RelayKey
Get started
For AI coding tools

Let Claude Code, Cursor, and Codex hit real APIs without your master keys.

Give each AI tool, developer, or workflow its own scoped, revocable RelayKey. Production credentials for OpenAI, Anthropic, Stripe, and your internal APIs never leave the dashboard. Every call logged.

Get a management API tokenllms-full.txt
One call

Bulk-import a .env file, replace real keys with RelayKeys

POST any .env contents to /api/v1/import. RelayKey detects the vendor for each key, creates a protected integration, issues a scoped RelayKey, and returns the snippets you need to apply.

POST /api/v1/import
curl -X POST https://app.relaykey.ai/api/v1/import \
  -H "Authorization: Bearer rk_mgmt_xxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "env": "OPENAI_API_KEY=sk-real\nANTHROPIC_API_KEY=sk-ant-real\nRESEND_API_KEY=re_real",
    "default_ttl_seconds": 2592000
  }'

Each entry in the response includes a proxy_token, a proxy_base_url, and a snippets object with env, node, and python changes ready to paste in.

The recipe

Four steps, every time

  1. 01

    Find the keys

    Grep .env files and source for real vendor API keys. Any key an app or agent can leak is a candidate.

    bash
    grep -RhoE '^[A-Z_]+_(API_KEY|TOKEN|SECRET)=.+' \
  .env .env.local .env.production 2>/dev/null
  2. 02

    POST to /api/v1/import

    Send the keys as a .env paste. Get back proxy URLs and per-SDK snippets.

    curl
    curl -X POST https://app.relaykey.ai/api/v1/import \
  -H "Authorization: Bearer rk_mgmt_xxxxxxxx" \
  -H "Content-Type: application/json" \
  --data-binary @- < .env
  3. 03

    Apply the SDK snippets

    For each imported key, replace the real key in .env with the RelayKey, add the *_BASE_URL var, and pass baseURL to the SDK constructor. The pattern is the same for every SDK.

    .env diff
    - OPENAI_API_KEY=sk-real-master-key
+ OPENAI_API_KEY=rk_proxy_xxxxxxxx
+ OPENAI_BASE_URL=https://proxy.relaykey.ai/conn_xxx
  4. 04

    Verify with a single curl

    Hit a known-safe upstream path through the proxy. Confirm the request appears in the audit log.

    curl
    curl -i https://proxy.relaykey.ai/conn_xxx/v1/models \
  -H "Authorization: Bearer rk_proxy_..."
Before / after

The exact one-line change, per SDK

OpenAI (Node)
before
new OpenAI({
  apiKey: process.env.OPENAI_API_KEY,
});
after
new OpenAI({
  apiKey: process.env.OPENAI_API_KEY,
  baseURL: process.env.OPENAI_BASE_URL,
});
Anthropic (Node)
before
new Anthropic({
  apiKey: process.env.ANTHROPIC_API_KEY,
});
after
new Anthropic({
  apiKey: process.env.ANTHROPIC_API_KEY,
  baseURL: process.env.ANTHROPIC_BASE_URL,
});
ElevenLabs (Node)
before
new ElevenLabsClient({
  apiKey: process.env.ELEVENLABS_API_KEY,
});
after
new ElevenLabsClient({
  apiKey: process.env.ELEVENLABS_API_KEY,
  environment: process.env.ELEVENLABS_BASE_URL,
});
Resend (Node)
before
new Resend(process.env.RESEND_API_KEY);
after
new Resend(process.env.RESEND_API_KEY, {
  baseUrl: process.env.RESEND_BASE_URL,
});
Cloudflare (curl)
before
curl https://api.cloudflare.com/client/v4/zones \
  -H "Authorization: Bearer $CF_TOKEN"
after
curl https://proxy.relaykey.ai/conn_xxx/client/v4/zones \
  -H "Authorization: Bearer rk_proxy_..."
Stripe (Python)
before
stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
after
stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
stripe.api_base = os.environ["STRIPE_BASE_URL"]
References

Files an agent should read

Ready to give your AI tools scoped access?

Get a management API token and post a .env. The response gives each tool its own scoped RelayKey and the code changes needed to stop using real production keys.

Get a management API token