Bring your own keys

API keys

Connect your own provider accounts. Keys are encrypted at rest with AES-256-GCM and bound to your account — they survive sign-outs and you never have to re-paste them. Tokens you spend are billed by the provider directly.

How this works

Paste your key once. We encrypt it with a server-side master key (USER_KEYS_ENCRYPTION_KEY) and store only the ciphertext + a 4-character display hint. The plaintext lives in memory just long enough to call the provider.
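The storage step described above, sketched in Go as an added example; it is not this service's code. The names `Seal`, `Open` and `gcmFor`, the use of the account and provider IDs as GCM associated data, the nonce-prefixed blob layout, the 8-character minimum, and taking the hint from the last four characters are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmFor returns AES-256-GCM plus associated data tying a row to one account
// and provider (an assumed binding; the page does not say how it is done).
func gcmFor(master []byte, userID, provider string) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(master)
	if err != nil || len(master) != 32 {
		return nil, nil, errors.New("master key must be 32 bytes (AES-256)")
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, []byte(userID + "\x00" + provider), err
}

// Seal returns nonce||ciphertext and the 4-character hint to store; never the plaintext.
func Seal(master []byte, userID, provider, apiKey string) ([]byte, string, error) {
	gcm, aad, err := gcmFor(master, userID, provider)
	if err != nil || len(apiKey) < 8 {
		return nil, "", errors.New("bad master key or API key too short")
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, "", err
	}
	return gcm.Seal(nonce, nonce, []byte(apiKey), aad), apiKey[len(apiKey)-4:], nil
}

// Open decrypts a stored blob; a row moved to another account or altered fails.
func Open(master []byte, userID, provider string, blob []byte) (string, error) {
	gcm, aad, err := gcmFor(master, userID, provider)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("bad master key or truncated row")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
	return string(pt), err
}

func main() {
	master := make([]byte, 32) // constructed all-zero demo key, not for real use
	blob, hint, _ := Seal(master, "user-1", "example", "sk-constructed-0000abcd")
	_, err := Open(master, "user-2", "example", blob)
	fmt.Println(hint, err != nil) // "abcd true": another account cannot open it
}
```

Because the account ID is authenticated as associated data, a ciphertext copied into another user's row fails the GCM tag check instead of decrypting.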

Sign out, close the browser, come back next week — the keys are still there. Delete one and the row is removed from the database permanently.

Need to revoke compromised keys instead? Deleting a key here only removes our copy; the key itself stays valid at the provider. Go to the provider's dashboard and rotate the secret there; the next time you sign in, replace it here.