KeyVault.

Simple, honest pricing

Cancel anytime. We'll give you a full data export.

Developer

$9/month

Solo developers shipping to production.

  • 10 sanitized tokens
  • 5,000,000 proxied requests/month
  • 5 domain bindings per token
  • Real-time breach detection
  • Email support
  • Analytics dashboard
  • 1 webhook destination
  • 7-day audit log
  • Team members
  • SLA guarantee
Most Popular

Starter

$39/month

Production apps and small teams.

  • 50 sanitized tokens
  • 50,000,000 proxied requests/month
  • 10 domain bindings per token
  • Real-time breach detection + anomaly alerts
  • Priority email support
  • Full analytics dashboard
  • 5 webhook destinations
  • 30-day audit log
  • Up to 5 team members
  • SLA guarantee

Pro

$149/month

Engineering teams with compliance requirements.

  • 200 sanitized tokens
  • 500,000,000 proxied requests/month
  • Unlimited domain bindings
  • Breach detection, anomaly alerts + cost caps
  • Priority support + live chat
  • Full analytics + CSV export
  • All webhook events + SIEM export
  • 90-day audit log
  • Up to 20 team members
  • 99.9% SLA

Enterprise

Custom

Unlimited scale, compliance, and dedicated support.

  • Unlimited tokens + requests
  • Customer-managed encryption keys (CMK)
  • Private edge node in your VPC (BYOP)
  • SSO (SAML) + SCIM provisioning
  • Dedicated account manager
  • Custom analytics + data export
  • All webhooks + SIEM (Splunk, Datadog, Elastic)
  • 1-year audit log retention
  • Unlimited team members
  • 99.99% SLA + custom MSA + DPA

All paid plans include overage billing at $0.20 per 1,000 requests above your limit, so you never get cut off mid-launch.

Frequently asked questions

What counts as a proxied request?

Every API call that passes through the KeyVault Edge network counts as one proxied request. That includes token validation, decryption, key injection, and forwarding to your upstream provider.

Can I use KeyVault Edge with any API provider?

Yes. KeyVault Edge is provider-agnostic. It works with OpenAI, Anthropic, Stripe, GitHub, AWS, Twilio, and any HTTP-based API. You point your request at our proxy endpoint instead of the provider's endpoint.

What happens if I exceed my monthly request limit?

We apply overage billing at $0.20 per 1,000 additional requests above your plan limit, or you can upgrade to the next tier. You will receive an alert before overages begin.

How does host-binding work?

When you create a sanitized token, you specify which domains or IP ranges are authorised to use it. The token is cryptographically bound to those hosts using AES-256-GCM. If the token is used from any other host, decryption fails and the request is blocked - even if the attacker has the token.

Do you store my real API keys?

Your real API keys are stored encrypted at rest using AES-256-GCM with per-key envelope encryption. They are never logged in plaintext and are only decrypted transiently in isolated V8 memory during request processing.

What is a Customer-Managed Encryption Key (CMK)?

On the Enterprise plan, you can provide your own AWS KMS, GCP Cloud KMS, or Azure Key Vault key. KeyVault Edge uses your key to wrap each per-token DEK - meaning we hold only ciphertext. Even a full database breach gives an attacker nothing they can decrypt without your KMS key.

Need a custom arrangement?

We work with security teams, compliance-heavy environments, and high-volume applications. SOC 2, custom DPA, CMK, and private edge nodes available on Enterprise.