Code Example
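```python
from okap import OkapClient
from openai import OpenAI

# Ask the vault for a scoped token instead of handling the raw provider key.
client = OkapClient("https://vault.okap.dev")
token = client.request_access(provider="openai", models=["gpt-4"])

# Point the OpenAI SDK at the base URL returned with the token, using the scoped token as the key.
ai = OpenAI(api_key=token.key, base_url=token.base_url)
```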
The Specification
Token Request
Apps request scoped access: provider, models, limits, expiration.
API Proxying
Vault proxies requests, injecting keys and enforcing limits.
Revocation
Users revoke any token instantly without rotating keys.
FAQ
Do apps need to support OKAP?
Yes. Apps implement the OKAP client instead of asking for raw keys. The more apps adopt it, the more useful it becomes.
Can I use this with Cursor, Claude Desktop, etc.?
Not yet. Those apps would need to add OKAP support. We're building the protocol so they can adopt it.
What providers are supported?
OpenAI, Anthropic, and Google. The protocol is provider-agnostic, so adding more is straightforward.
How are keys stored?
Keys are stored in Cloudflare KV (encrypted at rest), accessed only via authenticated sessions. They're never logged or exposed in responses.
Is the vault a security risk?
Your keys stay encrypted. Apps only receive scoped tokens, never your actual keys. You can set spend limits and revoke any app's access instantly.
Will OKAP get rate-limited as more users join?
No. Each user's requests use their own API key. Rate limits apply to your key, not OKAP.
What if the vault goes down?
The vault runs on Cloudflare's global edge network with automatic failover. Apps with valid tokens continue working. New token requests would fail until restored.
How does this compare to other solutions?
| | OKAP | .env files | Secrets Managers |
|---|---|---|---|
| Scoped access | ✓ | ✗ | ✗ |
| Per-app revocation | ✓ | ✗ | ✗ |
| Spend limits | ✓ | ✗ | ✗ |
| No infra needed | ✓ | ✓ | ✗ |
| AI-provider aware | ✓ | ✗ | ✗ |
Why not just use OpenRouter?
OpenRouter is great! But it's a different model. With OpenRouter, you use their unified key and they manage provider access. With OKAP, you keep your own keys (for enterprise contracts, credits, or full control) and delegate scoped access to apps.
Can I self-host?
Yes, for teams/orgs who want their own infrastructure. Deploy the reference server or Cloudflare Worker to a public URL.