Secure API Key Storage

API keys are encrypted using AES-256-GCM before they ever touch the database. Your credentials are never stored in plain text, and the encryption keys are managed through environment-level secrets that are rotated regularly. Even in the unlikely event of a database breach, your API keys remain protected by strong encryption.

Decryption only happens on the server during the cost sync process. API keys are never sent to any client-side code, never included in API responses, and never reach the browser. The entire decryption-fetch-re-encrypt lifecycle happens in a secure server-side context with no exposure to the frontend.

Grafient only reads billing and usage endpoints from each provider. We never access your prompts, completions, fine-tunes, assistants, files, or any content data. Our integration with each provider is scoped to the absolute minimum permissions needed to fetch cost and usage metrics — nothing more.

Delete an integration from your Grafient dashboard and the encrypted key is immediately and permanently removed from our database. No residual access, no grace period, no backup copies. You can also rotate your API keys at the provider level at any time — simply update the key in Grafient and the old credentials are overwritten.