Can VaultProof read my API key?

VaultProof stores encrypted shares separately and does not store whole plaintext API keys at rest. During a proxied call, the key is assembled briefly in memory, used for the upstream request, and then cleared.

Does VaultProof work with existing SDKs?

Yes. The init flow rewrites environment variables so supported SDKs keep using their existing API key and base URL settings while requests route through VaultProof.

How is VaultProof different from a traditional vault?

Traditional vaults usually return the whole secret to the application. VaultProof is designed to keep the raw provider key out of application code and AI agent context by routing calls through a proxy.

Active Key Protection

Stop leaked API keys from becoming incidents

VaultProof protects provider keys, keeps raw keys out of apps and deployment workflows, and gives you usage visibility plus fast revocation when something looks wrong.

Get started

vaultproof.dev/app/dashboard/routes

2.1B

Requests today

+12.4%

0.4ms

p99 latency

-8.2%

99.99%

success rate

+0.01%

213

active routes

Route	Method	Upstream	p99	Req/s	Status
/api/v1/openai	GET	openai-proxy	0.8ms	3,241	Healthy
/api/v1/anthropic	POST	claude-proxy	1.2ms	1,847	Healthy
/api/v1/stripe	POST	billing-proxy	2.1ms	892	Healthy
/api/v1/notion	PUT	workspace-proxy	1.8ms	167	Review
/api/v1/custom	GET	internal-api	0.3ms	524	Healthy

All systems operational213 routes protectedLast sync: 2s ago

Built for anyone using

OpenAI

Anthropic

Google AI

Notion

Runway

Vercel

Arc

99.9%

proxy uptime target

shares required

SSE

streaming ready

plaintext keys at rest

VS THE FIELD

One column of dots, for a reason.

VaultProof is for anyone who needs API keys to be usable without being handed directly to apps, build logs, agents, or context windows.

Capability

VaultProof

Doppler

HCP Vault

1Password

Key never sits whole in app config

Split-key storage before upload

Proxy URL for AI agents

Per-call audit log

Dedicated enterprise runtime

Enterprise

Available

04 / PRICING

Scan is free. Proxy is metered.

free

$0/mo

Scan + try the proxy

calls/mo10,000

key slots3

audit log7d

get started

starter

$5/mo

Side projects

calls/mo50,000

key slots10

audit log30d

get started

pro

recommended

$20/mo

Growing projects

calls/mo500,000

key slots50

audit log1y

get started

enterprise

talk

Custom SLA & audit

calls/mo∞

key slots1,000

audit logcustom

FAQ

Questions before switching.

Short answers first. The longer versions live in the docs and security architecture pages.

What if VaultProof goes down?

Your fallback depends on your chosen deployment and policy. Enterprise deployments can use dedicated runtime options, and you can define operational procedures for break-glass access. The public docs cover the proxy and runtime model.

Can VaultProof itself read my key?

VaultProof is designed so raw keys are not stored whole at rest. During proxy use, the key is assembled briefly in memory to call the upstream provider, then cleared. The security page documents that boundary directly.

How is this different from Vault or Doppler?

Traditional secret managers protect values at rest and then hand the full secret to the app. VaultProof focuses on keeping the raw provider key out of the app and agent context by using a proxy URL and split shares.

Does it work with Claude Code, Cursor, or Codex?

Yes. The agent gets a proxy credential and provider-compatible base URL. It can call the model while the real provider key stays out of prompts, logs, and local environment files.

What is the latency overhead?

There is an extra proxy hop. The practical impact depends on provider, region, and workload. For LLM calls, the model response usually dominates total request time, and VaultProof supports streaming responses.

HOW IT WORKS

Split before storage. Reconstruct only to call.

The workflow is intentionally boring: scan env files, split keys, rewrite config, route calls through a provider-compatible proxy.

STEP 01

You split.

The CLI finds API keys and creates separate shares before the whole secret is uploaded anywhere.

STEP 02

We store one encrypted share.

The stored share is policy controlled and mathematically insufficient on its own.

STEP 03

The proxy calls upstream.

The key is assembled for the request, sent to the provider, then removed from memory.

WORKS WITH

250 provider signatures · custom APIs · NetOps env secrets

Start with the built-in provider catalog, or define a custom HTTP provider for internal services.

OpenAI

Anthropic

Google AI

Mistral

Cohere

Groq

Perplexity

DeepSeek

Fireworks

Together

Replicate

Custom

FOR AI AGENTS

Your agent gets a proxy URL. Never the key.

Hand Claude, Codex, Cursor, or another AI coding workflow a VaultProof project token and provider-compatible base URL. The agent does its work without seeing the raw sk- value.

Dashboard

agent.env

# Agent prompt
# Use this proxy URL. Do not log secrets.
OPENAI_API_KEY=vp-proj_7b3a9f1c8e
OPENAI_BASE_URL=https://proxy.vaultproof.dev/v1

# Agent makes a normal provider call.
curl https://proxy.vaultproof.dev/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -d '{"model":"gpt-4o","messages":[...]}'