KeyVault.

We make stolen API keys irrelevant.

KeyVault Edge started with a real breach. Our own OpenAI key ended up in a public commit and was exploited in 11 minutes. We built the tool we needed.

The problem no one was solving

API keys are the most stolen credential type in the world. 29+ million secrets leaked on GitHub in 2025 alone - AI-assisted commits made it worse.

Every existing solution - secret managers, API gateways, CDN shields - either stores secrets without proxying, manages keys you issue (not consume), or requires a centralised backend that becomes its own single point of failure.

We mapped the entire landscape and found a gap no one had filled: an edge-native system that encrypts a third-party API key into a host-bound token, decrypts it at the edge, injects the real key, and forwards the request - all transparently, in under 40ms.

Secrets leaked annually (GitHub)29M+
Avg. exploit time after leak8 min
Share of breaches from credential theft80%
Global cost of API key abuse$4.8B

How we got here

24

2024

The Problem Crystallised

GitGuardian reported 12.8M secrets leaked on GitHub. Our founding team, working on a high-traffic AI app, found their own OpenAI key in a public commit. The exploit happened within 11 minutes.

Q1

2025 Q1

Architecture Designed

We mapped every existing solution - AWS API Gateway, Kong, Zuplo, HashiCorp Vault, Azure Key Vault. None solved the problem. We designed the first host-binding encryption schema for API keys.

Q3

2025 Q3

Edge Worker Prototype

First Cloudflare Worker that could decrypt a host-bound token, inject the real key, and forward to OpenAI in under 40ms. The latency was 28ms on average. We knew this was viable.

26

2026

KeyVault Edge Launched

Public launch with support for all major API providers, a full dashboard, and breach detection. Host-bound tokens, edge-deployed, production-ready.

How we build

Security by Default

Security is not a feature you toggle on. Every decision we make defaults to the most secure option. We assume breach.

Developer-First

Security tooling shouldn't require a two-week integration. Adding a sanitized token should take under ten minutes. We sweat the details so you don't have to.

Edge-Native

Centralized systems are single points of failure. We built on Cloudflare's global edge from day one - no exceptions.

Zero Vendor Lock-in

Works with OpenAI, Stripe, GitHub, AWS, Twilio - any HTTP API. We proxy transparently. You keep your provider relationships.

The team

Engineers who've shipped and maintained production systems, been paged at 2am over a leaked credential, and spent too long recovering from a breach that shouldn't have mattered.