HuGR  /  Vault

Your keys stay in the cloud.
Your code stays clean.

Import your .env file. HuGR absorbs every credential into an encrypted vault, replaces them with proxy keys, and handles authentication entirely on Cloudflare's edge. Your real keys never reach your machine.

Download for macOS Download for Windows
Before & After

One import. Everything changes.

This is what happens to your .env when you point HuGR at it.

.env — before
# Your real credentials — exposed OPENAI_API_KEY=sk-proj-4f8a...K9xT STRIPE_SECRET_KEY=sk_live_51Hf...qR7p ANTHROPIC_API_KEY=sk-ant-api03...Wv2Q AWS_SECRET_ACCESS_KEY=wJalr...4EXAMPLE DATABASE_URL=postgres://admin:[email protected]
.env — after hugr import
# Proxy keys — safe to commit, share, leak OPENAI_API_KEY=hugrw_openai_api_key_a8f2_c1d9 STRIPE_SECRET_KEY=hugrw_stripe_secret_key_3b7e_f4a1 ANTHROPIC_API_KEY=hugrw_anthropic_api_key_d2c5_8e3b AWS_SECRET_ACCESS_KEY=hugrw_aws_secret_key_7f1a_b6d2 DATABASE_URL=hugrw_database_url_e9c4_2a8f # Real keys are in the vault. # These proxy keys only work when your wallet is active.
Proxy

Your app talks to HuGR.
HuGR talks to the API.

When your application makes a request with a proxy key, HuGR Cloud resolves it, authenticates with the real credential on Cloudflare's edge, and returns the response. The real key never leaves the cloud infrastructure. Your machine only ever sees the proxy key and the cleaned response.

proxy in action
$ curl api.humangr.com/v1/chat/completions \ -H "Authorization: Bearer hugrw_openai_..." → HuGR Cloud resolves proxy key → Decrypts real key on Cloudflare edge → Calls api.openai.com with sk-proj-... → Redacts real key from response → Returns clean response to your app 200 OK (real key never reached your machine)
leaked proxy key
# Someone finds your proxy key in a GitHub repo $ curl api.humangr.com/v1/models \ -H "Authorization: Bearer hugrw_openai_a8f2_c1d9" 401 Unauthorized { "error": "invalid_api_token", "detail": "Token requires active wallet session" } # No wallet running = key is inert. # Nothing to rotate. Nothing to worry about.
Wallet-bound

Leaked key?
It's already dead.

Every proxy key is cryptographically bound to your wallet session. If the wallet isn't active on your machine, the key is inert — it can't authenticate, it can't proxy, it can't do anything. A leaked proxy key is not a security incident. It's a string.

Features

Everything in the vault.

.env import

Point HuGR at any .env file. Every key is absorbed into the vault and replaced with a proxy key. One action, zero config.

Wallet-bound keys

Proxy keys are tied to your active session. No wallet running, no access. Leaked keys are inert by design.

Token rotation

Revoke or rotate any proxy key instantly. The old key stops working immediately. No downstream coordination needed.

Temporary grants

Share a secret with a teammate or AI agent for a limited time. Access expires automatically. Full audit trail.

SSE streaming

Proxy LLM requests and stream responses in real time. Use your OpenAI or Anthropic key without exposing it to any client.

Response redaction

The proxy strips your real credential from every upstream response — raw, URL-encoded, hex, and base64. Zero leakage.

Audit trail

Every proxy call, rotation, toggle, and grant is logged with timestamp and hashed IP. Retention from 7 to 365 days by tier.

Toggle & organize

Disable a key without deleting it. Re-enable when ready. Rename, label, and group secrets for fast access.

Wallet addresses

Each account gets a unique address (hugr_username). Use it to share secrets via grants or receive credentials from teammates.

MCP integration

AI agents operate the vault via Model Context Protocol. 24 tools, Claude Code bootstrap, and full API access under the same audit trail.

AES-256-GCM

Secrets encrypted at rest with per-user keys derived from the server's master secret. Decrypted only on Cloudflare's edge for the upstream call.

Cloudflare edge

Runs on Cloudflare Workers globally. No single server. No shell access. No /proc. The V8 isolate is destroyed after every request.

Plans

What you get on each tier.

Feature Free Budget — $9/mo Pro — $29/mo
Vault secrets 5 15 Unlimited
Proxy requests / day 200 2,000 Unlimited
SSE streaming (LLMs) Yes Yes
Response redaction Yes Yes Yes
Token rotation Yes Yes Yes
Temporary grants Yes Yes
MCP integration Yes Yes
Audit log retention 7 days 30 days 90 days
Custom domains Yes

Your .env is a liability.
Fix it in one import.

Download HuGR Wallet. Import your secrets. Ship with confidence.

Download for macOS Download for Windows