Byoky

Encrypt your AI API keys locally. Never trust another extension with your OpenAI, Anthropic, or Gemini keys.

Your AI keys are worth $1000s. Stop pasting them into every new extension. byoky (Bring Your Own Key) is an open-source browser wallet that stores your LLM API keys and OAuth tokens in an encrypted local vault. Developers integrate via @byoky/sdk — their apps use your keys without ever seeing them. HOW IT WORKS 1. Install byoky and set a master password — your vault is encrypted on-device with AES-256-GCM. 2. Paste your API keys or sign in via OAuth. 3. Open any byoky-enabled app — approve access in one click. Your keys stay in the vault. FEATURES • Works with every major LLM provider — OAuth or API key support out of the box, plus OpenAI-compatible endpoints and custom bases. Full provider list on GitHub. • Setup tokens — use your paid chatbot subscription in addition to pay-per-use API keys. • Apps marketplace — install curated mini-apps that run sandboxed inside the wallet. Your keys stay in the vault. • Token Pool — discover free token gifts shared by the community, or publish your own. • Token gifts — share access with friends or teammates without sharing the key itself. Set budgets, expirations, revoke in one click. • Alias Groups — bucket apps by purpose (Personal, Work, Side Project) and pin each group to a specific key. Drag apps between groups to swap keys on the fly. • Cross-provider routing — drag an app between groups and the wallet transparently translates the request body, response body, and SSE streams. Apps keep calling their preferred SDK; byoky picks the upstream. • Mobile pairing — pair your iPhone or Android wallet via QR code; no extension install required for mobile users. • CLI / desktop support — route CLI tools through @byoky/bridge. Your keys never leave the browser. • Backend relay — @byoky/sdk/server lets your server make LLM calls through the user's browser. No secrets on the server. • Full audit log — every request timestamped by app, provider, status. • Spending caps — per-app and per-provider token limits, enforced in the proxy. • Encrypted export/import — back up the vault as a .byoky file. • Local-first — no cloud account, no telemetry, no tracking. SECURITY • AES-256-GCM encryption with PBKDF2 key derivation (600,000 iterations) via Web Crypto API. • Master password never leaves your device. • Keys never leave the extension — apps only receive short-lived session tokens. • Fully open source under MIT license. Audit the code: https://github.com/MichaelLod/byoky