Why We Keep Your API Keys in Your Browser — From the Person Who Worries About It
- ByteChat stores API keys in your own browser, never on its servers -- there is deliberately no database of customer keys.
- When you send a message, a thin proxy forwards the request to the provider and then forgets the key; ByteChat cannot see your keys or chats.
- The reasoning: the safest data to hold is the data you never hold -- with no central store, a breach exposes nothing.
- Local-only storage is the safest practical design, not magic: avoid shared computers, beware device malware, and set a provider spending cap anyway.
The question I get asked more than any other about ByteChat is some version of: "Wait — if I paste my API key in, where does it go?" It's the right question to ask, and frankly I'd be wary of anyone who couldn't answer it plainly. So here's the straight version, in my own words, including the reasoning we argued over while building it.
A quick disclaimer so this is honest: I work on ByteChat, so I'm not a neutral party. But that's also why I can tell you exactly how it works rather than hand-wave at it.
The short answer
Your API keys live in your own browser, on your own device, and never on our servers. We don't have a database of customer keys, because we deliberately never built one. When you send a message, your browser hands the key to a thin proxy that forwards the request to the AI provider and then forgets it. We can't see your keys, and we can't see your chats.
Why we chose it the harder way
I'll be candid: storing keys on our servers would have been easier for us in some ways. It makes a few features simpler to build. We didn't do it, and the reasoning came down to a question I kept asking in our discussions: "If we got breached tomorrow, what could someone steal?"
If we stored your keys, the answer would be "everyone's keys." That's a tempting target and a permanent liability — for you and for us. By keeping keys only in your browser, the answer becomes "nothing," because there's no central pile to steal. The safest data to hold is the data you never hold. So we don't.
What "in your browser" actually means
Your key sits in your browser's local storage — a private space tied to our site and to your device. A few things follow from that:
- It stays on your machine between visits, so you don't re-paste it every time.
- No other website can read it.
- If you clear your browser data, the key is simply gone from there — and you still have the original in your provider dashboard.
When a message goes out, the key is used to make that one request and isn't logged or retained on our side.
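The proxy step described above, written out as an added example (not ByteChat's code): the key arrives in a request header, is moved into the provider's Authorization header for one upstream call, and is redacted from anything the proxy retains. The header name x-provider-key, the upstream URL and the fetch signature are assumptions for illustration.

```javascript
// Added example, not ByteChat's code. "x-provider-key" is an assumed
// client-to-proxy header name; the upstream URL is supplied by the caller.
const PROVIDER_KEY_HEADER = "x-provider-key";

// Build the single upstream request: the key is copied into the provider's
// Authorization header and nowhere else.
function buildUpstreamRequest(clientHeaders, body, upstreamUrl) {
  const key = clientHeaders[PROVIDER_KEY_HEADER];
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("missing provider key");
  }
  return {
    url: upstreamUrl,
    method: "POST",
    headers: { authorization: `Bearer ${key}`, "content-type": "application/json" },
    body,
  };
}

// Produce the only record the proxy keeps: request shape, never key material.
function logRecord(clientHeaders, upstreamReq) {
  const redacted = {};
  for (const [name, value] of Object.entries(upstreamReq.headers)) {
    redacted[name] = name === "authorization" ? "Bearer [redacted]" : value;
  }
  return {
    upstream: upstreamReq.url,
    method: upstreamReq.method,
    headers: redacted,
    hadKey: PROVIDER_KEY_HEADER in clientHeaders,
  };
}

// Handle one message: forward it, keep the redacted record, drop the key.
// fetchImpl is any fetch-compatible function (assumed signature).
async function handle(clientHeaders, body, upstreamUrl, fetchImpl) {
  const upstream = buildUpstreamRequest(clientHeaders, body, upstreamUrl);
  const record = logRecord(clientHeaders, upstream);
  const resp = await fetchImpl(upstream.url, {
    method: upstream.method, headers: upstream.headers, body: upstream.body,
  });
  // `upstream.headers` goes out of scope here; only `record` is retained.
  return { status: resp.status, record };
}
```

The check a reviewer would make is that the retained record never contains the key, while the upstream request does; that is the whole property the post is describing.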
The part where I tell you we're not magic
Local-only storage is the safest practical design, but I'm not going to pretend it makes you invincible, because nothing does. A few honest caveats:
- Don't use a shared or public computer for your keys. Local storage means local — including to the next person on that machine.
- Malware on your own device can read browser data. That's true of everything you do, not just us, but it's true.
- Set a spending cap in your provider's dashboard anyway. I do, on every key. It costs you thirty seconds and means that even in some worst case you didn't imagine, the damage is bounded by a number you chose.
I mention these not to scare you off but because a security pitch that only lists strengths isn't a security pitch, it's marketing.
How to check us — and anyone else
You shouldn't take my word for it just because I wrote a friendly blog post. Here's how I'd verify any tool that asks for an API key, ours included:
- Does it state plainly that keys are stored locally and never on its servers? Vagueness is the red flag.
- Is every request over HTTPS?
- Can you revoke access instantly from the provider's own dashboard? (You always can — that's the real backstop, and it's in your hands, not ours.)
If a tool can't give you clean answers to those three, I wouldn't paste a key into it. That standard is exactly the one we held ourselves to.
Why I care about getting this right
I'm the person who'd have to explain it if we ever mishandled a key, and that's a conversation I never want to have. So the design isn't a marketing choice we reverse-engineered — it's the thing that lets me sleep. Your key is yours. We built ByteChat so it stays that way, and so that the most truthful answer to "what could you leak about me?" is "nothing we ever had."
Frequently asked questions
Where does ByteChat store my API key?
Only in your browser's local storage, on your own device -- never on ByteChat's servers. A thin proxy forwards each request to the provider and does not retain the key.
Why not store keys on the server?
Because a server-side store of everyone's keys is a tempting target and a permanent liability. With keys kept only in your browser, a breach exposes nothing -- the safest data to hold is the data you never hold.
Is browser storage completely safe?
It is the safest practical design, but not magic. Avoid shared or public computers, keep your device free of malware, and set a spending cap in your provider dashboard so any worst case is bounded.
I'm Chris, and I work on ByteChat. We keep your keys in your browser, proxy requests without storing them, and add zero markup on usage. Try it free — and set a spending cap first, like I do.