A single leaked key is the #1 way builders get hacked, and it has ended real projects overnight. The Vault is the simple fix: paste a secret once, and it's read only at the moment it's used. No secret sitting in a file. No copy in your repo. Nothing to leak.
Free, real, runnable. No charge, no account.
One idea, and the danger is gone: paste once, read at use.
Give the Vault a secret a single time (an API key, a token, a password). It's stored encrypted, not dropped into a file or committed to your repo.
Your code and config only ever mention the name, say ANTHROPIC_API_KEY. The name is safe to share. The value never appears.
The real value is fetched in memory at the exact moment it's needed, then it's gone. It's never written to disk in plain text, never logged, never echoed.
The rules are the product. They're simple on purpose, so you can't get it wrong.
The list of secret names can live in the open. The values never can. That one split kills the most common, most painful mistake: a key sitting in a file the whole world can read.
What unlocks the Vault isn't sitting in a file waiting to be stolen. There's no plaintext copy of your secrets anywhere to leak.
Per-user, by design. Your keys never mix with anyone else's, and nobody else's vault can ever reach yours.
It exists because the founder got hacked through a leaked key. Now it quietly guards every app in the APxAI family, and it's free for you to use the same way.
Most beginners get "hacked" the same way I almost did. A key ends up somewhere public, a repo or a deploy log, and a bot finds it within minutes. APxAI is built so that can't happen by accident. Here is exactly how it works, in plain terms.
It goes into a vault on your own machine, encrypted with AES-256-GCM. The code that uses it never handles the raw key. It asks the vault, and the vault hands back only what's needed, only when it's needed.
When one of your agents calls a model (Claude, GPT, whichever you pick), your key is pulled for that single call and is never written into a log, a saved request, or anything that leaves your computer.
The vault knows you have a key called, say, OPENAI_API_KEY. It will tell you the name. It will never print the value.
Before any code is committed or deployed, a guard scans it for anything secret-shaped and stops cold if it finds one. This isn't theory: while building this very site, that guard caught and blocked a commit of mine.
The tools run locally, on your computer, with your own key. My keys are never in your download, and your key never travels to me. You and I are sealed off from each other by design.
So how does the model actually get used? Your agent reads your key from your vault at call time, talks to the model provider directly, and gets the answer back. ClaudeJr sits in front of that to cut the cost (most of my bill, around 66% measured) and to keep anything secret-shaped from sneaking into something that gets stored or sent.
No system is unhackable, and I won't pretend otherwise. What this removes is the easy way to get burned. There's no key sitting in plaintext on disk to steal, and there's a guard between your secrets and anything public. That's the difference between "I lost a key once" and "I sleep fine now."
The good news: because it's real and it's yours, you can actually use it. Bring your own agents, point them at your own keys in your own vault, and integrate. You get the same protection I built for myself.
Protect your keys like the password to your whole life, because to a hacker, they are. The Vault makes that protection a single rule you follow once, then never think about again.
Part of the free APxAI toolset, alongside ClaudeJr, CloudJr, Deploy Doctor and the VS Code extension. No charge, no account, no card. The optional Founding Supporter membership backs the mission; it gates nothing here.