While researching how to do BYOK (bring your own key) for my app JobbedIn, so that people don't have to pay a subscription to me, I stumbled upon a new concept: Envelope Encryption. As explained here on freeCodeCamp, Envelope Encryption "involves encrypting your data with a Data Encryption Key, then encrypting the Data Encryption Key (DEK) with a Customer Master Key (CMK)".
Normally, the easy way to do BYOK is to have a master key sitting in the environment. You then use that key for symmetric encryption: encrypt the API key with the master key, then store the encrypted key in the database. On any API call, you pull out the encrypted key, decrypt it with the master key, then use the decrypted API key to call the API.
Envelope Encryption, on the other hand, works like this: you put a key (the API key) in a chest and close it (encrypt) with a plaintext Data Encryption Key (DEK). This DEK, consisting of a plaintext key and an encrypted copy, is generated by either a key management system (KMS) or just a second master key (since the DEK is the first master key). Afterwards, you throw the plaintext DEK away, which leaves only the encrypted DEK. This is the equivalent of putting the plaintext DEK in a second chest and closing it (encrypting again) with the KMS or the second master key. Then both chests are placed in the database.
To implement this in my app, I think I would go for the first choice for easier deployment. The second, Envelope Encryption, would require an actual KMS service, which I do not have yet.
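The two-chest scheme described above, written out as an added example (not code from JobbedIn or the freeCodeCamp article), with a locally held second master key (`kek`) standing in for the KMS. AES-256-GCM, the function and field names, and binding each record to a `userId` as associated data are assumptions of this example; `rewrap` shows that rotating the second master key re-encrypts only the DEK, never the stored API key.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helper: returns iv (12 B) || auth tag (16 B) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the AAD or any ciphertext byte is wrong.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// First chest: API key under a fresh DEK. Second chest: the DEK under the KEK.
function envelopeEncrypt(kek, apiKey, userId) {
  const dek = crypto.randomBytes(32);
  const record = {
    encryptedApiKey: seal(dek, Buffer.from(apiKey, 'utf8'), userId),
    encryptedDek: seal(kek, dek, userId),
  };
  dek.fill(0); // throw the plaintext DEK away (best effort in JavaScript)
  return record; // both chests go into the same database row
}

function envelopeDecrypt(kek, record, userId) {
  const dek = open(kek, record.encryptedDek, userId);
  try {
    return open(dek, record.encryptedApiKey, userId).toString('utf8');
  } finally {
    dek.fill(0);
  }
}

// Rotating the KEK re-wraps only the 32-byte DEK; the data chest is untouched.
function rewrap(oldKek, newKek, record, userId) {
  const dek = open(oldKek, record.encryptedDek, userId);
  const encryptedDek = seal(newKek, dek, userId);
  dek.fill(0);
  return { ...record, encryptedDek };
}
```

With a real KMS, the two `seal`/`open` calls that use `kek` become calls to the service, so the second master key never sits in the app's environment.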