tab
  • Provide:
    • Name
    • Icon
    • Sequence

Step 2: Setup Credentials

Repeat the steps in Salesforce Setup:

  • Create External Credential
  • Add Principal and Custom Header
  • Create Named Credential using Azure endpoint

Ensure:

  • Header key is api-key
  • Namespace is ccai
  • Permission Set is assigned

Step 3: Activate the RAG Model

  • Once configuration is complete, activate the Azure RAG model
  • This model can now be used across prompts to bring in external data contextually

By completing this setup, you’ve enabled GPTfy to securely use your Azure OpenAI deployment while preserving compliance and maintaining full control over your AI infrastructure.