The problem
When you code with AI tools such as Cursor, Claude Code, or Copilot, your API keys often sit in a plaintext.env file. The AI agent reads your code, so it can see your keys.
A compromised dependency can see them too.
The solution
Elding is a local gateway between your application and the APIs it calls. Your code uses placeholders; the gateway injects the real key into the outgoing request at the last possible moment. The key only passes through the gateway and never enters your application.The gateway (proxy)
Injects the real key into the outgoing request. Your application only sees a placeholder.
Domain locking
A key can only be sent to its authorized domain. Even if stolen, it is useless elsewhere.
CLI & SDK
Run
elding proxy -- node app.js and you are ready. No .env file.The vault
Your keys are stored encrypted with AES-256-GCM, organized into sets, and served to the gateway.
More than AI protection
Because the key is never inside your application, nothing there can read it: not your AI agent, a compromised npm package, your logs, or a.env file committed by mistake. The gateway
keeps it outside and injects it at the last moment.
This is what makes Elding different: other tools return the key to your application.
Elding prevents it from entering the application in the first place.
The promise
Your keys never touch your application. The gateway injects them from the outside: never on
your disk, never in your application’s memory, never available to commit, and invisible even
to an AI coding agent.
Quickstart
Go from zero to injected secrets in four commands.