boundkeys

Issue AI grants instead of API keys.

Boundkeys gives people, apps, contractors, and agents controlled AI access with budgets, expiry, audit logs, and provider keys kept safely in the vault.

See controlled AI access View example grants
Keys
Vaulted
Access
Scoped
Spend
Bounded
Calls
Audited
Grant policy active

support.ticket.summary

Spend meter $0.08 spent, $0.25 reserved
Token reserve 820 used, 20,000 reserved
Time window 14 minutes elapsed, 45 minutes reserved
Vault exposure 0 keys exposed

scope matched support.ticket.summary

budget held $0.25

model call approved

usage recorded $0.08

Why this exists

AI access is spreading faster than teams can control it.

Support systems, document workflows, internal apps, browser assistants, and agent frameworks all need model access. Most teams start by copying provider keys into tools, scripts, and temporary workflows.

Permanent keys

Raw credentials keep living in tools, scripts, and machines after the task ends.

Open-ended spend

Usage is difficult to limit by ticket, contractor, app, user, team, or month.

Thin accountability

Model calls and tool actions are hard to inspect when workflows run across systems.

The control layer

One AI control layer for task-bound workflows.

Boundkeys combines AI Usage Grants with a lightweight AI gateway and BYOK or managed models. It turns provider credentials into limited grants that can be issued, enforced, audited, expired, and revoked.

01

Provider key vault

Keep provider API keys out of daily workflows while grants carry runtime limits.

02

Temporary usage grants

Issue access envelopes for a task, app route, contractor, user, team, or agent run.

03

Per-task budgets

Bound usage with exact and reserved meters before provider forwarding starts.

04

Expiry and revocation

Let access end by time window, lease controls, heartbeat, termination, or policy.

05

Model and tool limits

Use provider constraints, model allowlists, tool posture, and scope checks together.

06

Audit logs

Record issuance, admission, denial, replay, reservation, and finalization decisions.

Example grants

Control AI usage by task, team, and time.

Grant

Give each support ticket a $0.25 AI budget.

The support workflow can summarize, draft, and classify inside a ticket-scoped budget. If the budget is exhausted, the provider call is denied before forwarding.

Scope
support.reply
Budget
$0.25 per ticket
Expiry
45 minutes
Audit
Every model and tool call

Trust model

Keep provider keys locked away.

Provider API keys stay in the vault. People, apps, contractors, and agents receive scoped grants with budgets, expiry, model limits, and audit logs.

  • No raw provider keys in daily workflows.
  • Every grant has a budget.
  • Every grant can expire.
  • Every model and tool call is logged.
  • Every workflow can have its own limits.

Why Boundkeys

Access control before model execution.

Instead of Use Boundkeys for
Sharing API keys Issuing AI grants
Unlimited usage Per-task and team budgets
Manual tracking Audit logs
Permanent access Expiry and revocation
Provider lock-in BYOK or managed models

Controlled AI access

Give your workflows safe AI access.

Contact boundkeys