[security]

security

How we keep your data safe. TL;DR — your keys never leave your browser.

zero-knowledge architecture

AIWorkbench uses a direct browser-to-API architecture. When you make a request, your browser connects directly to the provider endpoint (api.anthropic.com, api.openai.com, etc.). No intermediary server, no proxy, no backend. We literally cannot see your API keys, prompts, or outputs.

api key storage

Your keys are stored in sessionStorage only:

✓ Cleared automatically when you close the browser tab
✓ Never written to disk or persistent storage
✓ Never transmitted to any server we control
✓ Not accessible to other tabs or origins (same-origin policy)

network flow

your browser ──key──▶ api.anthropic.com
your browser ──key──▶ api.openai.com
your browser ──key──▶ generativelanguage.googleapis.com
your browser ──key──▶ api.deepseek.com
your browser ──key──▶ api.llama.com
your browser ──key──▶ bedrock-runtime.*.amazonaws.com
✗ no traffic flows through aiworkbench.dev servers

cors & browser security

Some providers (Anthropic) require a special header (anthropic-dangerous-direct-browser-access: true) to allow direct browser requests. This is safe because the header merely enables CORS — it does not weaken authentication. Your API key is still required and validated server-side by the provider.

what we don't do

✗ No backend server or API proxy
✗ No server-side logging of requests or responses
✗ No database storing user data
✗ No third-party analytics that track individuals
✗ No cookies for tracking or advertising

responsible disclosure

If you discover a security vulnerability, please report it responsibly via our contact page. We will acknowledge your report within 48 hours and work to resolve it promptly.