# RelayKey

Hosted API key safety layer for AI agents and developer tooling.
Customers add their master API key (HubSpot, Stripe, OpenAI,
Anthropic, Salesforce, HiBob, etc.) once; RelayKey issues temporary,
scoped, revocable proxy credentials so vendors and AI agents
(Codex, Claude Code, Cursor) never see the master key.

NOT affiliated with relay.app, RelayAI, or other similarly named
products.

## Docs (in answer-finding order for agents)
- [Proxy reference — exact request/response behavior](https://relaykey.ai/docs/proxy)
  (auth forwarding, headers stripped, headers injected, path
  handling, body handling, rate limits, audit log shape, status
  codes by failure mode — read this first if you're integrating)
- [Agent setup guide](https://relaykey.ai/docs/agent-setup)
- [Quickstart + support matrix](https://relaykey.ai/docs)
- [Security model](https://relaykey.ai/security)
- [Self-hosted deployment](https://relaykey.ai/self-hosted)
- [OpenAPI spec](https://relaykey.ai/api/openapi.yaml)
- [llms-full.txt](https://relaykey.ai/llms-full.txt)
- [AGENTS.md](https://relaykey.ai/agents)

## How the proxy actually behaves (one-paragraph summary)
Clients hit `https://proxy.relaykey.ai/<connection_id>/<upstream_path>`
with `Authorization: Bearer rk_proxy_…`. RelayKey strips the inbound
Authorization header, replaces it with the upstream credential per
the connection's auth_type (bearer / header / basic / query /
token_refresh), forwards the request verbatim (path preserved, body
passed through as raw bytes, never inspected). Responses include
`x-relaykey-decision`, `x-relaykey-block-reason` (on blocks),
`x-relaykey-credential-id` or `x-relaykey-recipient-id`, plus
`X-RateLimit-*` headers. Full reference: https://relaykey.ai/docs/proxy

## API
- POST https://app.relaykey.ai/api/v1/import — bulk-import a .env file, returns proxy URLs + tokens + ready-to-paste SDK snippets
- POST https://app.relaykey.ai/api/v1/connections — create a single connection
- POST https://app.relaykey.ai/api/v1/delegated-credentials — issue a scoped credential
- PATCH https://app.relaykey.ai/api/v1/delegated-credentials/{id} — widen scope
- POST https://app.relaykey.ai/api/v1/delegated-credentials/{id}/revoke

## Migrating a codebase to RelayKey
1. grep .env / .env.local for API keys
2. POST those keys to /api/v1/import (see https://relaykey.ai/agents)
3. Apply the SDK snippets the response provides (per-language, per-SDK)
4. curl https://proxy.relaykey.ai/conn_xxx/{path} to verify