Privacy Policy
Last updated: April 9, 2026
API Locker is a credential vault and proxy. Our entire product exists to keep sensitive data secure, so we take privacy seriously. This page explains what we collect, what we do with it, and what we never touch.
TL;DR
- We store your encrypted API keys and proxy requests to the providers you choose.
- Your raw credentials are encrypted with AES-256-GCM before they hit our database, and the encryption key never leaves our server-side runtime.
- We do not read, sell, or share the contents of your API calls or responses.
- We collect the minimum data needed to run the service: your email, your OAuth provider ID, and request metadata for audit logging.
- You can delete your account and all associated data at any time.
1. What we collect
When you sign up with Google or GitHub, we receive and store:
- Your email address
- Your display name and avatar URL
- A unique identifier from the OAuth provider
When you store a credential, we collect:
- The friendly name you give it
- The provider type (OpenAI, Stripe, etc.) so we know how to inject it
- The encrypted ciphertext of the credential itself
When your apps or agents proxy a request through API Locker, we record:
- The key and token used
- The target provider and path
- The HTTP status code and latency
- The timestamp and source IP
2. What we do NOT collect
- We do not log the request body you send to providers.
- We do not log the response body from providers.
- We do not decrypt or inspect your stored credentials for any purpose other than injecting them into the outbound request you authorized.
- We do not sell any data to third parties.
- We do not use your data to train machine learning models.
3. How we store it
Encrypted credential blobs live in Cloudflare Workers KV, encrypted at rest with AES-256-GCM. The encryption key is stored as an environment secret on Cloudflare Workers and is never exposed to the database or logs. Metadata (your user record, token records, audit logs) lives in Cloudflare D1.
All data in transit is protected by TLS 1.3 via Cloudflare's edge.
4. How we use it
- To authenticate you when you sign in
- To proxy requests to the providers you have stored credentials for
- To enforce token scopes, rotation policies, and revocations
- To detect anomalous traffic patterns (refresh-token reuse, abnormal request volume)
- To generate audit logs you can review in your own dashboard
5. Third parties
API Locker itself uses the following third-party services:
- Cloudflare — hosting, DNS, edge compute, database, and key-value storage
- Google and GitHub — OAuth sign-in only (we never access data beyond your email and profile)
When you proxy a request through API Locker, that request is forwarded to the API provider you chose (OpenAI, Stripe, Anthropic, etc.). Those providers have their own privacy policies and terms that apply to your usage of their services.
5a. MCP clients (Claude, Cursor, Zed, etc.)
API Locker runs a Model Context Protocol (MCP) server that lets AI coding and chat agents read and manage your vault on your behalf. Two connection modes exist, and the privacy implications differ slightly:
- Local MCP (stdio bridge). You install the apilocker CLI, register your device, and configure a local MCP client (Claude Desktop, Claude Code, Cursor, Zed, Continue) to run apilocker mcp as a subprocess. The bridge forwards your requests to https://api.apilocker.app/v1/mcp over HTTPS authenticated with a device master token stored at ~/.apilocker/config.json. Only the JSON-RPC messages reach our servers; your conversation content with the AI model never does.
- Remote MCP (OAuth 2.1). You click an "Add connector" button in a supported MCP client (e.g. Claude web) and authorize the client on our consent screen. The client then holds an access token it uses to call our MCP endpoint directly. We store the token in hashed form, along with the client ID, the user ID, the approved scopes, and the refresh-token rotation history. We do not see or store the underlying conversation you have with the AI model; only the individual tool calls.
What MCP tool calls we log: the same metadata we log for proxy calls — tool name, key ID (if any), timestamp, source IP, country, status code, and latency. We do not log tool call arguments or responses.
What we never see: your chat history with the AI, system prompts, model outputs unrelated to a tool call, or any content that doesn't flow through a specific MCP tool invocation.
Revoking a connected MCP client: you can revoke any connected client at any time from your dashboard. Revocation takes effect on the next authenticated request (within seconds). Revoking the grant invalidates both the current access token and its refresh token; the client must re-authorize to reconnect.
5b. OAuth-connected third-party clients (Dynamic Client Registration)
When you approve a new MCP client via the consent screen, that client goes through RFC 7591 Dynamic Client Registration. We record the client's self-declared name, logo URL (if provided), homepage URL (if provided), and the redirect URIs it registered. We display the self-declared name on the consent screen so you can identify the caller before approving. We do not verify the client's identity beyond its ability to complete the OAuth handshake — you are responsible for only approving clients you recognize and trust.
6. Your rights
- Access: you can view all your stored keys, tokens, and activity logs in the dashboard.
- Deletion: you can delete individual keys and tokens from the dashboard. To delete your entire account, contact us.
- Export: activity logs are queryable via the dashboard and API.
7. Retention
We retain your data as long as your account is active. Audit logs are retained for up to 12 months. Deleted keys and tokens are removed from the database immediately; audit log entries referencing deleted resources remain for the retention window.
8. Contact
The right address depends on what you want to talk about:
- Privacy questions: privacy@apilocker.app
- Security disclosures: security@apilocker.app — please don't open public GitHub issues for security findings
- General support: support@apilocker.app
- Product feedback & feature requests: feedback@apilocker.app
- Bug reports: github.com/apilocker/apilocker/issues
This policy is a starting point for a credential-vault product. If you're planning to use API Locker for regulated data (PCI, HIPAA, GDPR-sensitive data, etc.), contact us before you do — we want to make sure the service fits your compliance needs.