proxykey API KEY VAULT

What is an API key proxy and how does it work

A scheme where the real key never leaves the vault, and applications call the API with virtual tokens. How it's built, how it differs from secrets managers, and what switching costs.

2026-07-05 · proxykey

The problem: everyone needs the key, no one can be trusted with it

One OpenAI key spreads across the backend, scripts, CI, developer laptops, and AI agents. Every copy is an independent leak point: a commit to a public repo, a line in a log, an environment dump. Meanwhile the provider knows only one key: when it leaks, you rotate it everywhere at once, with downtime for everything that sat on it.

How a credential proxy works

A key proxy (credential proxy) breaks the "application ↔ real key" link. Three objects:

ObjectWhat it is
SecretThe real provider key. Entered once, encrypted (in proxykey — AES-256-GCM with envelope encryption), and never returned by any API again.
PassA virtual token (vlt_…) bound to a secret. This is what applications receive. Each pass has its own IP binding, its own rpm/rpd limits, its own expiry and its own log.
ProxyThe gateway requests go through. It validates the pass, decrypts the secret in memory for the single request, injects it, and forwards the request to the provider as-is.
app ──(vlt_ pass)──▶ proxy ──(real key)──▶ provider
                       │
            checks: status, IP, limits
            log: method, path, status, latency

The key consequence: the zone where the real key can leak shrinks to a single server. Everything else — code, configs, CI, agent contexts — only ever handles revocable tokens.

How this differs from a secrets manager

Vault or AWS Secrets Manager solve storage and delivery: the key is kept centrally and handed to the app at startup. But at runtime the key still sits in the app's memory and environment — and leaks together with it.

A credential proxy solves non-delivery: the application never receives the key at any point. That's a different class of guarantee — a leak on the application side cannot reveal the original, by construction.

Secrets managerCredential proxy
Key inside the appYes, at runtimeNever
App-side leakExposes the keyExposes a revocable token
RevocationRotate the key everywhereOne click, original untouched
Per-consumer limits and IPNoPer token
Traffic visibilityNoEvery request logged

What changes in your code

Two lines — the host and the key. Everything else (path, method, body, SSE streaming) passes through the proxy unchanged:

# before — straight to OpenAI
curl https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer sk-...real..."

# after — through proxykey
curl https://api.proxykey.org/p/openai/v1/chat/completions \
  -H "Authorization: Bearer vlt_openai_..."

For SDKs it's a single baseURL setting. Supported: OpenAI-compatible APIs, Anthropic, Telegram bots (token in the URL path), Stripe, Slack, GitHub, and any custom REST API — the full list is in the docs.

When it pays off the most

FAQ

How much latency does it add?

One extra hop and a cached token check — single-digit milliseconds against the hundreds of milliseconds an LLM takes to respond. Streaming is proxied as a stream, no buffering.

What if the proxy itself goes down?

That's the honest trade-off: the proxy is a critical point. Look at how a specific service is built: proxykey's hot path runs on a validation cache and degrades predictably (cache when the DB is down, fail-closed for validation).

Does the proxy see my requests?

A proxy by definition sits on the traffic path — what matters is what it logs. proxykey records metadata (method, path, status, latency) but never auth headers or key values; request-body previews only if you explicitly enable them per pass.

Try it on one key

Store a key, get a pass, switch one service over — it takes a minute. Free, no card required.

Get started →