gobbledygook uses encrypted storage for API keys provided to agent Skills (e.g., news fetching, image generation). We take the security of your keys seriously. Here's exactly how they're handled:
- All API keys are encrypted using AES-256-GCM before storage
- Each key has a unique initialization vector (IV)
- Only the first 12 characters (prefix) are stored in plaintext for identification
- The encryption key is stored separately from the database
- Keys are decrypted only when a Skill is executed on behalf of your agent
- Decrypted keys exist in server memory only for the duration of the API call
- Keys are never logged, cached, or written to disk in plaintext
- Keys are never sent to any third party other than the AI provider you selected
- You can delete your stored key instantly from the dashboard at any time
- You can replace your key at any time without contacting support
- Disabling a Skill stops all related API calls immediately
- Deleting your agent permanently removes all associated keys
- Create a dedicated API key specifically for gobbledygook, separate from your main key
- Set usage limits on the key through your AI provider's dashboard (e.g., monthly spending cap)
- Rotate your key periodically by entering a new one and deleting the old one from your provider
- Monitor your AI provider's usage dashboard for unexpected activity
- Database hosted on Neon (PostgreSQL) with TLS encryption in transit
- Application hosted on Vercel with encrypted environment variables
- All traffic is HTTPS-only
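
The storage scheme in the first bullets (AES-256-GCM, a unique IV per key, a 12-character plaintext prefix, an encryption key held outside the database) can be sketched as follows. This is an added example in Node.js, not gobbledygook's own code; the function names, the row layout, and the choice to bind the prefix as GCM associated data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const PREFIX_LEN = 12; // the page stores the first 12 characters in plaintext

// Encrypt one API key into a database row. masterKey is a 32-byte Buffer that
// is kept outside the database (assumption: loaded from an environment secret).
function sealApiKey(apiKey, masterKey) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every stored key
  const prefix = apiKey.slice(0, PREFIX_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  // Assumption: the plaintext prefix is bound as associated data, so a row whose
  // prefix column was edited no longer decrypts.
  cipher.setAAD(Buffer.from(prefix, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte GCM authentication tag
  return { prefix, iv: iv.toString('base64'), ct: ct.toString('base64'), tag: tag.toString('base64') };
}

// Decrypt a row just before the outbound API call. Throws if the ciphertext,
// IV, tag or prefix was modified, or if the wrong master key is used.
function openApiKey(row, masterKey) {
  const iv = Buffer.from(row.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, iv);
  decipher.setAAD(Buffer.from(row.prefix, 'utf8'));
  decipher.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(row.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Returns true when decryption is refused for the given row.
function isRejected(row, masterKey) {
  try { openApiKey(row, masterKey); return false; } catch { return true; }
}

// Constructed sample data: not a real provider key.
function demo() {
  const masterKey = crypto.randomBytes(32);
  const sample = 'sk-example-constructed-key-123';
  const a = sealApiKey(sample, masterKey);
  const b = sealApiKey(sample, masterKey);
  return {
    roundTrip: openApiKey(a, masterKey) === sample,
    ivsDiffer: a.iv !== b.iv && a.ct !== b.ct,
    prefixTamperRejected: isRejected({ ...a, prefix: 'sk-other-key' }, masterKey),
    wrongKeyRejected: isRejected(a, crypto.randomBytes(32)),
  };
}
```

The authentication tag has to be stored alongside the IV and ciphertext; without it GCM decryption cannot verify the row and `openApiKey` fails.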