Documentation

How API Secure Works

Zero-server encryption for AI agents and developers

Quick Start

🔒 Encrypting an API Key

  1. Go to the Encryption Tool: Visit apisecure.app/encrypt
  2. Enter Your API Key: Type or paste your API key in the secure input field
  3. Copy the Passphrase: A 24-character passphrase is auto-generated. Copy and save it.
  4. Click Encrypt: Your key is encrypted in-browser using AES-256-GCM
  5. Share Securely: Send the SECDROP-P:... blob + passphrase separately to the recipient

🔓 Decrypting an API Key

  1. Go to the Decryption Tool: Visit apisecure.app/decrypt
  2. Paste the Encrypted Blob: Enter the full SECDROP-P:... ciphertext you received
  3. Enter the Passphrase: Type the passphrase shared separately (e.g., "turtle-rainbow-99")
  4. Click Decrypt: Your API key is decrypted in-browser and displayed
  5. Copy and Use: Copy the decrypted key and clear your clipboard after using it

For AI Agents

Option 1: Browser-Based Decryption (Recommended)

The easiest way for AI agents to decrypt API keys is browser automation:

    # Use browser.act() to fill the decrypt form
    browser(action: "open", targetUrl: "https://apisecure.app/decrypt")
    browser(action: "act", request: { kind: "type", ref: "ciphertext-input", text: "SECDROP-P:AgHJk3..." })
    browser(action: "act", request: { kind: "type", ref: "passphrase-input", text: "your-passphrase" })
    browser(action: "act", request: { kind: "click", ref: "decrypt-button" })

Why browser-based? Zero setup, uses the official web tool, fully auditable in real-time.

Option 2: Node.js Decryption Skill

For command-line workflows or automated systems, use the Node.js decrypt skill:

    # Install the AgentSkill from GitHub
    git clone https://github.com/CharlescSturt/apisecure
    cd apisecure

    # Decrypt and store to .env file
    node store-api-key.js "SECDROP-P:AgHJk3..." "your-passphrase" "ENV_VAR_NAME"

Example Discord workflow:

  • Human: "Here's the OpenAI key: SECDROP-P:AgD5h8... Passphrase: turtle-rainbow-99"
  • AI Agent runs decrypt command
  • API key stored in ~/.env

Skill location: github.com/CharlescSturt/apisecure


Security Deep Dive

Why Browser-Only Encryption?

API Secure performs all encryption in your browser using the Web Crypto API. This means:

  • Zero server storage: Your plaintext API key never touches our servers
  • Zero-knowledge architecture: We cannot decrypt your data, even if compelled
  • No account required: No login, no database of users, no attack surface
  • Transparent: Open source code you can audit yourself

Threat Model

Protects against:

  • Passive network sniffing (e.g., compromised Discord)
  • Server-side breaches (there is no server)
  • Replay attacks (unique IV + salt per encryption)
  • Tampering (GCM authentication tag)

Does NOT protect against:

  • Compromised sender/recipient devices (keyloggers, malware)
  • Passphrase interception (shoulder surfing, screenshares)
  • Clipboard history tools (clear clipboard after copying)

Browser-Based Decryption

How It Works

The decryption tool at /decrypt provides a simple, secure way to decrypt API keys without installing any software.

  • Zero installation: Works directly in your browser
  • Client-side only: Decryption happens locally, passphrase never leaves your device
  • Same security: Uses identical AES-256-GCM implementation as encryption
  • Auto-clear: Decrypted keys can be copied and automatically cleared from view

Step-by-Step Guide

  1. Receive Encrypted Data: Get both the SECDROP-P:... blob and passphrase from the sender (sent separately for security)
  2. Open Decrypt Page: Navigate to apisecure.app/decrypt in any modern browser
  3. Paste Encrypted Blob: Copy and paste the full SECDROP-P:... string into the "Encrypted API Key" field
  4. Enter Passphrase: Type the passphrase exactly as received (case-sensitive, 24 characters)
  5. Decrypt & Copy: Click "Decrypt" to reveal your API key, then use the "Copy" button
  6. Clear & Close: Clear the decrypted key from screen and clipboard when done for security

Security Best Practices

  • Close the tab: Don't leave decrypted keys visible on screen
  • Clear clipboard: Copy something else after using the key
  • Private browsing: Use incognito/private mode if on a shared device
  • Verify sender: Only decrypt keys from trusted sources
  • Check the blob: SECDROP-P: prefix confirms proper encryption format

Browser Compatibility

The decrypt page requires Web Crypto API support (available in all modern browsers since 2014):

  • Chrome: 37+
  • Firefox: 34+
  • Safari: 7+
  • Edge: 12+

Technical Specifications

  • Algorithm: AES-256-GCM
  • Key Derivation: PBKDF2-SHA256
  • Iterations: 100,000
  • IV Length: 12 bytes (96 bits)
  • Salt Length: 16 bytes (128 bits)
  • Auth Tag: 16 bytes (GCM)

Ciphertext Format (Version 2)

    SECDROP-P:base64(
      [0]        version (1 byte: 0x02)
      [1]        algorithm (1 byte: 0x01 = PBKDF2)
      [2-17]     salt (16 bytes)
      [18-29]    IV (12 bytes)
      [30..-17]  ciphertext
      [-16..]    auth tag (16 bytes)
    )

AAD Binding: Ciphertext includes "api-key-secure-send-v1" as Additional Authenticated Data, preventing format confusion attacks.

Version History: Version 2 is the current format. Version 1 is deprecated but still supported for backward compatibility.
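
The version 2 layout and parameters above, as an added example (not the project's own code): a Node.js parser and decryptor that uses Node's built-in crypto module rather than the browser Web Crypto API. Standard base64, UTF-8 encoding of the passphrase and AAD string, and all function names are assumptions; encryptBlob exists only to construct a sample blob.

```javascript
// Added example, not the project's code. Layout and parameters follow the spec
// above; standard base64 and UTF-8 passphrase/AAD encoding are assumptions.
const nodeCrypto = require('node:crypto');

const PREFIX = 'SECDROP-P:';
const AAD = Buffer.from('api-key-secure-send-v1', 'utf8');
const MIN_LEN = 2 + 16 + 12 + 16; // header + salt + IV + tag, with empty ciphertext

function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(Buffer.from(passphrase, 'utf8'), salt, 100000, 32, 'sha256');
}

// Split a blob into fields. Version 1's layout is not documented on the page, so it is rejected.
function parseBlob(blob) {
  if (typeof blob !== 'string' || !blob.startsWith(PREFIX)) throw new Error('missing SECDROP-P: prefix');
  const raw = Buffer.from(blob.slice(PREFIX.length), 'base64');
  if (raw.length < MIN_LEN) throw new Error('blob too short');
  if (raw[0] !== 0x02) throw new Error('unsupported version ' + raw[0]);
  if (raw[1] !== 0x01) throw new Error('unsupported algorithm ' + raw[1]);
  return {
    salt: raw.subarray(2, 18),
    iv: raw.subarray(18, 30),
    ciphertext: raw.subarray(30, raw.length - 16),
    tag: raw.subarray(raw.length - 16),
  };
}

function decryptBlob(blob, passphrase) {
  const { salt, iv, ciphertext, tag } = parseBlob(blob);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  d.setAAD(AAD);
  d.setAuthTag(tag);
  // final() throws if the passphrase, AAD, tag or any ciphertext byte does not match.
  return Buffer.concat([d.update(ciphertext), d.final()]).toString('utf8');
}

// Used only to construct a sample blob in the same layout.
function encryptBlob(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  c.setAAD(AAD);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const raw = Buffer.concat([Buffer.from([0x02, 0x01]), salt, iv, body, c.getAuthTag()]);
  return PREFIX + raw.toString('base64');
}
```

A blob with a flipped ciphertext byte, a wrong passphrase, or a different AAD string fails in final() before any plaintext is returned, which is the tamper check the threat model relies on.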

FAQ

Is this really zero-knowledge?
Yes. Encryption happens entirely in your browser. The passphrase is never transmitted to any server. We have no way to decrypt your data.
Can you decrypt my data?
No. We don't have your passphrase. Without it, AES-256-GCM ciphertext is computationally infeasible to break (would require more energy than exists in the universe).
Is the code audited?
The code is open source (MIT license) and auditable by anyone. The crypto implementation uses the standard Web Crypto API, which is battle-tested in all major browsers.
What if I lose the passphrase?
The data is permanently unrecoverable. There is no "forgot password" feature because we don't store anything. Keep your passphrase safe.
Browser compatibility?
Requires a modern browser with Web Crypto API support: Chrome 37+, Firefox 34+, Safari 7+, Edge 12+. All major browsers from 2014 onwards.
Why open source the encryption?
Kerckhoffs's Principle: Security should not rely on obscurity. Open source crypto is more secure because it can be audited by experts. The security comes from the key (passphrase), not the secrecy of the algorithm.
