Encrypted vault, automatic rotation, and a smart proxy for every API your app talks to. One credential in, every provider out — your raw keys never leave the vault.
# .env OPENAI_API_KEY=sk-proj-•••••••••••••• ANTHROPIC_API_KEY=sk-ant-•••••••••••••• STRIPE_SECRET_KEY=sk_live_••••••••••••• STRIPE_WEBHOOK_SECRET=whsec_•••••••••••• RESEND_API_KEY=re_•••••••••••••••••• SUPABASE_SERVICE_ROLE_KEY=eyJhb•••••••• SENTRY_DSN=https://••••••••••••••• GITHUB_TOKEN=ghp_•••••••••••••••••• POSTHOG_API_KEY=phc_•••••••••••••••• CLOUDINARY_API_SECRET=•••••••••••• TWILIO_AUTH_TOKEN=•••••••••••••••••••• GOOGLE_CLIENT_SECRET=GOCSPX-•••••••••••• GROQ_API_KEY=gsk_••••••••••••••••• MUX_TOKEN_SECRET=••••••••••••••••••••
# .env APILOCKER_REFRESH_TOKEN=rtk_•••••••• # that's it. # every provider above is reachable # through one SDK call: # await apilocker.proxy('openai', ...) # await apilocker.proxy('stripe', ...) # await apilocker.proxy('resend', ...)
A quiet layer between your apps and the APIs they call. Encrypted, observable, and invisible by default.
Every credential is encrypted at rest with a master token bound to your machine. Rotate on a schedule, issue scoped tokens per project, and revoke instantly — without touching the underlying key.
Your app hits the proxy. The proxy injects the real credential, forwards to the provider, and streams the response back — SSE and all. Your raw key never leaves the vault.
scoped_tokenapi_key from vaultproviderresponseExpose your vault to Claude, Cursor, or any MCP-compatible client. Agents call real APIs without ever seeing the underlying credentials — and every call is logged, scoped, and revocable.
Install the CLI in under a minute. Free while in beta — no credit card, no signup.