Interactive Demo

REST Key Injection

Users authorize access by entering their API key into a secure Gateway iframe. The key never touches the client's systems — only an opaque reference is returned. The Gateway injects the real key on every request.

Secure Key Onboarding

User authorizes access — API key captured by the Gateway, never seen by the client

Act 1/3

User:

Client:

Service:

Jordan

Horizon Tech is requesting access to your Lofty account. Enter your API key to authorize.

Your key goes directly to the Secure Gateway — Horizon Tech never sees it

authorizes

SECURE GATEWAY

Hosted by Layr8 - isolated from Horizon Tech

SECURE

Enter your Lofty API key to authorize Horizon Tech

This iframe is served directly by the Secure Gateway. Horizon Tech cannot read its contents.

returns kid_...

Horizon Tech

Waiting for Jordan to authorize access to Lofty...

How Secure Key Onboarding Works

Jordan enters their Lofty API key into a secure vault. Like Stripe's payment form, the key never passes through Horizon Tech's systems. Enter any value to see the flow.

Enter an API key above to see the secure onboarding flow.

Interactive demo: REST Key Injection via Layr8 Secure Gateway

Secure Key Capture

Users enter their API key through a Gateway-hosted iframe. Like Stripe's payment form, the secret never touches the client's systems — only an opaque reference is returned.

Just-in-Time Injection

On each API call, the Gateway decrypts the key from its KMS vault, injects it into the outbound request, and discards it. Never cached, never exposed.

Breach Containment

If the client is compromised, attackers find no API keys — only useless opaque references. Users' service data stays completely protected.