Security

How we protect
seller credentials.

The proxy is the product. Everything below describes how we keep upstream provider keys safe between the seller’s account and the moment a request hits the upstream API.

Last updated · 2026-05-20

Encryption at rest

Provider credentials are encrypted before they hit the database. We use envelope encryption: each tenant has a unique data key that is itself wrapped by a master KMS key managed by our cloud provider. Database backups inherit the same encryption. Plaintext credentials never persist to disk.

Encryption in transit

All traffic to the API and dashboard is TLS 1.2+. Upstream calls to OpenAI, Anthropic, Grok, and Gemini are made over HTTPS using the seller's credential decrypted just-in-time inside the request handler.

Credential isolation

The proxy decrypts a seller credential only inside the in-memory scope of a single request. The plaintext is never written to logs, never exposed to the buyer, and never leaves the process boundary.

Buyer-facing keys (tk_live_…) authenticate against the proxy only — they cannot be used to call upstream providers directly.

Auth & access

We use Clerk for authentication and enforce role separation (buyer / seller / admin) at the API layer. Server-to-database connections use short-lived credentials. All admin actions are audit-logged.

Reporting a vulnerability

If you believe you've found a security issue, please email security@tokenlypro.com with a description and steps to reproduce. We acknowledge reports within 72 hours and prefer coordinated disclosure.

Questions? Reach us at hello@tokenlypro.com or read the story behind TokenlyPro.
TokenlyPro — The marketplace for AI tokens