Security first
Your API key never travels in plaintext. We encrypt everything on the client with RSA-OAEP-256 before sending.
BYOK — Bring Your Own Key
You bring your own AI provider key. The secret is never stored in plaintext on our server.
End-to-end encryption
We use the RSA-OAEP-256 algorithm in the browser. The backend only decrypts the key at use time and discards it from memory right after.
Architecture
Public JWK key exposed to the client; private key stays server-side only. Result: the raw secret leaves your browser at most once, always encrypted.