Permanent keys
Raw credentials keep living in tools, scripts, and machines after the task ends.
Controlled AI access for task-bound workflows
Issue AI grants instead of API keys.
Boundkeys gives people, apps, contractors, and agents controlled AI access with budgets, expiry, audit logs, and provider keys kept safely in the vault.
- Keys
- Vaulted
- Access
- Scoped
- Spend
- Bounded
- Calls
- Audited
Task
support.ticket.summary
Budget
$2.00
Expires
45m
Models
2 allowed
Provider key
vaulted
scope matched support.reply
reserved 100 tokens
provider called through vault
crm.write needs approval
Why this exists
AI access is spreading faster than teams can control it.
Support systems, document workflows, internal apps, browser assistants, and agent frameworks all need model access. Most teams start by copying provider keys into tools, scripts, and temporary workflows.
Open-ended spend
Usage is difficult to limit by ticket, contractor, app, user, team, or month.
Thin accountability
Model calls and tool actions are hard to inspect when workflows run across systems.
The control layer
One AI control layer for task-bound workflows.
Boundkeys combines AUG with a lightweight AI gateway and BYOK or managed models. It turns provider credentials into limited grants that can be issued, enforced, audited, expired, and revoked.
Provider key vault
Keep provider API keys out of daily workflows while grants carry runtime limits.
Temporary usage grants
Issue access envelopes for a task, app route, contractor, user, team, or agent run.
Per-task budgets
Bound usage with exact and reserved meters before provider forwarding starts.
Expiry and revocation
Let access end by time window, lease controls, heartbeat, termination, or policy.
Model and tool limits
Use provider constraints, model allowlists, tool posture, and scope checks together.
Audit logs
Record issuance, admission, denial, replay, reservation, and finalization decisions.
Example grants
Control AI usage by task, team, and time.
Grant
Give each support ticket a $2 AI budget.
The support workflow can summarize, draft, and classify inside a ticket-scoped budget. If the budget is exhausted, the provider call is denied before forwarding.
- Scope
- support.reply
- Budget
- $2 per ticket
- Expiry
- 45 minutes
- Audit
- Every model and tool call
Where it fits
Built for workflows where access needs limits.
Support-ticket summaries
Per-ticket task budgets.
Invoice and document analysis
Scoped document-processing grants.
Sales email drafting
Team budgets and model allowlists.
Internal knowledge Q&A
App grants without raw provider keys.
Browser and SaaS assistants
Tool scopes and approval gates.
Contractor AI access
Temporary access and revocation.
Department-wise budgets
Monthly usage limits and audit logs.
Agent framework execution
Task-bound model and tool enforcement.
Trust model
Keep provider keys locked away.
Provider API keys stay in the vault. People, apps, contractors, and agents receive scoped grants with budgets, expiry, model limits, and audit logs.
- No raw provider keys in daily workflows.
- Every grant has a budget.
- Every grant can expire.
- Every model and tool call is logged.
- Every workflow can have its own limits.
Why Boundkeys
Access control before model execution.
Instead of
Use Boundkeys for
Sharing API keys
Issuing AI grants
Unlimited usage
Per-task and team budgets
Manual tracking
Audit logs
Permanent access
Expiry and revocation
Provider lock-in
BYOK or managed models
Start narrow
Start with one workflow and a clear limit.
Boundkeys can begin as a BYOK control layer, managed AI credits, a scenario pack, contractor access, or agent runtime control.
BYOK control layer
Managed AI credits
Scenario packs
Contractor access packs
Agent runtime control
Technical anchors
AUG source links for runtime claims.
The public claims above are grounded in the AUG docs and should stay aligned with the implementation before publication.
Controlled AI access