Documentation

How API Secure Works

Zero-server encryption for AI agents and developers

Quick Start

  1. Go to the Encryption Tool: visit apisecure.app/encrypt
  2. Enter Your API Key: type or paste your API key in the secure input field
  3. Copy the Passphrase: a 24-character passphrase is auto-generated. Copy and save it.
  4. Click Encrypt: your key is encrypted in-browser using AES-256-GCM
  5. Share Securely: send the SECDROP-P:... blob + passphrase separately to the recipient

For AI Agents (OpenClaw Integration)

Receiving Encrypted API Keys

When someone sends you an encrypted API key via Discord:

  # Decrypt and store to .env file
  node store-api-key.js "SECDROP-P:AgHJk3..." "your-passphrase" "ENV_VAR_NAME"

Example Discord workflow:

  • Human: "Here's the OpenAI key: SECDROP-P:AgD5h8... Passphrase: turtle-rainbow-99"
  • AI Agent runs decrypt command
  • API key stored in ~/.env

Security Deep Dive

Why Browser-Only Encryption?

API Secure performs all encryption in your browser using the Web Crypto API. This means:

  • Zero server storage: Your plaintext API key never touches our servers
  • Zero-knowledge architecture: We cannot decrypt your data, even if compelled
  • No account required: No login, no database of users, no attack surface
  • Transparent: Open source code you can audit yourself

Threat Model

Protects against:

  • Passive network sniffing (e.g., compromised Discord)
  • Server-side breaches (there is no server)
  • Replay attacks (unique IV + salt per encryption)
  • Tampering (GCM authentication tag)

Does NOT protect against:

  • Compromised sender/recipient devices (keyloggers, malware)
  • Passphrase interception (shoulder surfing, screenshares)
  • Clipboard history tools (clear clipboard after copying)

Technical Specifications

  Algorithm       AES-256-GCM
  Key Derivation  PBKDF2-SHA256
  Iterations      100,000
  IV Length       12 bytes (96 bits)
  Salt Length     16 bytes (128 bits)
  Auth Tag        16 bytes (GCM)

Ciphertext Format

  SECDROP-P:base64(
    [0]        version (1 byte)
    [1]        algorithm (1 byte: 0x01 = PBKDF2)
    [2-17]     salt (16 bytes)
    [18-29]    IV (12 bytes)
    [30..-17]  ciphertext
    [-16..]    auth tag (16 bytes)
  )

AAD Binding: Ciphertext includes "api-key-secure-send-v1" as Additional Authenticated Data, preventing format confusion attacks.

FAQ

Is this really zero-knowledge?
Yes. Encryption happens entirely in your browser. The passphrase is never transmitted to any server. We have no way to decrypt your data.
Can you decrypt my data?
No. We don't have your passphrase. Without it, AES-256-GCM ciphertext is computationally infeasible to break (brute-forcing a 256-bit key would require more energy than exists in the universe). In practice the strength rests on the passphrase, which is why the tool generates a 24-character one and runs it through PBKDF2 before use.
Is the code audited?
The code is open source (MIT license) and auditable by anyone. The crypto implementation uses the standard Web Crypto API, which is battle-tested in all major browsers.
What if I lose the passphrase?
The data is permanently unrecoverable. There is no "forgot password" feature because we don't store anything. Keep your passphrase safe.
Browser compatibility?
Requires a modern browser with Web Crypto API support: Chrome 37+, Firefox 34+, Safari 7+, Edge 12+. All major browsers from 2014 onwards.
Why open source the encryption?
Kerckhoffs's Principle: Security should not rely on obscurity. Open source crypto is more secure because it can be audited by experts. The security comes from the key (passphrase), not the secrecy of the algorithm.
