Reference implementation of an OKAP vault - self-host your API key manager.
- Secure key storage: Master keys never leave the vault
- Token management: Issue, list, and revoke tokens
- API proxy: Forward requests using your master keys
- Fast: Built on FastAPI + async
- Docker ready: Easy deployment
git clone https://github.com/openkeyprotocol/server.git
cd server
pip install -e .Create .env:
# Required: Set your API keys
OKAP_OPENAI_API_KEY=sk-...
OKAP_ANTHROPIC_API_KEY=sk-ant-...
OKAP_GOOGLE_API_KEY=AIza...
# Optional
OKAP_BASE_URL=https://vault.yourdomain.com
OKAP_PORT=8000python -m app.main
# or
uvicorn app.server:app --reloadServer runs at http://localhost:8000
GET /POST /okap/request
Content-Type: application/json
{
"okap": "1.0",
"provider": "openai",
"models": ["gpt-4"],
"capabilities": ["chat"],
"limits": {
"monthly_spend": 10.00
}
}GET /okap/tokensDELETE /okap/tokens/{token_id}POST /v1/openai/chat/completions
Authorization: Bearer okap_abc123...
Content-Type: application/json
{
"model": "gpt-4",
"messages": [{"role": "user", "content": "Hello"}]
}from openai import OpenAI
# Get token from vault first, then:
client = OpenAI(
api_key="okap_abc123...",
base_url="http://localhost:8000/v1/openai"
)
response = client.chat.completions.create(
model="gpt-4",
messages=[{"role": "user", "content": "Hello!"}]
)docker build -t okap-vault .
docker run -p 8000:8000 \
-e OKAP_OPENAI_API_KEY=sk-... \
okap-vault┌──────────────┐ okap token ┌──────────────┐ real key ┌──────────────┐
│ App │ ──────────────────▶ │ OKAP Vault │ ────────────────▶ │ OpenAI │
│ │ ◀────────────────── │ │ ◀──────────────── │ Anthropic │
└──────────────┘ response └──────────────┘ response │ Google │
└──────────────┘
# Install dev deps
pip install -e ".[dev]"
# Run tests
pytest
# Run with reload
uvicorn app.server:app --reloadMIT