Interactive Demo

REST Key Injection

Users authorize access by entering their API key into a secure Gateway iframe. The key never touches the client's systems — only an opaque reference is returned. The Gateway injects the real key on every request.

Secure Key Onboarding

User authorizes access — API key captured by the Gateway, never seen by the client

Act 1/3

User:

Client:

Service:

Taylor

Apex Digital is requesting access to your SyncWorks account. Enter your API key to authorize.

Your key goes directly to the Secure Gateway — Apex Digital never sees it

authorizes

SECURE GATEWAY

Hosted by Layr8 - isolated from Apex Digital

SECURE

Enter your SyncWorks API key to authorize Apex Digital

This iframe is served directly by the Secure Gateway. Apex Digital cannot read its contents.

returns kid_...

Apex Digital

Waiting for Taylor to authorize access to SyncWorks...

How Secure Key Onboarding Works

Taylor enters their SyncWorks API key into a secure vault. Like Stripe's payment form, the key never passes through Apex Digital's systems. Enter any value to see the flow.

Enter an API key above to see the secure onboarding flow.

Interactive demo: REST Key Injection via Layr8 Secure Gateway

Secure Key Capture

Users enter their API key through a Gateway-hosted iframe. Like Stripe's payment form, the secret never touches the client's systems — only an opaque reference is returned.

Just-in-Time Injection

On each API call, the Gateway decrypts the key from its KMS vault, injects it into the outbound request, and discards it. Never cached, never exposed.

Breach Containment

If the client is compromised, attackers find no API keys — only useless opaque references. Users' service data stays completely protected.