Security first

Your API key never travels in plaintext. We encrypt everything on the client with RSA-OAEP-256 before sending.

BYOK — Bring Your Own Key

You bring your own AI provider key. The secret is never stored in plaintext on our server.

End-to-end encryption

We use the RSA-OAEP-256 algorithm in the browser. The backend only decrypts the key at use time and discards it from memory right after.

Architecture

Public JWK key exposed to the client; private key stays server-side only. Result: the raw secret leaves your browser at most once, always encrypted.

BYOK E2E encryption flowYour browserRSAOAEP-256public keyDelfos backendJWKuseencrypted envelopeAt restencryptedpg_crypto