Create BYOK connection
This step-by-step guide helps you securely connect GPTfy to your own Azure-hosted OpenAI service using BYOK. You’ll configure Azure, Salesforce, and GPTfy to establish a secure, scalable, and compliant integration.
What is a BYOK connection?
BYOK (Bring Your Own Key) connection in GPTfy is a configuration that allows customers to use their own AI service connections instead of GPTfy-managed connections.
The documentation outlines the detailed process for creating this connection, which includes:
- Setting up the necessary Azure infrastructure (creating an Azure OpenAI service and deploying models)
- Configuring Salesforce components (External Credentials, Custom Headers, Permission Sets)
- Setting up Named Credentials to securely connect Salesforce to Azure OpenAI
- Configuring GPTfy to use this connection
This functionality is ideal for customers who:
- Want to use their own Azure-hosted OpenAI services
- Need more control over AI infrastructure and model deployments
- Have specific security or compliance requirements
- Want to leverage existing investments in Azure OpenAI
The BYOK approach offers flexibility while still benefiting from GPTfy’s seamless Salesforce integration.
Prerequisites
- An Azure subscription
- Access to Azure OpenAI (apply if needed)
1. Azure Setup
Step 1: Create an Azure OpenAI Resource
- Go to Azure OpenAI Service Create Page.
- Fill in:
- Subscription: Your Azure subscription
- Resource Group: Existing or new
- Region: Closest to users
- Name: e.g.,
azure-openai-test-001 - Pricing Tier: Select the default
- Click Review + Create → Create
Step 2: Deploy a Model in Azure AI Studio
- Go to Azure OpenAI Studio
- Under Deployments, click + Create new deployment
- Choose your model (e.g.,
gpt-35-turbo,gpt-4) - Name it (e.g.,
gptfy-deploy) - Save the Endpoint and Key 1 for later use
2. Salesforce Setup
These steps configure secure callouts from Salesforce to Azure using Named Credentials and External Credentials.
Step 1: Create an External Credential
- Go to Setup → External Credentials
- Click New
- Fill in:
- Label:
OpenAIOnAzure - Name:
OpenAIOnAzure - Authentication Protocol:
Custom
- Label:
Step 2: Create a Principal
- Under the External Credential, go to Principals
- Click New
- Fill in:
- Parameter Name:
AzureOpenAI_Principal - Authentication: Leave blank
- Sequence:
1
- Parameter Name:
Step 3: Create a Custom Header
- Go to Custom Headers under the External Credential
- Click New
- Fill in:
- Name:
Authorization - Value: Paste Key 1 from Azure
- Sequence:
1
- Name:
Step 4: Create a Permission Set
- Go to Setup → Permission Sets
- Create one named
GPTfy_Azure_Permission
- In External Credential Principal Access:
- Select the appropriate Available External Credential Principal and save.
- Define clear prompts or instructions tailored to your specific needs.
Step 5: Create a Named Credential
- Go to Setup → Named Credentials
- Click New
- Fill in:
- Label:
GPTfyAzureOpenAI - URL: Your Azure endpoint (e.g.,
https://gptfy-resource.openai.azure.com) - Identity Type:
Named Principal - Authentication Protocol:
Custom Header Authentication - External Credential:
AzureOpenAI_Credential - Allowed Callouts From:
ccai(GPTfy package namespace)
- Label:
3. GPTfy Configuration
Step 1: Create the Model Connection
- Go to GPTfy Cockpit in Salesforce
- Click on AI Models
- Click + New → Create Your Own
Step 2: Fill in Info Tab
- Model Name:
Azure OpenAI - Description:
BYOK connection to Azure-hosted OpenAI - Icon Source: SLDS Icon or Static Resource
- Sequence: e.g.,
5 - Save and proceed
Step 3: Fill in Connection Details Tab
| Field | Value |
|---|---|
| AI Technology | OpenAI |
| Platform | Azure |
| Version | gpt-35-turbo or gpt-4 |
| Temperature | 0.7 |
| Top P | 1 |
| Max Output Tokens | 1000 |
| Named Credential | GPTfyAzureOpenAI |
| Endpoint URL | /openai/deployments/[deployment-name]/completions?api-version=2022-12-01 |
Click Activate
Step 4: Test the Integration
- Open a Salesforce record (e.g., Account)
- Ensure a prompt is linked to the model
- Use GPTfy Console:
- Select the prompt
- Click Run GPTfy
- Review the response and audit logs
Troubleshooting
| Issue | Resolution |
|---|---|
| Named Credential errors | Ensure Principal and Custom Header are assigned |
| Key not accepted | Ensure the header name is api-key |
| Prompt doesn't show | Confirm prompt is active and mapped |
| Callout errors | Check ccai is set as the allowed namespace |
Bonus: Configure Azure RAG Model in GPTfy
Take it a step further with GPTfy’s Azure RAG (Retrieval-Augmented Generation) integration.
Step 1: Create Azure RAG Model
- Go to Cockpit → AI Models
- Click
Azure RAG→ Edit Info - Provide:
- Name
- Icon
- Sequence
Step 2: Setup Credentials
Repeat the steps in Salesforce Setup:
- Create External Credential
- Add Principal and Custom Header
- Create Named Credential using Azure endpoint
Ensure:
- Header key is
api-key- Namespace is
ccai- Permission Set is assigned
Step 3: Activate the RAG Model
- Once configuration is complete, activate the Azure RAG model
- This model can now be used across prompts to bring in external data contextually
By completing this setup, you’ve enabled GPTfy to securely use your Azure OpenAI deployment while preserving compliance and maintaining full control over your AI infrastructure.