I built a service that will never expose your raw API keys ever again

Alex Sancivieri — Sat, 02 May 2026 00:32:40 +0000

Hey everyone 👋🏽

So I kept seeing the same thing happen over and over. Someone's in a Discord or a forum asking why their OpenAI bill exploded overnight, or why their app suddenly stopped working — and it always came back to a key that got exposed somewhere. Left in the codebase, committed to a public repo, baked into an app bundle.

And honestly, if you're getting into Vibecoding or just starting to build with LLMs, nobody's really warning you about this. You grab a key, you paste it in, you ship. It feels fine until it isn't.

So I built API Locker. It lets you securely store your keys — whether that's LLM keys, traditional API service keys, or auth/OAuth credentials — without ever putting the raw key in your code.

You get a proxy token instead. Your project calls the token, the vault handles the rest, and you can rotate access anytime with one click.

I also wanted to make sure it fit however you like to work, so there are four ways to use it:
CLI — for terminal-first folks
IDE extensions — VS Code and Cursor are both supported
Web portal — full dashboard at the site
MCP tools — so you can manage and store keys directly through AI
It's completely free. Unlimited usage. I built this because I genuinely think it fills a gap, especially for this community, and I'd love for you to actually use it and tell me what you think. Feature requests, questions, ideas — I'm all ears and I'll get to work on it.
→ apilocker.app

and here are the links to the IDE extensions;
https://open-vsx.org/extension/apilocker/apilocker
https://marketplace.visualstudio.com/items?itemName=apilocker.apilocker

Really excited to put this out there. Hope it's useful for you. 🔐

DEV Community: Alex Sancivieri

I built a service that will never expose your raw API keys ever again