Skip to main content
Your API keys are valuable: they provide access to OpenAI, Stripe, databases, and other services. The problem is that a key eventually leaks from wherever it is stored. Elding keeps it outside your application, so there is nothing there to steal. These are the leaks it prevents.

1. Your AI agent sees your keys

You code with Cursor, Claude Code, or Copilot. The AI reads your code, terminal, and logs. If your key is present, the AI can see it, and it may end up in a prompt, history, or another system.
With Elding, the AI only sees a {{OPENAI_KEY}} placeholder, never the real key.

2. You commit a key by mistake

The classic mistake is pushing a .env file to GitHub. Automated bots can find and steal the key within minutes.
No .env file and no real key in your project means nothing sensitive to commit.

3. A compromised npm package steals your keys

You install a dependency that silently reads process.env and sends your keys to an attacker-controlled server. This happens in real incidents.
The key is not inside your application, so the package finds nothing.

4. Your key appears in logs

A console.log, crash report, or monitoring service such as Sentry can write your key into logs that many people can access.
Logs only capture the placeholder.

5. Your key is sent to the wrong destination

Malicious code could try to send your OpenAI key somewhere other than api.openai.com. Without protection, the key could be exfiltrated.
Each key is locked to its domain. Sending it elsewhere is blocked.

Summary

A key leaks from wherever it lives: a file, memory, or logs. Elding ensures it does not live anywhere in your application. A gateway injects it from the outside at the last moment. Regardless of who inspects your application, there is nothing to see.

How it works

A simple explanation of the gateway.