Stop sharing raw API keys.
Your team is already sending API keys through Slack, email, docs, and vendor forms. Put those keys behind a safer access layer. Create temporary, scoped, revocable API credentials for vendors, contractors, developers, and AI agents. They get the access they need. They never get the master key.
$ curl -H "Authorization: Bearer rk_proxy_t9xQ...2vZk" \ https://proxy.relaykey.ai/v1/conn_hubspot/crm/v3/objects/contacts { "results": [ { "id": "401", "properties": { "email": "ana@example.com", ... } }, { "id": "402", "properties": { "email": "ben@example.com", ... } }, ... ], "paging": { "next": { "after": "405" } } }
- Methods
- GET
- Expires in
- 23h 12m
- Scope
- /crm/v3/objects/contacts/*
- Master keys leaked
- 0
- Median proxy latency added
- <10ms
- Audited requests
- 100%
- Revoke on any credential
- 1-click
Verified compatibility with the APIs your team already uses.
Three steps. No SDK. Plain HTTP.
The vendor already knows how to call a REST API. RelayKey just puts a thin, audited access layer between them and your real key.
Add the master key once
Paste your real upstream API key. RelayKey encrypts it at rest with envelope encryption and never echoes it back in the dashboard.
Issue a scoped credential
Pick the methods, paths, and lifetime. RelayKey runs a safety review on the scope before issuing the token.
- methods: GET
- paths: /crm/v3/objects/contacts/*
- expires: in 24h
Vendor calls the proxy
The vendor uses proxy.relaykey.ai with the delegated token. RelayKey enforces scope, swaps in the real key, forwards the call, and audits everything.
$ curl https://proxy.relaykey.ai/v1/conn/.../contacts \
-H "Authorization: Bearer rk_proxy_..."Method and path allowlists, default-deny.
Every credential gets an explicit list of HTTP methods and glob path patterns. Anything outside that scope returns 403 from RelayKey before the upstream call is made — and shows up in the audit log. No more handing over keys with full account access.
{
"allowed_methods": ["GET"],
"allowed_paths": [
"/crm/v3/objects/contacts/*",
"/crm/v3/objects/companies/*"
],
"deny_query_params": ["associations"],
"ttl_seconds": 86400
}Every request, captured.
RelayKey logs the timestamp, credential, method, path, decision, and response code for every proxied request. Filter by credential, connection, or status. Export when you need it.
Issue credentials from your own automations.
Give an AI agent or internal service a provisioner-scoped management key. It can mint short-lived delegated credentials within constraints you set, but it can never read or export the upstream key.
$ curl -X POST https://relaykey.ai/api/v1/delegated-credentials \ -H "Authorization: Bearer rk_mgmt_provisioner_..." \ -H "Content-Type: application/json" \ -d '{ "connection_id": "conn_a1b2c3", "name": "agent-run-2026-05-01", "allowed_methods": ["GET"], "allowed_paths": ["/crm/v3/objects/contacts/*"], "ttl_seconds": 900 }'
“Our clients used to send us their HubSpot keys over email. Now we just send them a RelayKey link. It's the difference between asking for the keys to the kingdom and asking for a visitor badge.”
Protect your first key in under three minutes.
Sign up, add a connection, issue a scoped credential, hand the share link to your vendor. Free forever for one protected key.