Foolery integrates with OpenRouter for access to AI models. This requires an API key which is sensitive and must be protected.
- The API key is stored in the OS keychain (macOS Keychain / Linux secret-service) when available, with a fallback to
~/.config/foolery/settings.toml. - When stored on disk, the settings file is restricted to owner-only access (mode
0600). - The key is never committed to version control —
settings.tomlis in.gitignore.
- The full API key is only accessible on the server side (Next.js API routes).
- The settings API returns a masked version (e.g.,
sk-or-...xxxx) to the browser. - The browser only sends the key during initial entry or update — it never receives the full key back.
- Localhost transport: The key travels over
http://localhostbetween the browser and the Next.js dev server. This is not encrypted but is only accessible on the local machine. - Memory: The key exists in server process memory while the app is running.
- Keychain fallback: If the OS keychain is unavailable, the key falls back to plaintext file storage (with 0600 permissions).
- Use a scoped key: Create a dedicated OpenRouter API key with minimal permissions for use with Foolery. Do not reuse keys from other applications.
- Rotate regularly: Rotate your API key periodically at openrouter.ai/keys.
- Set a spend limit: Configure a spending limit on your OpenRouter account to cap unexpected usage.
- Review the in-app explainer: Click "Is This Secure?" in the OpenRouter settings section for a current assessment.