Your credentials are sacred
APIClaw is built from the ground up with security as the foundation. Your API keys are encrypted, isolated, and never exposed to agents.
How We Protect Your Data
Four pillars of security that make APIClaw safe for your most sensitive integrations.
AES-256-GCM Encryption
All stored credentials are encrypted using AES-256-GCM — the same encryption standard used by governments and financial institutions. Your API keys never exist in plaintext.
- 256-bit encryption keys
- Authenticated encryption prevents tampering
- Keys derived using a secure key derivation function (KDF)
- Encryption at rest for all sensitive data
Zero Payload Logging
We never log request or response payloads. Your data passes through — we don't peek, store, or analyze the content of your API calls.
- No request body logging
- No response content storage
- Metadata-only analytics (call counts, latency)
- GDPR-compliant data handling
Tenant Isolation
Each workspace is completely isolated. Your credentials, usage data, and API configurations are separated at the database level — no cross-tenant data access.
- Database-level isolation
- Separate encryption keys per tenant
- No shared credential pools
- Audit logs per workspace
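The two pillars above (AES-256-GCM with KDF-derived keys, and a separate encryption key per tenant) combine into one storage routine. The following Go program is an added illustration, not APIClaw's own code: it derives a per-workspace key from a master key with HKDF-SHA256, seals a credential with AES-256-GCM, and binds the tenant and credential ids into the authenticated data so that a tampered record, a record copied between workspaces, or a record moved to another slot all fail authentication on decrypt. The salt label, the info prefix, the record layout (nonce || ciphertext || tag) and the sample master key are assumptions of this example; in production the master key would come from a KMS or HSM, which is what "stored separately" in the FAQ refers to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hkdfSHA256 derives one 32-byte output block with HKDF (RFC 5869):
// extract with the salt, then a single expand step over the info string.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // counter byte of the first (and only) block
	return expand.Sum(nil)
}

// TenantKey derives a distinct 256-bit data key per workspace from the master
// key; the salt label and info prefix are assumptions of this example.
func TenantKey(master []byte, tenantID string) []byte {
	return hkdfSHA256(master, []byte("apiclaw-example-tenant-key-v1"), []byte("tenant:"+tenantID))
}

func tenantGCM(master []byte, tenantID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(TenantKey(master, tenantID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts an API key under the tenant's key. Tenant and
// credential ids are bound in as additional authenticated data (AAD).
// Record layout: nonce || ciphertext || GCM tag.
func SealCredential(master []byte, tenantID, credID string, plaintext []byte) ([]byte, error) {
	gcm, err := tenantGCM(master, tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID+"/"+credID)), nil
}

// OpenCredential decrypts and verifies: any change to nonce, ciphertext, tag,
// key or AAD makes gcm.Open fail, which is the anti-tampering guarantee.
func OpenCredential(master []byte, tenantID, credID string, sealed []byte) ([]byte, error) {
	gcm, err := tenantGCM(master, tenantID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(tenantID+"/"+credID))
	if err != nil {
		return nil, errors.New("credential failed authentication")
	}
	return pt, nil
}

func main() {
	master := make([]byte, 32) // constructed: a real master key lives in a KMS/HSM
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	sealed, err := SealCredential(master, "ws_alpha", "replicate", []byte("r8_constructed_sample_key"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record (hex):", hex.EncodeToString(sealed))
	pt, _ := OpenCredential(master, "ws_alpha", "replicate", sealed)
	fmt.Println("decrypted by owning workspace:", string(pt))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = OpenCredential(master, "ws_alpha", "replicate", sealed)
	fmt.Println("after tampering:", err)
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenCredential(master, "ws_beta", "replicate", sealed)
	fmt.Println("opened under another workspace's key:", err)
}
```

The AAD binding is the detail worth copying: with only per-tenant keys, a database row moved within the same workspace (say, from the "openai" slot to the "replicate" slot) would still decrypt; binding the credential id makes that substitution fail as well.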
Server-Side Proxy
Direct Call requests are proxied server-side. Your agent never sees the actual API credentials — they stay on our secure infrastructure.
- Credentials never sent to agents
- TLS 1.3 for all connections
- Request signing and verification
- IP allowlisting available (Enterprise)
Direct Call: Secure by Design
Your agent calls APIs without ever seeing credentials.
Key Insight
Your agent sends a request like call_api('replicate', 'flux-schnell', {...}). APIClaw adds the real credentials server-side. The agent never sees or stores any API key — even if compromised, your credentials remain safe.
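The Direct Call flow above, together with the "Zero Payload Logging" and "Server-Side Proxy" pillars, comes down to one server-side function: take the agent's (provider, action, parameters), attach the credential, forward, and keep only metadata. The Go program below is an added example and not APIClaw's code. It assumes a plaintext in-memory vault (a real store would decrypt on demand), bearer-token authentication to the provider, an action name used as a URL path segment, and a constructed stand-in upstream server that only reports whether a token arrived.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// AgentRequest is everything an agent sends: provider, action, parameters.
// There is no field for a credential.
type AgentRequest struct {
	Provider string         `json:"provider"`
	Action   string         `json:"action"`
	Params   map[string]any `json:"params"`
}

// CallMeta is the only record the proxy keeps per call: status, latency and
// sizes, never the request or response payload.
type CallMeta struct {
	Provider, Action            string
	Status                      int
	LatencyMs                   int64
	RequestBytes, ResponseBytes int
}

// Proxy holds the server-side vault (provider -> secret) and the upstream base
// URL per provider. Plaintext vault values are an assumption of this example.
type Proxy struct {
	vault     map[string]string
	endpoints map[string]string
	client    *http.Client
	Log       []CallMeta
}

func NewProxy(vault, endpoints map[string]string) *Proxy {
	return &Proxy{vault: vault, endpoints: endpoints, client: &http.Client{Timeout: 10 * time.Second}}
}

// DirectCall forwards the agent's request upstream with the credential injected
// as a bearer token, returns the upstream body to the agent, and logs metadata only.
func (p *Proxy) DirectCall(req AgentRequest) ([]byte, CallMeta, error) {
	secret, haveSecret := p.vault[req.Provider]
	base, haveBase := p.endpoints[req.Provider]
	if !haveSecret || !haveBase {
		return nil, CallMeta{}, fmt.Errorf("provider %q is not configured", req.Provider)
	}
	// The action becomes a path segment; refuse anything that could escape it.
	if req.Action == "" || strings.ContainsAny(req.Action, "/?#\\") {
		return nil, CallMeta{}, errors.New("invalid action name")
	}
	body, err := json.Marshal(req.Params)
	if err != nil {
		return nil, CallMeta{}, err
	}
	up, err := http.NewRequest(http.MethodPost, base+"/"+req.Action, bytes.NewReader(body))
	if err != nil {
		return nil, CallMeta{}, err
	}
	up.Header.Set("Content-Type", "application/json")
	up.Header.Set("Authorization", "Bearer "+secret) // credential added here, server-side only
	start := time.Now()
	resp, err := p.client.Do(up)
	if err != nil {
		return nil, CallMeta{}, err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(io.LimitReader(resp.Body, 4<<20)) // cap the response size
	if err != nil {
		return nil, CallMeta{}, err
	}
	meta := CallMeta{Provider: req.Provider, Action: req.Action, Status: resp.StatusCode,
		LatencyMs: time.Since(start).Milliseconds(), RequestBytes: len(body), ResponseBytes: len(out)}
	p.Log = append(p.Log, meta) // body and out are deliberately not stored
	return out, meta, nil
}

func main() {
	// Constructed stand-in for a provider API: reports only whether a bearer token arrived.
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"authenticated":%t}`, strings.HasPrefix(r.Header.Get("Authorization"), "Bearer "))
	}))
	defer upstream.Close()
	p := NewProxy(map[string]string{"replicate": "r8_constructed_secret"}, map[string]string{"replicate": upstream.URL})
	out, meta, err := p.DirectCall(AgentRequest{Provider: "replicate", Action: "flux-schnell",
		Params: map[string]any{"prompt": "a lighthouse at dusk"}})
	if err != nil {
		panic(err)
	}
	fmt.Printf("agent receives: %s\nproxy logged: %+v\n", out, meta)
}
```

Two checks are worth keeping when adapting this: the action validation, because the agent controls that string and it is spliced into the upstream URL, and the fact that `CallMeta` has no field that could hold a payload, which makes "metadata-only" a property of the type rather than of discipline.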
Security Practices
Infrastructure Security
- Hosted on Vercel Edge Network with automatic DDoS protection
- Database on Convex with built-in encryption
- No single points of failure
- Automatic security patches
Access Control
- API key authentication for all requests
- Rate limiting to prevent abuse
- Workspace-level permissions
- Session management with secure tokens
Development Practices
- Security-first code reviews
- Dependency vulnerability scanning
- No secrets in version control
- Principle of least privilege
Security FAQ
Where are credentials stored?
All credentials are stored in our Convex database, encrypted with AES-256-GCM before storage. We use secure key derivation and rotation practices.
Can agents access my raw API keys?
No. Agents only send instructions (provider, action, parameters). APIClaw injects the real credentials server-side. Your keys never leave our infrastructure.
Do you log API request/response content?
No. We log only metadata: call counts, latency, success/failure status. The actual payloads — your prompts, images, data — are never logged or stored.
What happens if APIClaw is breached?
Even in a breach scenario, credentials are encrypted at rest. Without the encryption keys (stored separately), raw database access yields only ciphertext.
Are you SOC 2 compliant?
SOC 2 Type II certification is on our roadmap for 2026. We currently follow SOC 2-aligned practices and are preparing for formal audit.
Can I use my own API keys instead of Direct Call?
Yes! You can bring your own keys (BYOK) for any of the 22,000+ indexed APIs. Direct Call is optional — it's there when you want zero-config convenience.
Questions about security?
We're happy to discuss our security practices in detail. Enterprise customers get dedicated security reviews.