Secure your secrets

Replace your .env file
with one token.

Encrypted vault, automatic rotation, and a smart proxy for every API your app talks to.
One credential in, every provider out.

Get started free See how it works

Your App

await AL.fetch('openai')

OpenAI

inject: sk-proj-...

Stripe

inject: sk_live-...

Resend

inject: re_...

Integrations

Works with every API, LLM, and OAuth service you use.

34 provider templates built in. Anything else works via "Custom."

The reality of
secrets management.

Putting API keys directly into your source code is a ticking time bomb. When you hardcode secrets into your frontend, mobile app, or public repository, hackers can easily decompile and extract them.

The result? Massive API abuse and thousands of dollars in stolen usage running up your bill before you even notice.

You already know this is a problem.
You just haven’t had a solution that’s easier than the problem.

main.js


                                        const OPENAI_KEY = "sk-proj-xyz9...";

                                        

                                        // TODO: Replace with secure backend call later

                                        fetch('https://api.openai.com', { ... })

Unauthorized API Usage $0.00

Architecture

Engineered for absolute control.

Centralize your workflow, rotate keys with zero downtime, and completely decouple credentials from your codebase.

.env.dev

.env.staging

.env.prod

Store everything in one place

A single source of truth for all environments. No more syncing files over Slack or hunting through DMs.

sk_live_x9z2...

al_prod_q8p...

Apps never see raw keys

Your application processes request temporary access tokens on the fly. Raw API keys stay safely encrypted.

01 APP Req OpenAI key
04 SYS Key rotated
12 USR Viewed token

Full visibility

Know exactly which environment, user, or service accessed each key, right down to the millisecond.

Stop managing secrets the wrong way.

See the immediate impact of adopting a centralized proxy architecture.

1. Slack DMs

Hey can you send me the Stripe key?

sk_live_4eC39HqLyjWD...

2. Notes App

📝 API Keys

OpenAI - production:
sk-proj-a1b2...

Stripe - don't delete:
sk_live_8xyz...

3. .env File

.env


                                        # DO NOT COMMIT

                                        OPENAI_API_KEY=sk_...

                                        AWS_SECRET=AKIA...

                                        STRIPE_KEY=sk_liv...

4. Git History


                                        + OPENAI_API_KEY=sk-proj...

                                        - // No keys were here

5. The Scatter Problem

frontend/.env

backend/.env

worker/.env

3 sync points. No rotation.

The Broken Architecture

1. App stores raw key

→

2. Commits leak keys

→

3. Rotation is manual

→

4. High risk of abuse

Raw credentials are tied directly to your source code, creating multiple points of vulnerability and zero visibility.

1. Team Sharing

Hey can you send me the Stripe key?

Done — I added you as a scoped token. Check your dashboard.

2. Documentation

🛡️ Vault Credentials

LLM Keys Encrypted

Service Keys Encrypted

3. Local Config

.env


                                        APILOCKER_REFRESH_TOKEN=rtk_••••••••

                                        # that's it. every provider is reachable.

4. Version Control


                                        ✓ Clean history. Nothing sensitive to commit.

5. One Source of Truth

Rotated instantly. Logged cleanly.

Technical Flow

1. App sends scoped token

→

2. Proxy decrypts key

→

3. Injected outbound

→

4. Audit Logged

The raw key was never exposed to your application — it existed only in memory for the duration of the call.

Integration

Zero friction.

Three steps. Five minutes. Done.

Install the CLI

npm install -g apilocker

Authenticate securely

apilocker register

Run your app

apilocker run -- node index.js

~ /dev/project

❯ npm install -g apilocker

+ apilocker@1.1.0

added 1 package, and audited 2 packages in 1s

❯ apilocker register

Opening browser for authentication...

✔ Successfully authenticated as dev@company.com

❯ apilocker run -- node index.js

[API Locker] Proxy injected. Vault unlocked.

Server listening on port 3000...

Access

Your vault. Everywhere you work.

Manage your credentials natively through beautifully engineered interfaces.

❯ apilocker run -- node app.js

Injecting 14 credentials...

✔ Server listening on port 3000

CLI

Native terminal commands for seamless local development, quick script injections, and CI/CD pipelines.

Web Portal

A beautiful, centralized browser interface to manage team members, review audit logs, and rotate keys manually.

MCP

MCP Server

Natively expose your vault securely to your local AI agents using the Model Context Protocol standard.

IDE Integration

Native extensions for Google Antigravity, Cursor, Windsurf, & VS Code. Inject keys without leaving the editor.

Your vault, inside

Browse credentials, reveal secrets, rotate keys, create tokens, and monitor vault health — all without leaving your editor.

🔒

Works in your IDE today

Native extensions for VS Code, Cursor, Windsurf, and Antigravity.

🔍 API L|

🔒

API Locker

Install

Install in seconds

Search "API Locker" in your extensions marketplace and authenticate with one click.

Everything in the sidebar

Manage environments, view secret status, and copy values with zero context switching.

☁️

💻

Your existing vault, instantly

Already using the CLI or dashboard? Your credentials appear automatically. Same vault, new surface — zero reconfiguration.

Install for VS Code Install via Open VSX

Engineered
for peace of mind.

sk_live_83hf... ENCRYPTED

DATABASE_U... ENCRYPTED

OPENAI_API... ENCRYPTED

log_stream.sh

14:02:11 FETCH 'STRIPE_LIVE' [192.168.1.1]

14:15:00 ROTATE 'AWS_ACCESS' [Cron]

15:00:21 FETCH 'OPENAI_API' [10.0.0.5]

15:12:05 REVOKE 'GITHUB_PAT' [Admin UI]