Governance

Token Vaulting

The Spendplane One-Way Token Vault secures your sensitive third-party API keys (OpenAI, Stripe, etc.) without exposing them to your LLM agents or internal logs.

Secure Injection

Instead of hard-coding API keys in your prompts or environment variables, Spendplane uses Token References. When your agent makes a request, the Spendplane gateway intercepts it and injects the actual key only at the point of transit.

Dynamic Key Rotation

You can configure your vault to rotate keys automatically. This ensures that even if a token is intercepted, its lifetime is limited to a few minutes.

Usage: Reference-Based API Calls

// Use a vault token instead of a raw key
import OpenAI from "openai";
const openai = new OpenAI({ apiKey: "vault://OP_LIVE_KEY_123", baseURL: "https://shadow.spendplane.com/v1" });

"The Shadow Plane will automatically resolve the 'vault://' prefix into the live encrypted token before forwarding the request to OpenAI."

HSM-Backed Security

All vault tokens are encrypted using AES-256-GCM with master keys stored in a Hardware Security Module (HSM). Not even the Spendit Agent can decrypt these keys once they are vaulted; they are only decoded in memory during the gRPC session handshake.
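
The sketch below is an added example, not Spendplane's own code. It illustrates the Secure Injection and HSM-Backed Security sections together: a gateway-side handler that accepts only a vault:// reference, decrypts the AES-256-GCM record in memory, and injects the real key into the upstream headers while the log record keeps the reference. Assumptions: the function names (vaultSecret, decrypt, injectKey) are hypothetical, an in-process MASTER_KEY stands in for the HSM, and binding the reference name as GCM associated data is a design choice of this example.

```javascript
const crypto = require("node:crypto");

// Stand-in for the HSM-held master key (assumption: a real HSM never exports it).
const MASTER_KEY = crypto.randomBytes(32);
const REF_PATTERN = /^vault:\/\/([A-Z0-9_]{1,64})$/;
const vault = new Map(); // reference name -> { iv, ct, tag }

// Vault a secret with AES-256-GCM. The reference name is bound as AAD so a
// ciphertext cannot be moved under a different reference.
function vaultSecret(name, secret) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", MASTER_KEY, iv);
  cipher.setAAD(Buffer.from(name));
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  vault.set(name, { iv, ct, tag: cipher.getAuthTag() });
}

// Decrypt only at the moment of forwarding; throws if the record was altered.
function decrypt(name) {
  const rec = vault.get(name);
  if (!rec) throw new Error(`unknown reference: ${name}`);
  const d = crypto.createDecipheriv("aes-256-gcm", MASTER_KEY, rec.iv);
  d.setAAD(Buffer.from(name));
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
}

// Build the upstream headers and the log record for one intercepted request.
function injectKey(headers) {
  const bearer = (headers.authorization || "").replace(/^Bearer /, "");
  const m = REF_PATTERN.exec(bearer);
  // Refuse raw keys so a real secret never appears on the agent-facing side.
  if (!m) throw new Error("authorization must be a vault:// reference");
  const upstream = { ...headers, authorization: `Bearer ${decrypt(m[1])}` };
  const logRecord = { ...headers }; // still holds only the reference
  return { upstream, logRecord };
}

// Constructed sample data: not a real key.
vaultSecret("OP_LIVE_KEY_123", "sk-constructed-example");
```

Rejecting anything that is not a reference is what keeps a raw key out of agent prompts and logs; the GCM tag check makes a modified or relocated vault record fail closed instead of decrypting to garbage.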

Trace Hub: Manual v1.0.4 / Vault Sec Verification: SECURE