Open Key Access Protocol

Secure, user-controlled API key delegation

The Problem

Today

Every app asks you to paste your API key. Keys end up scattered across dozens of apps with no visibility or control.

With OKAP

Your keys stay in one vault. Apps request scoped tokens. Revoke any app instantly without rotating your key.

Architecture

[Figure: OKAP Architecture]

Code Example

# App requests access from user's vault
from okap import OkapClient
from openai import OpenAI

client = OkapClient("https://vault.okap.dev")
token = client.request_access(provider="openai", models=["gpt-4"])

# Use with OpenAI SDK — key never leaves the vault
ai = OpenAI(api_key=token.token, base_url=token.base_url)

The Specification

Token Request

Apps request scoped access: provider, models, limits, expiration.

API Proxying

Vault proxies requests, injecting keys and enforcing limits.

Revocation

Users revoke any token instantly without rotating keys.

Read the full specification →
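The three behaviours above (scoped token request, proxy-side enforcement, revocation) modelled in memory as an added example. This is not OKAP's reference server or SDK code; `ToyVault`, `Grant`, `issue`, `authorize` and `revoke` are hypothetical names, and the checks shown are an assumption about what a vault enforces based on the descriptions on this page.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Grant:
    provider: str
    models: tuple
    max_requests: int        # the "limits" part of a token request
    expires_at: float        # the "expiration" part, as Unix time
    used: int = 0
    revoked: bool = False

class ToyVault:
    """Hypothetical in-memory vault; real API keys never leave this object."""
    def __init__(self, provider_keys):
        self._keys = dict(provider_keys)   # provider -> real API key
        self._grants = {}                  # opaque token -> Grant

    def issue(self, provider, models, max_requests, ttl_seconds, now=None):
        now = time.time() if now is None else now
        if provider not in self._keys:
            raise KeyError(f"no key stored for {provider}")
        token = secrets.token_urlsafe(32)  # random, unrelated to the real key
        self._grants[token] = Grant(provider, tuple(models), max_requests, now + ttl_seconds)
        return token

    def revoke(self, token):
        if token in self._grants:          # the stored provider key is untouched
            self._grants[token].revoked = True

    def authorize(self, token, model, now=None):
        """Proxy-side check: (allowed, reason, key to inject upstream or None)."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None:
            return False, "unknown token", None
        if grant.revoked:
            return False, "revoked", None
        if now >= grant.expires_at:
            return False, "expired", None
        if model not in grant.models:
            return False, "model not in scope", None
        if grant.used >= grant.max_requests:
            return False, "limit reached", None
        grant.used += 1
        return True, "ok", self._keys[grant.provider]
```

The key returned by `authorize` is what the proxy attaches to the upstream request; the app only ever holds the opaque token.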

Get Started

Python SDK

pip install okap

GitHub · PyPI

Hosted Vault

Store keys, issue tokens

vault.okap.dev →

FAQ

Do apps need to support OKAP?

Yes. The more apps adopt it, the more useful it becomes. Start with your own projects.

Can I self-host?

Yes! Use the reference server or Cloudflare Worker.