Learn how ARKA-AI protects your API keys with encryption, secure storage, and privacy-focused practices.
Your API keys are sensitive credentials that provide access to paid AI services. We take their protection seriously with multiple layers of security.
Keys are encrypted with AES-256-GCM before being stored in our database.
Your actual key values are never written to logs or error reports.
All API communications use TLS 1.3 encryption in transit.
Keys are only decrypted when making requests to AI providers.
When you add an API key to ARKA-AI:
Client-Side Validation
Your key is validated by making a test request to the provider's API.
AES-256-GCM Encryption
The key is encrypted using AES-256-GCM with a unique initialization vector (IV).
Secure Storage
Only the encrypted ciphertext is stored in our database. The encryption key is stored separately in environment variables.
On-Demand Decryption
Keys are only decrypted at runtime when making API requests, then immediately discarded from memory.
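The encrypt, store, and decrypt steps above can be sketched in Go as follows. This is an added example, not ARKA-AI's own code. It assumes a hypothetical environment variable KEY_ENCRYPTION_KEY holding a base64 32-byte key, a stored layout of IV followed by ciphertext and tag, and a record ID authenticated as associated data; the function names are also illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

// NewAEAD builds AES-256-GCM from a base64 key, as read from an environment variable.
func NewAEAD(b64Key string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(b64Key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("encryption key must be 32 bytes, base64-encoded")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns IV || ciphertext || tag, drawing a fresh random IV on every call.
// recordID is authenticated (assumption of this example) to pin the blob to its row.
func Seal(gcm cipher.AEAD, apiKey []byte, recordID string) ([]byte, error) {
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return gcm.Seal(iv, iv, apiKey, []byte(recordID)), nil
}

// Open checks the GCM tag before returning plaintext; callers zero it after use.
func Open(gcm cipher.AEAD, blob []byte, recordID string) ([]byte, error) {
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, fmt.Errorf("stored blob is too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

func main() { // KEY_ENCRYPTION_KEY is a hypothetical variable name
	if gcm, err := NewAEAD(os.Getenv("KEY_ENCRYPTION_KEY")); err != nil {
		fmt.Println("config error:", err)
	} else if blob, err := Seal(gcm, []byte("sk-constructed-sample"), "user-1"); err == nil {
		fmt.Printf("stored blob: %d bytes\n", len(blob))
	}
}
```

Because GCM is authenticated, a modified blob or a blob presented under a different record ID makes Open return an error instead of plaintext.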
Equally important is what we don't do with your API keys:
Help keep your keys secure by following these recommendations:
Use Dedicated Keys
Create a separate API key specifically for ARKA-AI. This makes it easy to revoke if needed without affecting other applications.
To rotate an API key:
When you update a key in ARKA-AI, the old encrypted value is immediately overwritten. There's no way to recover a previous key from our system.