What's stored Surfaces Features Pricing Docs Changelog Log in Sign up
Free during beta

Replace your .env file with one token.

Encrypted vault, automatic rotation, and a smart proxy for every API your app talks to. One credential in, every provider out.

Get started free See how it works
.env — 14 secrets
# .env OPENAI_API_KEY=sk-proj-•••••••••••••• ANTHROPIC_API_KEY=sk-ant-•••••••••••••• STRIPE_SECRET_KEY=sk_live_••••••••••••• STRIPE_WEBHOOK_SECRET=whsec_•••••••••••• RESEND_API_KEY=re_•••••••••••••••••• SUPABASE_SERVICE_ROLE_KEY=eyJhb•••••••• SENTRY_DSN=https://••••••••••••••• GITHUB_TOKEN=ghp_•••••••••••••••••• POSTHOG_API_KEY=phc_•••••••••••••••• CLOUDINARY_API_SECRET=•••••••••••• TWILIO_AUTH_TOKEN=•••••••••••••••••••• GOOGLE_CLIENT_SECRET=GOCSPX-•••••••••••• GROQ_API_KEY=gsk_••••••••••••••••• MUX_TOKEN_SECRET=••••••••••••••••••••
.env — 1 token
# .env APILOCKER_REFRESH_TOKEN=rtk_•••••••• # that's it. # every provider above is reachable # through one SDK call: # await apilocker.proxy('openai', ...) # await apilocker.proxy('stripe', ...) # await apilocker.proxy('resend', ...)
Integrations

Works with every API, LLM, and OAuth service you use.

34 provider templates built in. Anything else works via "Custom."

Surfaces

One vault, four ways in.

CLI, web dashboard, MCP server, and VS Code extension. Same vault, same features, every surface.

CLI

Store, inject, rotate, and proxy from your terminal. One npm install away.

$ npm install -g apilocker
$ apilocker store --provider openai
$ apilocker run -- node app.js
Web Dashboard

Visual vault management with three-bucket layout, activity feed, and device management.

apilocker.app/dashboard
// LLM | Service | OAuth
// buckets
MCP Server

21 tools for Claude, Cursor, and any MCP client. Agents call APIs without seeing keys.

$ apilocker mcp serve
// 21 tools exposed
// via stdio bridge
VS Code Extension NEW

Sidebar vault management for VS Code, Cursor, Windsurf, and Antigravity.

// sidebar panel
// list, reveal, rotate
// works in 5 IDEs
Three pillars

One vault, three types of credentials.

Every secret a developer needs to keep safe, organized into categories that match how real apps are built.

LLM API Keys

OpenAI, Anthropic, Gemini, Groq, Mistral.

Keep your AI workloads secure while you ship. Inject model keys directly into your code with apilocker run — no more OpenAI keys in .env files or accidentally committed to git.

  • Zero-config provider templates for every major LLM
  • Rotate keys without redeploying
  • Per-key usage telemetry and anomaly alerts

Service API Keys

Stripe, Twilio, Resend, ElevenLabs, Sentry, and everything else.

Replace every .env file in your project with one token. 15+ provider templates come pre-configured; anything else works via "Custom." Your code still reads process.env.STRIPE_SECRET_KEY — just don't put it in a file anymore.

  • 19+ built-in provider templates, custom for the rest
  • Smart proxy route with audit logs on every call
  • Pause/resume individual keys during incident response

OAuth Credentials

Google, GitHub, Slack, Microsoft, Notion, Spotify, and more.

Store full OAuth credential sets — client ID, client secret, refresh token, scopes — as a single named credential. apilocker run injects every field as its own env var. Nango-quality OAuth management at solo-dev prices.

  • 14 OAuth provider templates with pre-filled endpoints
  • Multi-field encrypted storage, per-field reveal
  • One-command injection via apilocker run
Features

Built for how you ship.

A quiet layer between your apps and the APIs they call. Encrypted, observable, and invisible by default.

Encrypted vault

Your keys, locked behind device-bound auth.

Every credential is encrypted at rest with a master token bound to your machine. Rotate on a schedule, issue scoped tokens per project, and revoke instantly — without touching the underlying key.

Install the CLI Read the docs
vault.enc
openai
sk-proj-••••
anthropic
sk-ant-••••
stripe
sk_live_••••
supabase
eyJhbG••••
resend
re_••••
cloudflare
••••••
Smart proxy

Stream responses without exposing the key.

Your app hits the proxy. The proxy injects the real credential, forwards to the provider, and streams the response back — SSE and all. Your raw key never leaves the vault.

See providers Integration guide
proxy.request
1 Receiving inbound request
2 Validating scoped_token
3 Injecting api_key from vault
4 Forwarding to provider
5 Streaming response
MCP ready

Built for AI agents from day one.

Expose your vault to Claude, Cursor, or any MCP-compatible client. Agents call real APIs without ever seeing the underlying credentials — and every call is logged, scoped, and revocable.

MCP setup Example configs
.mcp.json
{
  "mcpServers": {
    "apilocker": {
      "command": "apilocker",
      "args": ["mcp", "serve"],
      "scope": "openai,anthropic"
    }
  }
}
Pricing

Free during beta. No credit card.

We're building in public. Use everything for free while we ship.

$0
Free during beta
  • Unlimited API keys and OAuth credentials
  • Unlimited scoped tokens
  • Unlimited proxy calls
  • CLI, dashboard, MCP, and VS Code extension
  • 34 provider templates
  • Audit logs and activity feed
Get started free

Your keys.
Your proxy.
Your control.

Free plan — unlimited keys, unlimited tokens, unlimited calls. Sign up in 10 seconds.

$ npm install -g apilocker
Get started free View on npm