LGTM × OpenAI
BYOK with OpenAI on LGTM: paste your platform.openai.com key, we encrypt with AES-256-GCM, decrypt only inside worker memory at review time. Zero markup, your bill, your model choice.
How LGTM uses your OpenAI key
When you add an OpenAI API key in Settings, LGTM validates it by calling GET /v1/models on platform.openai.com with the key. If the call returns 200 and the response includes at least one chat model your account has access to, the key is accepted; otherwise we reject it with a specific error ("key invalid", "organization mismatch", "insufficient quota") that maps to the OpenAI response.
Once validation passes, the key is encrypted with AES-256-GCM using a master key stored in Fly Secrets (not in MongoDB, not in any environment variable shipped with the app). The encrypted blob lives alongside your user record. The plaintext key exists in memory for ~50 milliseconds during validation, then drops.
Per-review: a BullMQ worker picks up your review job, decrypts the key into worker memory, makes the LLM call to OpenAI's /v1/chat/completions endpoint, then drops the plaintext. The plaintext key never touches disk, never appears in logs, never crosses our process boundary except into the outgoing HTTPS request to OpenAI.
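The encrypt-at-save / decrypt-in-worker lifecycle described above, as an added example that is not LGTM's own code. It assumes the 32-byte master key is handed in by the caller (loaded from the secret store), stores the blob as base64(iv || ciphertext || tag), and returns the decrypted key as a Buffer so the worker can zero it after the provider call; `callProvider` is a hypothetical stand-in for the outgoing HTTPS request.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

// Stored blob layout: base64(iv || ciphertext || authTag).
// 12-byte IV is the GCM norm; the 16-byte tag authenticates the ciphertext.
const IV_LEN = 12;
const TAG_LEN = 16;

// Encrypt a provider API key under the master key (assumed to be loaded from
// the secret store by the caller; it is never stored next to the blob).
export function encryptKey(plaintextKey: string, masterKey: Buffer): string {
  if (masterKey.length !== 32) throw new Error('master key must be 32 bytes');
  const iv = randomBytes(IV_LEN); // fresh IV per encryption, never reused
  const cipher = createCipheriv('aes-256-gcm', masterKey, iv);
  const ct = Buffer.concat([cipher.update(plaintextKey, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]).toString('base64');
}

// Decrypt into a Buffer (not a string) so the caller can scrub it afterwards;
// JS strings are immutable and cannot be zeroed in memory.
export function decryptKey(blob: string, masterKey: Buffer): Buffer {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const ct = raw.subarray(IV_LEN, raw.length - TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', masterKey, iv);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (tampered blob or wrong master key)
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Per-review pattern: decrypt, use, scrub. `callProvider` is a hypothetical
// stand-in for the outgoing HTTPS request to the provider.
export async function withDecryptedKey<T>(
  blob: string,
  masterKey: Buffer,
  callProvider: (key: string) => Promise<T>,
): Promise<T> {
  const keyBuf = decryptKey(blob, masterKey);
  try {
    return await callProvider(keyBuf.toString('utf8'));
  } finally {
    keyBuf.fill(0); // drop the plaintext as soon as the call returns
  }
}

// Constructed demo values; a real key never appears in source.
export const DEMO_MASTER_KEY = Buffer.alloc(32, 7);
export const DEMO_API_KEY = 'sk-CONSTRUCTED-EXAMPLE-NOT-A-REAL-KEY';
```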
Supported OpenAI models
Default models LGTM offers from the OpenAI catalog: gpt-5.4 (general flagship), gpt-5.4-pro (highest reasoning quality), gpt-5.4-mini (cost-efficient mid-tier), gpt-5.4-nano (cheapest), gpt-5.3-codex (code-specialised, longer context), gpt-5.2 (legacy, still strong), gpt-4.1-mini (cheapest workable option for low-stakes review).
Each agent in the 6-agent pipeline (Bugs, Security, Performance, Readability, Best-Practices, Documentation) can run on a different model. Default mix: Bugs + Security on gpt-5.4, Performance + Readability + Best-Practices on gpt-5.4-mini, Documentation on gpt-5.4-nano. Pro users can override per-repo.
Model availability follows your account's tier. If a model you select isn't enabled on your OpenAI account, LGTM returns an actionable error pointing you to platform.openai.com/account/limits.
Cost — what you actually pay
Token cost goes directly from OpenAI to your platform.openai.com account. LGTM never proxies your requests, never sees your token usage, never marks up. A 300-line PR review on gpt-5.4 typically costs $0.08-$0.18 in OpenAI charges. Switch to gpt-5.4-mini and the same review drops to ~$0.02-$0.04.
Per-month math: 50 PRs/week × 4 weeks = 200 PRs. On gpt-5.4 default mix, that's ~$30-$60/month in OpenAI charges. On a mixed Mini/Nano setup, ~$5-$15/month. Both significantly below typical vendor-managed SaaS markups for the same review work.
LGTM's own subscription fee is separate: Free (20 PR reviews/mo, ₹0) or Pro (unlimited + auto-review + per-repo overrides, ₹399/mo). The token bill is your provider relationship; the orchestration fee is ours.
Privacy + data handling
Source code visibility: LGTM fetches diff content + selected context symbols from GitHub at review time (using your GitHub App installation token). The fetched code goes into the agent prompt sent to OpenAI via your BYOK key. OpenAI's API terms govern that data path — and OpenAI's standard API terms explicitly EXCLUDE inputs from being used to train their models (only consumer ChatGPT inputs train; API inputs don't).
Persistence on LGTM side: we DO NOT store the diff. We DO NOT store function bodies fetched from GitHub. We DO store the LLM-generated review output (findings, summary, verdict) because the PR review UI needs to show it. Findings can be deleted via the Review Settings page; deleted findings are hard-deleted from MongoDB within 24h.
Logs: structured logs include review IDs, timing, token counts, model used. They DO NOT include diff content or LLM responses. If a job fails, the error message is logged but not the inputs.
Setup — getting started in 3 minutes
(1) Sign in at app.looksgoodtomeow.in via GitHub OAuth. (2) Go to Settings → AI Providers → OpenAI. (3) Paste your API key from platform.openai.com/api-keys. (4) Click Validate; key gets verified against OpenAI in 1-2 seconds. (5) Pick your default model from the dropdown (defaults to gpt-5.4 if you have access).
Per-repo overrides (Pro plan): Repo settings → Models → pick a different model for that repo. Useful for pinning the cheapest possible model on a marketing site while keeping flagship-quality on a payments repo.
Revoking access: Settings → AI Providers → OpenAI → Remove Key. The encrypted blob deletes immediately. The key still exists on your platform.openai.com account — you should ALSO rotate it there if removal is part of an offboarding flow.
Implementation examples
```typescript
// LGTM validates BYOK before saving
// encryptKey is the AES-256-GCM step under the Fly Secrets master key; defined elsewhere
declare function encryptKey(key: string): string;

async function validateOpenAIKey(key: string) {
  const res = await fetch('https://api.openai.com/v1/models', {
    headers: { Authorization: `Bearer ${key}` },
  });
  // Map the provider's HTTP status to the specific error shown in Settings
  if (res.status === 401) throw new Error('invalid_key');
  if (res.status === 429) throw new Error('rate_limited');
  if (!res.ok) throw new Error('provider_error');
  const { data } = (await res.json()) as { data: { id: string }[] };
  // Require at least one chat model the account can actually use
  const hasChat = data.some((m) => m.id.startsWith('gpt-'));
  if (!hasChat) throw new Error('no_chat_models');
  // OK — encrypt and persist
  return encryptKey(key);
}
```

OpenAI integration FAQs
Does LGTM store my OpenAI API key in plaintext?
No. The key is encrypted with AES-256-GCM at the moment of save, using a master key stored separately in Fly Secrets. Plaintext exists only inside a worker process during the brief validation call and during each review's LLM request — never on disk, never in logs.
Are my prompts and code used to train OpenAI's models?
No. OpenAI's API terms explicitly exclude API inputs from training. Only ChatGPT consumer inputs are training-eligible by default. Since BYOK uses your API key against the API, you're under the API terms — no training.
What if my OpenAI key gets rate-limited mid-review?
The specific agent that hit the rate limit retries with exponential backoff (1s, 4s, 16s). If all retries fail, that agent fails; other agents continue and the synthesizer produces a degraded review noting which agent didn't complete. You get a notification suggesting an upgrade to a higher OpenAI tier or a switch to Anthropic/Gemini fallback.
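The per-agent retry and degraded synthesis described in this answer, as an added example that is not LGTM's own code. It assumes the 1s/4s/16s schedule above, detects rate limiting by a constructed `status: 429` property on the error, takes an injectable `sleep` so the behaviour can be exercised without real delays, and uses a constructed `flakyProvider` stub in place of the real LLM call.

```typescript
// Backoff schedule from the answer above: three retries at 1s, 4s, 16s.
const BACKOFF_MS = [1000, 4000, 16000];

// Constructed stand-in for the provider's HTTP 429; checked by status, not class.
export const rateLimitError = () => Object.assign(new Error('rate_limited'), { status: 429 });
const isRateLimited = (e: unknown) => (e as { status?: number })?.status === 429;

type Sleep = (ms: number) => Promise<void>;
const realSleep: Sleep = (ms) => new Promise((r) => setTimeout(r, ms));

export type AgentResult =
  | { agent: string; ok: true; findings: string[] }
  | { agent: string; ok: false; error: string };

// Run one agent's LLM call; retry only on rate limiting, stop after the schedule.
export async function runAgentWithRetry(
  agent: string,
  call: () => Promise<string[]>,
  sleep: Sleep = realSleep, // injectable so tests need not wait 21 seconds
): Promise<AgentResult> {
  for (let attempt = 0; ; attempt++) {
    try {
      return { agent, ok: true, findings: await call() };
    } catch (err) {
      if (!isRateLimited(err) || attempt >= BACKOFF_MS.length) {
        return { agent, ok: false, error: err instanceof Error ? err.message : String(err) };
      }
      await sleep(BACKOFF_MS[attempt]);
    }
  }
}

// Synthesizer: merge what completed and flag the review as degraded rather than
// failing it because one agent could not finish.
export function synthesize(results: AgentResult[]) {
  const incomplete = results.filter((r) => !r.ok).map((r) => r.agent);
  const findings = results.reduce<string[]>((acc, r) => (r.ok ? acc.concat(r.findings) : acc), []);
  return { findings, degraded: incomplete.length > 0, incomplete };
}

// Constructed provider stub: answers 429 `failures` times, then succeeds.
export function flakyProvider(failures: number, findings: string[]) {
  let calls = 0;
  return async () => {
    if (calls++ < failures) throw rateLimitError();
    return findings;
  };
}
```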
Can I share an OpenAI key across a team?
Yes. Create an OpenAI organization, generate one key under that org, paste it once on LGTM. All team members reviewing PRs use that single key. Monitor usage at platform.openai.com/usage. Set monthly spend limits there to avoid surprises.
What models work best for code review?
Empirically: gpt-5.4 for Bugs + Security agents (judgment-heavy), gpt-5.4-mini for Performance + Readability (pattern recognition), gpt-5.4-nano or gpt-4.1-mini for Documentation (low cost, narrow task). Per-repo overrides let you tune the cost/quality dial without affecting other repos.
Related across LGTM
Other integrations
Anthropic
BYOK with Anthropic on LGTM: connect your console.anthropic.com key, encrypted with AES-256-GCM, decrypted only in worker memory. Use Claude Opus 4.7, Sonnet 4.6, or Haiku 4.5 per repo.
Google Gemini
BYOK with Google Gemini on LGTM: paste your ai.google.dev key, AES-256-GCM at rest, decrypt only in worker memory. Use Gemini 2.5 Pro or Flash for review.
GitHub
LGTM's GitHub App: 4 permissions (contents:read, pull-requests:write, checks:write, metadata:read), webhook subscriptions on pull_request + push + installation. No access to secrets, can't push code.