Open Source API Gateway

Control your keys,
secure your apps.

KeyControl allows you to take any private API key and generate restricted virtual keys. Limit permissions, set quotas, and manage everything through a simple Docker container.

Virtual Key Generation

Don't expose your master keys. Create virtual keys with specific scopes for your microservices or frontend apps.

Docker First

Self-host your own API gateway in seconds. Your keys never leave your infrastructure.

Permission Scoping

Granular control over what each virtual key can access. Limit keys to specific HTTP methods (GET, POST, etc.) or specific endpoints, enforcing the principle of least privilege.

Key Expiry

Set automatic key expiry by date or by call limit. Keys automatically revoke when they reach their expiration date or usage limit, ensuring temporary access stays temporary.

Key Rotation

Rotate keys directly via API without downtime. Seamlessly replace old keys with new ones, maintaining security without disrupting your services.

Fast Integration

Keep your current payload and headers. Just replace the URL with the gateway URL and the API key with the virtual key. The gateway takes care of the rest.
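The four features above describe one request path: the client presents a virtual key, the gateway checks scope (method and endpoint), expiry (date or call quota) and rotation state, then swaps in the real upstream key and forwards the unchanged payload. The following is an added, constructed illustration of that flow in plain Python, not KeyControl's code; the class names, the `vk_` prefix, the Bearer header format and the grace-period rotation are assumptions made for the example.

```python
"""Constructed example of a virtual-key gateway check (not KeyControl's code).

A virtual key maps to one master key held only by the gateway. Each request is
authorised against the key's method/path scope, date expiry and call quota
before the master key is substituted into the upstream request.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac
import secrets
from typing import Optional


@dataclass
class VirtualKey:
    secret: str                     # value handed to the client (constructed "vk_..." format)
    master_key_id: str              # which upstream master key this key is allowed to use
    methods: frozenset              # permitted HTTP methods, e.g. {"GET"}
    path_prefixes: tuple            # permitted endpoint prefixes
    expires_at: Optional[datetime]  # None means no date-based expiry
    max_calls: Optional[int]        # None means no call quota
    calls_used: int = 0
    revoked: bool = False


class Gateway:
    def __init__(self, master_keys: dict):
        self._master_keys = master_keys  # id -> real upstream secret; never returned to clients
        self._virtual: dict = {}         # virtual secret -> VirtualKey

    def issue(self, master_key_id, methods, path_prefixes,
              expires_at=None, max_calls=None) -> str:
        secret = "vk_" + secrets.token_urlsafe(24)
        self._virtual[secret] = VirtualKey(secret, master_key_id, frozenset(methods),
                                           tuple(path_prefixes), expires_at, max_calls)
        return secret

    def _lookup(self, presented):
        # Constant-time comparison so key lookup does not leak prefix matches via timing.
        for stored, vk in self._virtual.items():
            if hmac.compare_digest(stored, presented):
                return vk
        return None

    def authorize(self, presented, method, path, now=None):
        """Return (True, master_key_id) or (False, reason). Only allowed calls count."""
        now = now or datetime.now(timezone.utc)
        vk = self._lookup(presented)
        if vk is None or vk.revoked:
            return (False, "unknown or revoked key")
        if vk.expires_at is not None and now >= vk.expires_at:
            vk.revoked = True                      # automatic revocation on date expiry
            return (False, "key expired")
        if vk.max_calls is not None and vk.calls_used >= vk.max_calls:
            vk.revoked = True                      # automatic revocation on quota exhaustion
            return (False, "call quota exhausted")
        if method.upper() not in vk.methods:
            return (False, f"method {method} not permitted")
        if not any(path.startswith(p) for p in vk.path_prefixes):
            return (False, f"path {path} not permitted")
        vk.calls_used += 1
        return (True, vk.master_key_id)

    def forward(self, presented, method, path, headers, now=None):
        """Build the upstream request: same payload/headers, master key swapped in."""
        ok, info = self.authorize(presented, method, path, now)
        if not ok:
            return {"status": 403, "error": info}
        upstream = dict(headers)
        upstream["Authorization"] = "Bearer " + self._master_keys[info]
        return {"status": 200, "method": method, "path": path, "headers": upstream}

    def rotate(self, old_secret, now=None, grace_seconds=0) -> str:
        """Issue a replacement key; the old one stays valid only for the grace window."""
        now = now or datetime.now(timezone.utc)
        vk = self._lookup(old_secret)
        if vk is None:
            raise KeyError("unknown virtual key")
        vk.expires_at = now + timedelta(seconds=grace_seconds)
        return self.issue(vk.master_key_id, vk.methods, vk.path_prefixes,
                          expires_at=None, max_calls=vk.max_calls)


def demo():
    """Walk constructed keys through scope, quota, expiry and rotation checks."""
    gw = Gateway({"upstream": "sk_master_constructed"})  # constructed master key
    t0 = datetime(2026, 2, 1, tzinfo=timezone.utc)
    r = {}
    vk = gw.issue("upstream", ["GET"], ["/v1/files/"],
                  expires_at=t0 + timedelta(days=1), max_calls=2)
    r["in_scope"] = gw.authorize(vk, "GET", "/v1/files/123", now=t0)
    r["wrong_method"] = gw.authorize(vk, "DELETE", "/v1/files/123", now=t0)
    r["wrong_path"] = gw.authorize(vk, "GET", "/v1/admin/users", now=t0)
    fwd = gw.forward(vk, "GET", "/v1/files/123",
                     {"Authorization": "Bearer " + vk, "Accept": "application/json"}, now=t0)
    r["forwarded_auth"] = fwd["headers"]["Authorization"]
    r["quota_hit"] = gw.authorize(vk, "GET", "/v1/files/123", now=t0)
    vk2 = gw.issue("upstream", ["POST"], ["/v1/"], expires_at=t0 + timedelta(hours=1))
    r["date_expired"] = gw.authorize(vk2, "POST", "/v1/send", now=t0 + timedelta(hours=2))
    vk3 = gw.issue("upstream", ["GET"], ["/v1/"])
    vk3_new = gw.rotate(vk3, now=t0, grace_seconds=60)
    r["old_in_grace"] = gw.authorize(vk3, "GET", "/v1/a", now=t0 + timedelta(seconds=30))
    r["old_after_grace"] = gw.authorize(vk3, "GET", "/v1/a", now=t0 + timedelta(seconds=90))
    r["new_works"] = gw.authorize(vk3_new, "GET", "/v1/a", now=t0 + timedelta(days=30))
    return r
```

Two design points matter for a real deployment: denied requests never consume quota (the counter is incremented only after every check passes), and rotation does not revoke the old key immediately but sets a short expiry on it, which is what makes a rotation "without downtime" possible for clients that pick up the new key a little later.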

Why KeyControl?

Others

1Password, Vault, AWS Secrets, Bitwarden

  • Hard to set up
  • Steep learning curve
  • Not optimized for APIs
  • No request logging

KeyControl

The API-First Alternative

  • Zero learning curve
  • Built specifically for APIs
  • Real-time request logs
  • Instant Docker deployment

The "Master Key" Problem

These platforms provide powerful master keys but often lack granular permission scoping. KeyControl fixes this.

  • Bunny.net ❌ Critical: the same password allows DELETE of all files and can purge an entire storage zone
  • Claude ✅ Well-Scoped: keys are limited to API calls only and cannot access console data
  • Mailchimp ❌ Critical: the token inherits the user's role; it can create admin accounts, delete all lists and access customer data
  • Twilio ❌ Critical: the same Auth Token can access all customer phone numbers in logs, trigger calls and modify rates
  • Pusher ⚠️ Partial: the App Secret can view all private channel data and trigger fake events impersonating users
  • DigitalOcean ✅ Improved: Custom Scopes now allow granular CRUD per resource type
  • SendGrid ⚠️ Partial: the API key sends from any verified domain on the account and has access to all unsubscribe lists
  • Intercom ⚠️ Partial: the Access Token inherits full user workspace permissions; it can read all conversations and modify pricing
  • Shopify ❌ Critical: the Admin token reads all customer orders, accesses payment methods and modifies product prices
  • Vercel ⚠️ Partial: a team token can redeploy all projects, access all environment variables and modify domains
  • Netlify ⚠️ Partial: the token allows deleting all sites and accessing all deployment logs, with exposed environment variables
  • Loom ❌ Critical: the API key grants access to all workspace videos and can delete recording libraries
  • Monday.com ❌ Critical: the token grants account-wide access to all boards and items; it can delete data and modify permissions
  • Jira ⚠️ Partial: the legacy token provides full project admin; it can delete issues, modify permissions and export the backlog
  • Supabase ❌ Critical: the service key bypasses Row Level Security (RLS) entirely and reads all rows from all tables
  • Calendly ❌ Critical: the API key grants access to all calendars; it can delete events, modify availability and view attendee details
  • Bitly ❌ Critical: the generic access token grants access to all links in the account; it can delete/modify URLs and access analytics

...including (probably all) the APIs you developed for internal use.

Planned Launch: Second week of February

We're currently building the core engine. Follow our progress on GitHub or bookmark this site to stay in the loop!