Terms of Service
Last updated: April 8, 2026
These terms describe the deal between you and API Locker. By creating an account or using the service, you agree to them. If you don't agree, don't use the service.
1. What the service is
API Locker is a credential vault and proxy. You store API keys and other secrets with us; we encrypt them; your apps and agents proxy requests through our service to the underlying API providers, and we inject your credentials into those requests automatically. You can manage, rotate, pause, and revoke credentials through your dashboard.
2. Your account
You must sign in with a supported OAuth provider (currently Google or GitHub). You are responsible for all activity under your account. Keep your refresh tokens and master tokens safe — if they leak, the attacker can reach anything your tokens are scoped to until you revoke them. We provide tools for rotation, pausing, revocation, and hard deletion; use them.
3. Acceptable use
Don't use API Locker to:
- Store credentials you don't have the right to use
- Proxy traffic that violates the terms of the downstream provider (e.g. using a Stripe key you don't own, or using an OpenAI API in violation of its usage policies)
- Generate, distribute, or facilitate illegal content
- Attempt to compromise the service, bypass rate limits, or extract credentials other than your own
- Resell the service to third parties without a reseller agreement
4. Pricing and billing
API Locker is free during public beta. We will notify you in advance of any move to paid plans, and you'll have the option to export your data or close your account before any charges apply.
5. Service availability
We do our best to keep the service running, but during beta there is no uptime SLA. API Locker runs on Cloudflare's global edge network. If Cloudflare has an incident, we probably do too. We recommend monitoring the health of your critical workflows independently.
6. Downstream providers
When you proxy a request, API Locker forwards it to the provider you chose (OpenAI, Stripe, etc.). We are not responsible for the availability, pricing, accuracy, or conduct of those providers. Their terms apply to the portion of your workflow that lives on their infrastructure.
7. Data
You own your data. We process it on your behalf to provide the service. See our Privacy Policy for details on what we collect, how we store it, and your rights. You can delete your data through the dashboard or by contacting us.
8. Termination
You can close your account at any time. We can suspend or terminate accounts that violate these terms, abuse the service, or put other users at risk. In an emergency we may suspend first and investigate after.
9. Warranties and liability
API Locker is provided "as is" during beta. We make no warranties beyond what's legally required. To the maximum extent allowed by law, our liability for any claim arising from your use of the service is limited to the amount you paid us in the 12 months preceding the claim (which during beta is zero).
API Locker stores and proxies credentials, and the security properties we provide depend on the secrets you store with us being handled correctly on your end. Don't paste your refresh token into public code or unsafe environments.
10. Changes
We may update these terms as the service evolves. We'll notify signed-in users about material changes via email or in the dashboard before they take effect. Continued use after an update means you accept the new terms.
11. Contact
Questions? Reach out at legal@apilocker.app.
These terms are a starting point for a credential-vault product in public beta. If you need a custom agreement (DPA, MSA, vendor assessment, etc.), contact us before rolling API Locker out across your organization.