Live on Chrome Web Store

The API Key Manager Chrome Extension
That Works Where You Work

API Locker lives in your browser, so when you're on the OpenAI dashboard, your OpenAI keys are already there. AES-256 encrypted, smart site detection, 32+ providers. Zero configuration.

🔐 Add to Chrome — Free Learn more at apilocker.dev
Why the Browser

Why a Chrome Extension Is the Right Home for API Key Management

Think about when you actually need an API key. You're on a provider's dashboard creating a new key. You're building something locally and need to paste a key into a form or a config file. You're rotating a key and need to update your .env. In almost every case, you're in a browser.

The gap with existing tools: you're in one tab and your key is somewhere else. A password manager requires you to open it, search, find the entry, copy the value — multiple context switches just to grab a credential. A text file requires you to open a different app. Notes apps, Notion, Slack — all require leaving your current context.

A Chrome extension solves this at the right layer. It's in the browser, where the task is happening. It can observe which site you're on and filter the vault automatically. One click, key copied, back to work. That's the workflow improvement that makes a browser-based approach worth it.

The tradeoff is that extensions are Chrome-only (API Locker currently supports Chrome and Chromium-based browsers). But for most developers, Chrome or Brave is their primary development browser — and the productivity gain at that layer outweighs the limitation.

Core Features

What API Locker Does — And How

Smart Site Detection
API Locker reads the current tab's URL and matches it against a library of known API provider dashboards. Visit platform.openai.com — your OpenAI keys appear. Visit api.stripe.com — Stripe keys surface automatically. The matching is local, private, and instantaneous.

AES-256-GCM Encryption
Every key is encrypted with AES-256-GCM using the Web Crypto API built into Chrome. Your master password derives the encryption key via PBKDF2 with a high iteration count. Plaintext never touches disk or network on the free plan. The vault is meaningless without your master password.

Multiple Keys Per Provider
Have 3 different OpenAI keys — production, staging, side project? Store all three under OpenAI, each with a distinct label. When you open the popup on the OpenAI dashboard, all three are listed. No naming collisions, no confusion about which key is which.

Expiry Date Tracking
Set an expiry date on any key. API Locker shows a warning badge when a key is approaching expiry and marks expired keys clearly. No more discovering in production that a key you assumed was live actually expired 3 weeks ago.

One-Click Copy
Click the copy button next to any key — it's on your clipboard. No reveal step, no extra confirmation (for speed). The extension also supports a "reveal" mode if you need to verify a key. The focus is on getting the right key to your clipboard without friction.

Zero-Knowledge Architecture
Zero-knowledge means we never know your master password. There's no "forgot password" recovery because the password is never sent to any server. Your encrypted vault can only be decrypted by your password, on your device. This is a deliberate design choice, not a limitation.
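
The Smart Site Detection feature above depends on how the tab URL is compared with the provider list. The sketch below is an added example, not API Locker's code: it matches on the parsed hostname over HTTPS only, so lookalike URLs do not surface keys. The `PROVIDERS` table and `detectProvider` are hypothetical names; the two hosts are the ones named on this page.

```javascript
// Added example: hostname-based provider matching (not API Locker's code).
// PROVIDERS is a constructed sample using the two hosts named on this page.
const PROVIDERS = [
  { name: "OpenAI", hosts: ["platform.openai.com"] },
  { name: "Stripe", hosts: ["api.stripe.com"] },
];

// Returns the provider name for a tab URL, or null when nothing matches.
function detectProvider(tabUrl, providers = PROVIDERS) {
  let url;
  try {
    url = new URL(tabUrl);
  } catch {
    return null; // not a parseable URL
  }
  // Only surface keys on HTTPS pages; http:, file: and chrome: never match.
  if (url.protocol !== "https:") return null;
  // URL lower-cases the hostname; also strip a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  for (const p of providers) {
    // Exact comparison on the parsed hostname, never a substring test.
    if (p.hosts.includes(host)) return p.name;
  }
  return null;
}

// Constructed inputs: the first is the dashboard host, the rest are
// lookalikes that a substring test on the raw URL would wrongly accept.
const SAMPLES = [
  "https://platform.openai.com/api-keys",
  "https://platform.openai.com.example.net/login",
  "https://example.net/?next=platform.openai.com",
  "https://platform.openai.com@example.net/",
  "http://platform.openai.com/",
];
for (const s of SAMPLES) console.log(s, "->", detectProvider(s));
```

Only the first sample resolves to a provider; the other four return null.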
How It Works

The Technical Flow — From Install to Copy

1. Install & Set Master Password
On first launch, you set a master password. API Locker runs PBKDF2 on that password with a cryptographic salt to derive an AES-256 encryption key. Your password is never stored anywhere — only the derived key is held in memory while the extension is unlocked.

2. Add Keys to Vault
When you add a key, it's encrypted with AES-256-GCM immediately. The ciphertext (encrypted key + IV + auth tag) is stored in Chrome's local extension storage. Even if someone extracted the raw storage, they'd get useless ciphertext without your master password.

3. Site Detection on Navigation
API Locker listens for tab URL changes. When you navigate to a URL that matches a known provider (e.g., platform.openai.com matches "OpenAI"), the extension badge updates and the popup pre-filters to show only that provider's keys. All matching is done in the extension's background script — the URL is never sent anywhere.

4. Decrypt on Demand
When you click a key to copy it, the extension decrypts only that key in memory, copies it to clipboard, and discards the plaintext immediately. The vault remains encrypted at rest. Auto-lock kicks in after a configurable idle period, requiring your master password again.
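
Steps 1, 2 and 4 above, written against the Web Crypto API as an added example (not API Locker's code). Assumptions not stated on the page: SHA-256 as the PBKDF2 hash, exactly 100,000 iterations, a 16-byte salt, a 12-byte IV, and binding the provider label as additional authenticated data; `deriveVaultKey`, `sealKey`, `openKey` and `demo` are hypothetical names.

```javascript
// Added example, not API Locker's code. Assumptions: PBKDF2-HMAC-SHA-256,
// 100,000 iterations (the page's stated floor), 16-byte salt, 12-byte IV.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // old Node.js
const enc = new TextEncoder();

// Step 1: master password + salt -> non-extractable AES-256-GCM key.
async function deriveVaultKey(password, salt, iterations = 100000) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Step 2: encrypt one API key under a fresh random IV; Web Crypto appends the
// 16-byte auth tag. Binding the provider label as AAD is this example's choice.
async function sealKey(vaultKey, provider, apiKey) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(provider) },
    vaultKey, enc.encode(apiKey));
  return { provider, iv, ct: new Uint8Array(ct) };
}

// Step 4: decrypt one record on demand. Returns null when the GCM tag check
// fails: wrong password, modified ciphertext, or a swapped provider label.
async function openKey(vaultKey, record) {
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: record.iv, additionalData: enc.encode(record.provider) },
      vaultKey, record.ct);
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}

// Constructed demo values; the API key string is a made-up placeholder.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const key = await deriveVaultKey("correct horse battery staple", salt);
  const rec = await sealKey(key, "OpenAI", "sk-EXAMPLE-not-a-real-key");
  const flipped = { ...rec, ct: rec.ct.map((b, i) => (i === 0 ? b ^ 1 : b)) };
  const wrongKey = await deriveVaultKey("wrong password", salt);
  return { ok: await openKey(key, rec), tampered: await openKey(key, flipped),
           relabelled: await openKey(key, { ...rec, provider: "Stripe" }),
           wrongPassword: await openKey(wrongKey, rec) };
}
```

Calling `demo()` resolves to the original key for `ok` and to null for the tampered, relabelled and wrong-password cases, which is the integrity property the GCM section describes.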
Security Model

AES-256-GCM Explained — Without the Jargon

AES-256-GCM is the encryption standard API Locker uses. Here's what each part means and why it matters for your keys:

AES-256: The encryption algorithm
Advanced Encryption Standard with a 256-bit key. This is what the US government uses for top-secret data. With a properly random key, brute-forcing AES-256 is computationally infeasible — the number of possible keys exceeds the atoms in the observable universe.

GCM: Authenticated encryption
Galois/Counter Mode adds authentication to the encryption. This means the extension can detect if the ciphertext has been tampered with — an attacker can't modify your encrypted vault and have it silently accepted. You get both confidentiality and integrity.

PBKDF2 key derivation
Your master password isn't used as the encryption key directly — it's run through PBKDF2 (Password-Based Key Derivation Function 2) with 100,000+ iterations and a cryptographic salt. This makes brute-force attacks against your password orders of magnitude slower.

Web Crypto API — browser-native
API Locker uses Chrome's built-in Web Crypto API rather than a JavaScript library. The crypto operations happen in C++ native code, not JavaScript. This eliminates an entire class of supply-chain attack risks from third-party crypto libraries.

Zero network access (free plan)
The free plan makes zero outbound network requests. There's no telemetry, no analytics, no key transmission. The extension works entirely offline after installation. You can verify this in Chrome's extension network tab.

Auto-lock
The vault auto-locks after a configurable idle period (default: 15 minutes). When locked, no key can be accessed without re-entering the master password. If you step away from your desk, your keys are locked.
Supported Providers

32+ API Providers with Smart Detection

API Locker ships with built-in site detection for major API providers. When you visit any of these dashboards, your keys for that provider appear automatically. You can also add any custom provider by URL pattern.

OpenAI, Anthropic, Stripe, GitHub, AWS, Google Cloud, Twilio, SendGrid, Hugging Face, Replicate, Cloudflare, Vercel, Supabase, Firebase, Pinecone, Cohere, Mistral AI, Groq, Together AI, Mapbox, Plaid, Braintree, Mailgun, Postmark, Resend, Pusher, Ably, Algolia, Elastic, MongoDB Atlas, Neon, PlanetScale, + Custom
Free on Chrome Web Store

Install in 30 Seconds — Your Keys Are Organized Before Your Next API Call

AES-256 encrypted. Smart site detection. 32+ providers. No account required to get started.
