Terms of Service
Last updated: April 9, 2026
These terms describe the deal between you and API Locker. By creating an account or using the service, you agree to them. If you don't agree, don't use the service.
1. What the service is
API Locker is a credential vault, an outbound proxy, and a Model Context Protocol (MCP) server. You store API keys, service credentials, and OAuth credentials with us; we encrypt them; your apps and agents proxy requests through our service to the underlying API providers, and we inject your credentials into those requests automatically. You can also connect MCP-compatible AI clients (Claude, Cursor, Zed, Continue, and any other client that speaks MCP) so they can read, manage, and act on your vault on your behalf. You can manage, rotate, pause, and revoke credentials through your dashboard, and you can revoke any connected MCP client at any time.
2. Your account
You must sign in with a supported OAuth provider (currently Google or GitHub). You are responsible for all activity under your account, including any actions taken by AI agents you have connected via MCP. Keep your refresh tokens and master tokens safe — if they leak, the attacker can reach anything your tokens are scoped to until you revoke them. We provide tools for rotation, pausing, revocation, and hard deletion; use them.
3. Acceptable use
Don't use API Locker to:
- Store credentials you don't have the right to use
- Proxy traffic that violates the terms of the downstream provider (e.g. using a Stripe key you don't own, or abusing an OpenAI API against its usage policies)
- Generate, distribute, or facilitate illegal content
- Attempt to compromise the service, bypass rate limits, or extract credentials other than your own
- Authorize MCP clients you don't recognize or trust — the consent screen exists for a reason; don't click Approve on a client you can't identify
- Use the MCP server to coordinate automated abuse against downstream providers (e.g. running a scripted agent through proxy_request to circumvent OpenAI or Stripe rate limits)
- Build a competing service that wraps API Locker without permission, or expose API Locker's functionality to your own users without a reseller agreement
- Resell the service to third parties without a reseller agreement
4. MCP server & AI agent connections
API Locker exposes a Model Context Protocol server at https://api.apilocker.app/v1/mcp with 21 tools mirroring the dashboard and CLI. Two connection paths are supported:
- Local MCP (stdio bridge): the apilocker mcp command in our CLI authenticates with a per-device master token stored at ~/.apilocker/config.json. Anyone with that file has the same vault access you do; treat the file as you would an SSH private key.
- Remote MCP (OAuth 2.1): third-party MCP clients (e.g. Claude on claude.ai) can authenticate via the OAuth 2.1 authorization code flow with PKCE. When you click Approve on the API Locker consent screen, you are granting that specific client an access token (1-hour lifetime) and a refresh token (90-day lifetime, rotated on use) scoped to the permissions you approved.
Your responsibility when approving an OAuth client: the consent screen displays the client's self-declared name and the scopes it is requesting. We do not verify the identity of third-party clients beyond their ability to complete the OAuth handshake. If you approve a client you don't recognize, you may give it the ability to read every credential in your vault, make API calls on your behalf, or modify vault state. You are solely responsible for vetting any client you authorize. We strongly recommend only approving clients from organizations you know and trust (Anthropic for Claude, your IDE vendor for Cursor / Zed / Continue, etc.).
Revocation: you can revoke any connected client at any time from your dashboard. Revocation invalidates both the current access token and its refresh token; the client must re-authorize to reconnect. If you suspect a client has been compromised, revoke immediately and rotate any credentials it had access to.
Tool calls and audit logging: every MCP tool call (read, write, proxy) is audit-logged in your dashboard with timestamp, source IP, country, status code, and latency. You can review what any connected client has done in real time via apilocker activity --follow or the dashboard's activity feed.
Refresh token theft protection: our refresh tokens rotate on every use. If we detect that an old refresh token is reused (a strong indicator of token theft), we revoke the entire grant family — both the current and the leaked tokens — and the client must re-authorize through the consent screen.
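To make the grant model in this section concrete, here is an added Python sketch (not API Locker's own code) of one grant family per approved client: 1-hour access tokens, 90-day refresh tokens that rotate on every use, dashboard revocation, and family-wide revocation when a superseded refresh token is replayed. The in-memory store, token format and clock are constructed for the demo.

```python
import secrets
from dataclasses import dataclass

ACCESS_TTL = 3600          # access tokens live 1 hour
REFRESH_TTL = 90 * 86400   # refresh tokens live 90 days and rotate on every use

@dataclass
class Family:
    client_name: str            # self-declared name shown on the consent screen
    expires_at: float           # hard 90-day limit on the whole family
    current_refresh: str = ""   # only the most recently issued refresh token is live
    revoked: bool = False

class GrantStore:  # one grant family per approved MCP client (constructed in-memory demo)
    def __init__(self, now):
        self.now = now             # injectable clock keeps the demo deterministic
        self.families = {}         # family_id -> Family
        self.refresh_index = {}    # every refresh token ever issued -> family_id
        self.access_index = {}     # access token -> (family_id, expiry)

    def approve(self, client_name):  # user clicked Approve on the consent screen
        fid = secrets.token_hex(8)
        self.families[fid] = Family(client_name, self.now() + REFRESH_TTL)
        return fid, self._issue(fid)

    def _issue(self, fid):
        fam = self.families[fid]
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        fam.current_refresh = refresh          # supersedes any earlier refresh token
        self.refresh_index[refresh] = fid      # old tokens stay indexed so replays are recognised
        self.access_index[access] = (fid, self.now() + ACCESS_TTL)
        return {"access_token": access, "refresh_token": refresh}

    def refresh(self, token):
        fid = self.refresh_index.get(token)
        fam = self.families.get(fid)
        if fam is None or fam.revoked or self.now() > fam.expires_at:
            return {"error": "invalid_grant"}
        if token != fam.current_refresh:
            # A superseded token came back: treat it as theft and burn the whole family
            self.revoke(fid)
            return {"error": "invalid_grant", "reason": "refresh_token_reuse"}
        return self._issue(fid)

    def revoke(self, fid):  # dashboard revocation: access and refresh tokens die together
        self.families[fid].revoked = True

    def access_valid(self, access):
        fid, exp = self.access_index.get(access, (None, 0))
        return fid is not None and not self.families[fid].revoked and self.now() <= exp
```

After a reuse is detected, both the stolen token and the legitimate client's current token are dead, so the real client sees invalid_grant and must go back through the consent screen.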
5. Pricing and billing
API Locker is currently free. We will notify you in advance of any move to paid plans, and you'll have the option to export your data or close your account before any charges apply.
6. Service availability
We do our best to keep the service running, but there is currently no uptime SLA. API Locker runs on Cloudflare's global edge network. If Cloudflare has an incident, we probably do too. We recommend monitoring the health of your critical workflows independently.
7. Downstream providers
When you proxy a request, API Locker forwards it to the provider you chose (OpenAI, Stripe, etc.). We are not responsible for the availability, pricing, accuracy, or conduct of those providers. Their terms apply to the portion of your workflow that lives on their infrastructure.
8. Data
You own your data. We process it on your behalf to provide the service. See our Privacy Policy for details on what we collect, how we store it, and your rights. You can delete your data through the dashboard or by contacting us.
9. Termination
You can close your account at any time. We can suspend or terminate accounts that violate these terms, abuse the service, or put other users at risk. In an emergency we may suspend first and investigate after.
10. Warranties and liability
API Locker is provided "as is". We make no warranties beyond what's legally required. To the maximum extent allowed by law, our liability for any claim arising from your use of the service is limited to the amount you paid us in the 12 months preceding the claim (which on the free plan is zero).
API Locker stores and proxies credentials, and the security properties we provide depend on the secrets you store with us being handled correctly on your end. Don't paste your refresh token into public code or unsafe environments.
11. Changes
We may update these terms as the service evolves. We'll notify signed-in users about material changes via email or in the dashboard before they take effect. Continued use after an update means you accept the new terms.
12. Contact
The right address depends on what you want to talk about:
- Legal & terms questions: legal@apilocker.app
- Privacy questions: privacy@apilocker.app
- Security disclosures: security@apilocker.app — please don't open public GitHub issues for security findings
- General support: support@apilocker.app
- Product feedback & feature requests: feedback@apilocker.app
- Bug reports: github.com/apilocker/apilocker/issues
These terms are a starting point for a credential-vault product. If you need a custom agreement (DPA, MSA, vendor assessment, etc.), contact us before rolling API Locker out across your organization.