Zero-knowledge encryption

A Zero-Knowledge API Key Wallet

Your AI API keys never leave your browser unencrypted. Apps use them through a secure proxy without ever seeing the raw key.

The problem

The Raw Key Risk

Every AI app you use today asks for your raw API key. One breach exposes everything.

Typical AI app integration
// Every app gets your raw key
import OpenAI from "openai";

const client = new OpenAI({
  apiKey: "sk-proj-4f8a...9x2b"
});
// Your key is stored in:
// - their database (plaintext?)
// - their server logs
// - their error tracking
// - environment variables
// One breach = your key is exposed
// You have no spending control
// You can't revoke per-app

Stored in plaintext

Most apps store your key in their database with minimal encryption. A single SQL injection exposes every user's keys.

Scattered across services

You paste the same key into 5, 10, 20 different apps. Each one is an attack surface. Each one can be breached independently.

No spending control

Once an app has your key, it can make unlimited requests. There is no per-app budget, no rate limit, no kill switch.

No visibility

You have no idea which app made which request, how much each app is spending, or whether a key is being misused.

The solution

Zero-Knowledge Architecture

Your keys are encrypted in your browser before they ever touch our servers. Even 1Relay cannot read them.

Step 1

Master Password

You enter a master password. It never leaves your browser. Not even a hash is sent to our servers.

Step 2

Argon2id Key Derivation

Your password is stretched into a 256-bit encryption key using Argon2id (memory-hard, GPU-resistant).

Argon2id(pw, salt, 64MB, 3 iter)

Step 3

AES-256-GCM Encryption

Your API key is encrypted with the derived key using AES-256-GCM. Only ciphertext is stored on our servers.

AES-GCM(key, iv, plaintext)

What we store

// Our database only contains:
{
  "encrypted_key": "U2FsdGVkX1+8f...7kQ==",
  "salt": "a9f3...e2b1",
  "iv": "3c7b...8d4f"
}
// Without your password, this is random noise.
// Even if our database leaks, your keys are safe.

If our servers are compromised, attackers get ciphertext that is computationally infeasible to decrypt.
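
Steps 1 to 3 and the record under "What we store", as an added example that is not part of the original page or 1Relay's code. It assumes scrypt from Node's built-in crypto module as a stand-in for Argon2id so it runs without third-party packages; the function names, cost parameters and sample values are constructed for illustration.

```javascript
// Added example, not 1Relay's code. ASSUMPTION: scrypt (memory-hard, built into
// Node) stands in for Argon2id so the block runs without third-party packages.
const crypto = require("node:crypto");

// scrypt cost: N=2^15, r=8 uses about 32 MiB per derivation.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const TAG_LEN = 16; // AES-GCM authentication tag, bytes

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF); // 256-bit key
}

// Encrypts apiKey and returns the three-field record shown under "What we store".
function sealApiKey(password, apiKey) {
  const salt = crypto.randomBytes(16); // per-record KDF salt
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, never reused with a key
  const key = deriveKey(password, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  key.fill(0); // best-effort wipe of the derived key
  // The tag is appended to the ciphertext, the layout WebCrypto's AES-GCM produces.
  return {
    encrypted_key: Buffer.concat([body, cipher.getAuthTag()]).toString("base64"),
    salt: salt.toString("hex"),
    iv: iv.toString("hex"),
  };
}

// Returns the API key, or null if the password is wrong or the record was altered.
function openApiKey(password, record) {
  const blob = Buffer.from(record.encrypted_key, "base64");
  if (blob.length < TAG_LEN) return null;
  const key = deriveKey(password, Buffer.from(record.salt, "hex"));
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "hex"));
    d.setAuthTag(blob.subarray(blob.length - TAG_LEN));
    const body = blob.subarray(0, blob.length - TAG_LEN);
    return Buffer.concat([d.update(body), d.final()]).toString("utf8");
  } catch {
    return null; // GCM tag mismatch: wrong key or tampered salt/iv/ciphertext
  } finally {
    key.fill(0);
  }
}

// Constructed sample values, for illustration only.
const sample = sealApiKey("constructed master password", "sk-constructed-0000");
console.log(sample, openApiKey("not the password", sample));
```

The `null` from `openApiKey` comes from the GCM tag check, so a wrong password and a modified record look the same to the caller. The record is only as strong as the master password: the KDF cost slows each guess but does not rescue a weak one.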

How it works

Secure Proxy in Milliseconds

When an app needs to call an AI API, here is what happens.

01

App sends request

The app calls 1Relay's proxy endpoint instead of OpenAI directly. No API key needed in the request.

02

Token validated

1Relay verifies the app's access token, checks budget limits, and confirms rate limits have not been exceeded.

03

Key decrypted

In an isolated Cloudflare Worker, the session key decrypts your API key in memory for milliseconds.

04

Request proxied

The decrypted key is injected into the provider request, sent, then immediately zeroed from memory.

Total overhead: <5ms added latency on Cloudflare's edge network

Everything you need

Built for developers and users who take API key security seriously.

Client-side encryption

Argon2id + AES-256-GCM in your browser. Your master password never touches a server.

Link SDK

Drop-in widget for apps. Users authorize access, set budgets, and pick providers. Like Plaid Link, but for AI.

Usage analytics

See every request by app, provider, and model. Track spending per connection in real time.

Budget controls

Set monthly spending caps per app. Rate limit requests per minute. Automatic cutoff when exceeded.

Bot tokens

Generate scoped tokens for AI bots and agents. Separate budget, rate limit, and model access per token.

Multi-provider

OpenAI, Anthropic, and Google Gemini supported. Add keys once, use across all connected apps.

Works with your favorite AI providers

Store and manage keys for all major AI platforms in one encrypted vault.

OpenAI
Anthropic
Google Gemini

Stop sharing your raw API keys

Create your encrypted vault in under a minute. Free during beta. No credit card required.

Free during beta. No credit card. Open source.