Security & Data Handling
This page explains exactly what happens to your data when you use OneKey. No marketing — just the technical facts.
What happens when you make an API request
Request flow diagram: Your App → OneKey Router → AI Provider → Response (back to Your App). What is recorded along the way: metadata only: model, tokens, cost (no content stored).
OneKey is a stateless pass-through. Your request arrives, we validate your API key, select the right provider channel, and forward the request body as-is. The response streams back to you. At no point is the content of your request or response written to disk, database, or log file.
What we log
Every API request generates one metadata record:
| Field | Example |
|---|---|
| Timestamp | 2026-02-17T14:32:01Z |
| Model | claude-sonnet-4-5-20250929 |
| Input tokens | 847 |
| Output tokens | 1,203 |
| Credit cost | 0.02061 |
| User ID | usr_a1b2c3 |
| Latency | 2.4s |
| Stream | true |
This metadata exists for one reason: billing accuracy. It is retained for up to 90 days for billing verification.
Cryptocurrency payments generate additional metadata: transaction hash, chain (Base or Ethereum), token type (USDC/USDT), amount, and wallet address. This is retained alongside billing transactions for payment verification.
What we never log
- Prompt content (your messages, instructions, questions)
- System prompts
- Assistant responses (model outputs)
- Function calls and tool definitions
- Images, files, or any binary content
- Request or response bodies in any form
Body logging is disabled by default at the infrastructure level in the routing engine. The log schema's content field stores only billing metadata (model name, token ratios, cost calculations) — not request or response payloads.
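One way to make "metadata only" hold by construction rather than by redaction is to build the usage record from an allowlist of billing fields, so there is simply no field into which a prompt or response could be written. The following is an added example in Node.js, not OneKey's own code; the field names follow the table on this page, while the provider response shape (an OpenAI-style `usage` object) and the per-token credit rates are assumptions constructed for the example.

```javascript
// Added example (not OneKey's code): build the per-request usage record by
// allowlisting billing fields only, so request/response bodies can never reach
// the log regardless of what the proxied payload contains.

// Assumed per-token credit rates, constructed for this example.
const CREDIT_RATES = {
  "claude-sonnet-4-5-20250929": { input: 0.000003, output: 0.000015 },
};

function buildUsageRecord({ userId, model, stream, startedAt, finishedAt, providerResponse }) {
  const usage = providerResponse.usage || {};
  const inputTokens = usage.prompt_tokens ?? 0;
  const outputTokens = usage.completion_tokens ?? 0;
  const rate = CREDIT_RATES[model] || { input: 0, output: 0 };
  // Only these keys are ever written; there is no field for message content,
  // so messages/choices from the payloads cannot leak into the record.
  return {
    timestamp: new Date(startedAt).toISOString(),
    model,
    inputTokens,
    outputTokens,
    creditCost: Number((inputTokens * rate.input + outputTokens * rate.output).toFixed(5)),
    userId,
    latencyMs: finishedAt - startedAt,
    stream: Boolean(stream),
  };
}

// Constructed sample payloads standing in for a proxied request and response.
const SAMPLE_REQUEST = {
  model: "claude-sonnet-4-5-20250929",
  stream: true,
  messages: [{ role: "user", content: "SECRET PROMPT TEXT" }],
};
const SAMPLE_RESPONSE = {
  choices: [{ message: { content: "SECRET REPLY TEXT" } }],
  usage: { prompt_tokens: 847, completion_tokens: 1203 },
};

function sampleUsageRecord() {
  return buildUsageRecord({
    userId: "usr_a1b2c3",
    model: SAMPLE_REQUEST.model,
    stream: SAMPLE_REQUEST.stream,
    startedAt: 0,
    finishedAt: 2400,
    providerResponse: SAMPLE_RESPONSE,
  });
}
```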
Try before you trust
Every new account starts with 20 free requests across all 40+ models. No credit card required. Connect your favorite tool, send a request, verify that OneKey works exactly like a direct API call. When you're ready, add credits.
Encryption
- Client → OneKey: HTTPS via Cloudflare tunnel. All traffic is TLS-encrypted before it reaches our servers.
- OneKey → Provider: HTTPS/TLS to every provider API endpoint. No plaintext hops.
- At rest: Account data stored in MongoDB Atlas (encrypted at rest, SOC 2 Type II compliant). No request content is stored at all.
Dashboard assistant
The OneKey dashboard includes an AI assistant powered by Anthropic (Claude). When you use the assistant, your conversation is sent to Anthropic for processing. The assistant is a convenience feature for account questions — it cannot modify your account, and assistant conversations are separate from your API proxy requests. Anthropic's data policy (no training on API data) applies.
API key security
- Keys are scoped per project. You can create multiple projects, each with its own key.
- Keys are revocable instantly from your dashboard. Regenerating a key invalidates the old one immediately.
- Your API key is shown once at generation time. Regenerating a key creates a new one — the old key cannot be recovered.
- All API traffic is authenticated per-request: invalid or revoked keys are rejected before reaching any provider.
Authentication
OneKey supports three sign-in methods:
- Google OAuth (One-Tap and redirect flow)
- GitHub OAuth
- Magic links (passwordless email)
There is no password storage. Session tokens are SHA-256 hashed, stored as httpOnly, Secure cookies with SameSite=Lax, and expire after 7 days. Expired sessions are automatically purged via database TTL indexes.
Infrastructure
| Component | Provider | Purpose |
|---|---|---|
| CDN & DDoS protection | Cloudflare | All traffic routed through Cloudflare |
| Account database | MongoDB Atlas | User accounts, billing, usage metadata |
| Payment processing | Stripe | Credit card and payment handling |
| Transactional email | Resend | Magic links and payment receipts |
| Blockchain verification | Basescan, Etherscan | On-chain payment verification for USDC/USDT |
| Cryptocurrency | Base, Ethereum | USDC/USDT credit purchases |
| Website analytics | Google Analytics 4 (via GTM) | Consent-based anonymous usage statistics |
| Cookie consent | Cookiebot | Manages user consent for analytics cookies |
- Google Analytics 4 (via GTM) loads only after explicit cookie consent via Cookiebot. No consent = no analytics cookies, no data sent to Google.
- The only always-present cookie is a session authentication cookie (httpOnly, Secure, SameSite=Lax).
- MongoDB Atlas is SOC 2 Type II compliant with encryption at rest.
Provider data policies
When OneKey forwards your request to a provider, that provider's data handling policies apply to the content of your request:
| Provider | API data used for training? | Policy |
|---|---|---|
| OpenAI | No | Enterprise Privacy |
| Anthropic | No | Privacy Policy |
| Google (Gemini API) | No (paid API) | Gemini API Terms |
| xAI | No (default) | API Terms |
OneKey forwards requests as-is — we do not modify, inspect, or cache request content. Your relationship with each provider's data policy is the same as if you called their API directly.
Questions?
Contact [email protected] with any security questions.