RelayKey
API access control

A firewall for your API keys.

Your team and AI agents — Codex, Claude Code, Cursor — need data from your most critical systems. RelayKey gives them scoped, audited access in seconds, revocable in one click — with email confirmation on every new IP, like 2FA for an API key. Your master keys stay locked up.

agent — bash
$ curl -H "Authorization: Bearer rk_proxy_t9xQ...2vZk" \
    https://proxy.relaykey.ai/conn_hubspot/contacts

{
  "results": [
    { "id": "401", "email": "ana@example.com" },
    { "id": "402", "email": "ben@example.com" }
  ],
  "next": "405"
}
Credential: dcred_a91f_4 (active)
Methods: GET
Expires in: 23h 12m
Scope: /crm/v3/objects/contacts/*

One key, many tools

Onboard a person, not a key.

Issue Kate one RelayKey token. Behind it, scope her access to HiBob (read employees), Absorb (read enrollments), and Greenhouse (read jobs). She uses one credential everywhere. When the engagement ends, you revoke one token.

  • Per-tool scope. GET-only on HiBob, GET + POST on Greenhouse — different rules per integration, same token.
  • Audit per person. Every call is recorded against Kate, across tools. Filter by recipient or by integration.
  • One-click offboarding. Engagement over? Revoke the recipient and access to all their tools dies in the same moment.
  • 2FA for APIs. First IP gets auto-trusted on setup; every new IP after that needs email confirmation. A stolen token fails on any network the recipient hasn't confirmed.
  • Agent-ready. RelayKey automatically generates a copy-pasteable prompt for Codex, Cursor, Claude, or any other agent. Wired up in one step.
Recipient: Kate Mason — North Loop Automations (active)
HiBob: /v1/people, /v1/employments/* (GET)
Absorb: /users, /enrollments (GET)
Greenhouse: /v1/jobs, /v1/applications (GET, POST)
Token: rk_proxy_t9xQ…2vZk
Expires in 30 days

Master keys handed to recipients: 0
Median proxy latency added: <10ms
Audited per credential: Every call
Revoke on any credential: 1-click

Compatibility

Verified compatibility with the APIs your team already uses.

Plus any REST API that uses Bearer, Basic, header-based, query-string, or OAuth 2.0 client_credentials auth — we add named vendors every week.

Absorb LMS
Anthropic
Cloudflare
ElevenLabs
Fly.io
GitHub
Greenhouse
HiBob
MedFlyt
OpenAI
PurelyHR
Ramp
Resend
Stripe
Survicate
Talkdesk
and many more
How it works

Three steps. No SDK. Plain HTTP.

Whoever needs to call the API — your engineers, an AI agent, a service account — already knows how to call a REST API. RelayKey just puts a thin, audited access layer between them and your real key.

1. Add the master key once

Paste your real upstream API key. RelayKey encrypts it at rest with envelope encryption and never echoes it back in the dashboard.

HubSpot — production
sk_••••••••••••••••••••••••5f81  Saved

2. Issue a scoped credential

Pick the methods, paths, and lifetime. RelayKey runs a safety review on the scope before issuing the token.

  • methods: GET
  • paths: /crm/v3/objects/contacts/*
  • expires: in 24h

3. Calls go through the proxy

Your team or agent calls proxy.relaykey.ai with the delegated token. RelayKey enforces scope, swaps in your real key, forwards the call, and audits everything.

$ curl https://proxy.relaykey.ai/conn_xxx/contacts \
    -H "Authorization: Bearer rk_proxy_..."
Access control

Method and path allowlists, default-deny.

Every credential gets an explicit list of HTTP methods and glob path patterns. Anything outside that scope returns 403 from RelayKey before the upstream call is made — and shows up in the audit log. No more handing over keys with full account access.

credential.scope.json
{
  "allowed_methods": ["GET"],
  "allowed_paths": [
    "/crm/v3/objects/contacts/*",
    "/crm/v3/objects/companies/*"
  ],
  "deny_query_params": ["associations"],
  "ttl_seconds": 86400
}
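
A default-deny check over the scope file above, written as an added example (not RelayKey's code). The function names, the glob semantics, the reason strings and the refusal of non-canonical paths are assumptions; the page does not specify how RelayKey handles them.

```python
import re
from urllib.parse import parse_qsl, unquote

# Scope values copied from credential.scope.json on this page.
SCOPE = {
    "allowed_methods": ["GET"],
    "allowed_paths": ["/crm/v3/objects/contacts/*", "/crm/v3/objects/companies/*"],
    "deny_query_params": ["associations"],
    "ttl_seconds": 86400,
}


def glob_matches(pattern, path):
    # Assumption: "*" matches any run of characters, "/" included.
    # The page does not specify RelayKey's glob rules.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def decide(scope, method, target, age_seconds):
    """Return (status, reason): 200 = forward upstream, 403 = block before upstream."""
    if age_seconds >= scope["ttl_seconds"]:
        return 403, "credential expired"
    if method.upper() not in scope["allowed_methods"]:
        return 403, "method not allowed"
    raw_path, _, query = target.partition("?")
    path = unquote(raw_path)
    # ".../contacts/../deals/7" matches the glob as text but may resolve
    # outside the scope upstream, so refuse "..", "." and empty segments,
    # including their percent-encoded forms.
    segments = path.split("/")
    if (segments[0] != "" or segments[-1] in (".", "..")
            or any(s in ("", ".", "..") for s in segments[1:-1])):
        return 403, "non-canonical path"
    if not any(glob_matches(p, path) for p in scope["allowed_paths"]):
        return 403, "path not in scope"  # default-deny
    for key, _value in parse_qsl(query, keep_blank_values=True):
        if key in scope["deny_query_params"]:
            return 403, "denied query parameter"
    return 200, "allowed"


# Constructed sample requests: (method, target, credential age in seconds).
SAMPLES = [
    ("GET", "/crm/v3/objects/contacts/401", 60),
    ("DELETE", "/crm/v3/objects/contacts/401", 60),
    ("GET", "/crm/v3/objects/contacts/%2e%2e/deals/7", 60),
    ("GET", "/crm/v3/objects/contacts/401?associations=deals", 60),
]

if __name__ == "__main__":
    for method, target, age in SAMPLES:
        print(method, target, decide(SCOPE, method, target, age))
```
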
Audit

Every request, captured.

RelayKey logs the timestamp, credential, method, path, decision, and response code for every proxied request. Filter by credential, integration, or status. Export when you need it.

Audit log
2026-05-01T14:22:18Z  GET     /v1/voices                    allowed  200
2026-05-01T14:22:14Z  GET     /crm/v3/objects/contacts      allowed  200
2026-05-01T14:21:56Z  DELETE  /crm/v3/objects/contacts/401  denied   403
2026-05-01T14:21:43Z  GET     /crm/v3/objects/companies     allowed  200
2FA for API access

Email confirmation on every new IP.

The first IP a recipient calls from is auto-trusted on the spot — no setup friction. Every new IP after that returns 423 Locked until the recipient clicks a confirmation link in their inbox. A token leaked into a public repo or a stolen laptop on a different network fails the second check, even if the recipient never noticed it was gone.

Confirm a new IP
RelayKey · alerts@relaykey.ai

RelayKey saw a request from a new IP for your Kate Mason key. The call was blocked until you confirm.

IP: 203.0.113.42
Client: cursor/0.42
Integration: HiBob
Confirm this IP

If this wasn't you, ignore this email — the request was blocked. Link expires in 24 hours.
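
The new-IP flow described in this section, sketched as a small state machine in an added example (not RelayKey's code). The IpGate class, its outbox list and the choice to reuse one live confirmation link per IP are assumptions; the first-IP trust, the 423 status and the 24-hour link expiry come from the page.

```python
import secrets

CONFIRM_TTL = 24 * 3600  # the confirmation link expires in 24 hours


class IpGate:
    """New-IP confirmation state for one recipient token (hypothetical class)."""

    def __init__(self):
        self.trusted = set()
        self.pending = {}   # confirmation token -> (ip, issued_at)
        self.outbox = []    # (ip, token) pairs handed to the mailer

    def check(self, ip, now):
        """Return 200 to let the request proceed, 423 to block it."""
        if not self.trusted:
            self.trusted.add(ip)          # first IP is auto-trusted
            return 200
        if ip in self.trusted:
            return 200
        # Assumption: drop expired links, then reuse a live one so repeated
        # calls from the same new IP do not send repeated emails.
        self.pending = {t: v for t, v in self.pending.items()
                        if now - v[1] < CONFIRM_TTL}
        if not any(p_ip == ip for p_ip, _ in self.pending.values()):
            token = secrets.token_urlsafe(32)  # unguessable, single use
            self.pending[token] = (ip, now)
            self.outbox.append((ip, token))
        return 423

    def confirm(self, token, now):
        """Handle a click on the emailed link; True if the IP is now trusted."""
        ip, issued = self.pending.pop(token, (None, 0))
        if ip is None or now - issued >= CONFIRM_TTL:
            return False
        self.trusted.add(ip)
        return True


if __name__ == "__main__":
    gate = IpGate()
    print(gate.check("198.51.100.7", 0))    # constructed first IP
    print(gate.check("203.0.113.42", 10))   # IP from the sample email
    print(gate.confirm(gate.outbox[0][1], 20), gate.check("203.0.113.42", 30))
```
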

Provisioner role

Issue credentials from your own automations.

Give an AI agent or internal service a provisioner-scoped management key. It can mint short-lived delegated credentials within constraints you set, but it can never read or export the upstream key.

POST /api/v1/delegated-credentials
$ curl -X POST https://app.relaykey.ai/api/v1/delegated-credentials \
    -H "Authorization: Bearer rk_mgmt_provisioner_..." \
    -H "Content-Type: application/json" \
    -d '{
      "connection_id":   "conn_a1b2c3",
      "name":            "agent-run-2026-05-01",
      "allowed_methods": ["GET"],
      "allowed_paths":   ["/crm/v3/objects/contacts/*"],
      "ttl_seconds":     900
    }'

Protect your first key in under three minutes.

Sign up, add an integration, issue a scoped credential, hand the share link to your vendor. Free forever for one protected key.