
sxwik/vAPI


vAPI — Virtual API Gateway

Local-first API key management, virtual key generation, request auditing, and provider proxying for AI applications.

vAPI is a local-first desktop application and proxy gateway designed to protect your real AI provider API keys.

Instead of embedding OpenAI or Gemini API keys directly into scripts, local tools, experiments, and open-source applications, you store your real provider credentials inside vAPI's encrypted local vault and generate unlimited virtual keys (vapi-sk-...) for your applications.

If a virtual key is leaked, abused, or shared accidentally, it can be revoked instantly without rotating your real provider key.

Why vAPI?

Most AI applications require direct access to provider API keys. This creates several problems:

  • Real API keys become scattered across multiple projects.
  • Revoking a compromised key often requires updating every application that uses it.
  • Open-source tools frequently ask users to paste sensitive API credentials directly into the application.
  • Monitoring usage across multiple applications becomes difficult.

vAPI solves this by acting as a secure local gateway between your applications and AI providers.


Architecture

sequenceDiagram
    participant App as Client Application
    participant Gateway as vAPI Gateway
    participant Vault as SQLite Vault
    participant Provider as Upstream Provider

    App->>Gateway: Request using vapi-sk-...
    Gateway->>Vault: Validate Virtual Key
    Vault-->>Gateway: Provider + Restrictions

    Gateway->>Vault: Fetch Encrypted Provider Key
    Vault-->>Gateway: Encrypted Secret

    Gateway->>Gateway: Decrypt Provider Key
    Gateway->>Gateway: Validate Model Restrictions

    Gateway->>Provider: Forward Request
    Provider-->>Gateway: Response

    Gateway-->>App: Return Response
    Gateway->>Vault: Log Request

Features

Virtual API Keys

Generate unlimited virtual keys for any configured provider.

vapi-sk-7f4b...
vapi-sk-a129...
vapi-sk-94cd...

Each key can be revoked independently without affecting your real provider credentials.

Multi-Provider Support

Currently supported:

  • Google Gemini
  • OpenAI

Additional providers can be added through future gateway adapters.

Model Restrictions

Restrict virtual keys to specific models.

Examples:

  • Allow only Gemini Flash models
  • Block expensive models
  • Limit internal tools to approved endpoints

Wildcard Proxying

vAPI forwards requests transparently to the upstream provider.

Supports:

  • Standard requests
  • Streaming responses
  • Arbitrary endpoints
  • Future model releases without requiring gateway updates

Usage Auditing

Track every request including:

  • Timestamp
  • Provider
  • Virtual key used
  • Endpoint
  • HTTP status code
  • Latency

Gateway Diagnostics

Built-in diagnostics verify:

  • Database availability
  • Encryption vault status
  • Internet connectivity
  • Provider reachability
  • Gateway health

Secure Local Storage

Provider credentials are encrypted before being stored locally.

vAPI uses the Python cryptography library and encrypted local storage to protect provider secrets at rest.

Automatic Retry Logic

Transient upstream failures are handled automatically.

Retries are performed for:

  • HTTP 429
  • HTTP 502
  • HTTP 503

using exponential backoff.
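A retry loop for the three statuses listed above, written as an added example rather than taken from vAPI's source. The `send` callable, the attempt limit, the delay parameters, and the handling of `Retry-After` are assumptions; the upstream is replaced by a constructed stub so the block runs offline.

```python
import random
import time

RETRYABLE = {429, 502, 503}  # the statuses the README lists


def forward_with_retry(send, max_attempts=4, base=0.5, cap=8.0,
                       sleep=time.sleep, rng=random.random):
    """Call send() until it returns a non-retryable status or attempts run out.

    send is a hypothetical callable returning (status, headers, body).
    Returns (status, body, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        # Anything else (200, 400, 401, 403, ...) goes straight back to the
        # client: retrying a rejected credential only adds noise upstream.
        if status not in RETRYABLE or attempt == max_attempts:
            return status, body, attempt
        # Exponential backoff with full jitter, capped at `cap` seconds.
        delay = rng() * min(cap, base * 2 ** (attempt - 1))
        # If the provider sends a numeric Retry-After, wait at least that
        # long, still bounded by the cap.
        retry_after = headers.get("Retry-After", "")
        if retry_after.isdigit():
            delay = max(delay, min(cap, float(retry_after)))
        sleep(delay)


def scripted(statuses):
    """Constructed upstream stub: returns the given statuses in order."""
    it = iter(statuses)
    return lambda: (next(it), {}, b"")


if __name__ == "__main__":
    waits = []
    print(forward_with_retry(scripted([503, 429, 200]), sleep=waits.append), waits)
```

For streaming responses a retry is only safe before the first byte has been relayed to the client.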


Desktop Client

The desktop application is built with:

  • PySide6
  • FastAPI
  • SQLite
  • SQLAlchemy

Features include:

  • Provider management
  • Virtual key generation
  • Usage monitoring
  • Diagnostics
  • Import/export functionality
  • Gateway control

The desktop client automatically starts and manages the local gateway.


Local Installation

Requirements

  • Python 3.11+
  • Windows, Linux, or macOS

Clone Repository

git clone https://github.com/sxwik/vAPI.git
cd vAPI

Install Dependencies

pip install -r requirements.txt

Launch Application

python main.py

On first launch, vAPI will:

  1. Create the SQLite database.
  2. Generate encryption secrets.
  3. Start the FastAPI gateway.
  4. Launch the desktop interface.

The gateway runs locally on:

http://127.0.0.1:8000

Docker Deployment

For headless deployments:

docker compose up -d

The Docker image runs only the gateway component without the desktop UI.

Configuration persists through mounted volumes:

vapi.db
.env

This allows vAPI to be deployed on:

  • Servers
  • NAS systems
  • Home labs
  • Cloud VPS instances

Using Virtual Keys

After creating a provider and generating a virtual key:

vapi-sk-1234abcd...

configure your applications to point at:

http://127.0.0.1:8000

Google Gemini SDK

from google import genai

client = genai.Client(
    api_key="vapi-sk-1234abcd...",
    http_options={
        "base_url": "http://127.0.0.1:8000"
    }
)

response = client.models.generate_content(
    model="gemini-2.5-flash",
    contents="Hello world"
)

print(response.text)

OpenAI SDK

from openai import OpenAI

client = OpenAI(
    api_key="vapi-sk-1234abcd...",
    base_url="http://127.0.0.1:8000/v1"
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[
        {"role": "user", "content": "Hello world"}
    ]
)

print(response.choices[0].message.content)

Current Status

Version 1.0.0

Supported providers:

  • Gemini
  • OpenAI

Current focus:

  • Additional provider integrations
  • Improved installer experience
  • Enhanced authentication controls
  • Expanded gateway diagnostics

Security Notes

  • Never commit .env to version control.
  • Never commit vapi.db to version control.
  • Use separate virtual keys for different applications.
  • Revoke compromised virtual keys immediately.

vAPI is designed to minimize exposure of real provider credentials, but users remain responsible for securing their local system and backups.


License

Licensed under the Apache License 2.0.
