WordPress.org

Portugal

Obter o WordPress
WordPress.org

Plugin Directory

Syncific Vault — API Key Protection & Security

Syncific Vault — API Key Protection & Security

Por tagteamdesign
Descarregar

Descrição

WordPress stores API keys in your database in plain text by default. If your database is compromised through SQL injection, a backup leak, or a vulnerable plugin, every API key is exposed. WordPress 7.0’s new Connectors API stores AI provider keys the same way (core ticket #64789).

Syncific Vault fixes this. Your API keys are moved to an encrypted vault hosted off-site. Your WordPress database stores only a reference — the real key is injected at request time and never persists locally.

One vault for all your AI plugins. Store your API keys in Syncific Vault — not in your database. Paste the secure placeholder into AI Engine, ClassifAI, Elementor AI, or any plugin that needs it. When you rotate a key with your provider, update it once in Syncific Vault — every plugin gets the new key instantly.

How it works

  1. Paste your API key in the Syncific Vault settings page
  2. The key is encrypted and sent to the Syncific Vault (AES-256, never in your database)
  3. A secure placeholder key is generated — paste it into your other plugins’ settings
  4. When any plugin makes an API call, Syncific Vault intercepts it and injects the real key
  5. Other plugins work normally — they don’t know the key was swapped
  6. If your database is dumped or compromised, no API keys are exposed

Supports any AI API key

  • AI providers: OpenAI, Anthropic, Google AI, OpenRouter
  • Any API that uses header-based authentication (custom domain support included)

Security

  • Keys encrypted with AES-256 in an isolated vault file — not a database
  • Vault file stored outside the web root with strict file permissions
  • Patent-pending broker architecture (US App. No. 19/440,404)
  • Keys never stored in wp_options, wp_postmeta, or any WordPress table
  • In-memory key retrieval only — credentials are not persisted in any WordPress storage layer (database, transients, or options)
  • One-click key rotation — update a key once, every plugin gets the new key instantly
  • Rate-limited vault access (60 requests/minute per site)
  • Fails open by design — vault outages never break your WordPress site, though AI features dependent on protected keys will fail authentication until the vault is reachable again

Protects against

  • Database dumps and backup file exposure
  • SQL injection attacks
  • Compromised plugins that read wp_options
  • Unauthorized phpMyAdmin or database client access
  • Hosting provider data breaches

External Service

This plugin relies on the Syncific Vault API, an external broker service operated by Syncific, to store and retrieve encrypted API keys. All requests are sent to the broker endpoint at https://lightsyncpro.com/wp-json/lsp-broker/v1/ — the broker host that Syncific operates for this service.

What the service does: Syncific Vault provides encrypted off-site storage for API keys. Keys are encrypted with AES-256 and stored in an isolated vault file on the Syncific broker server (lightsyncpro.com) — not in your WordPress database.

What data is sent and when:

  • When you store a key: Your site URL, a hash of your site URL, a per-site authentication token, a single-use verification nonce, the API domain, the API key, a label, and the authentication header name are sent to the broker (lightsyncpro.com) via HTTPS. The broker then calls your site back once at /wp-json/svault/v1/verify to confirm site ownership before binding the key.
  • When a plugin makes an API call to a protected domain: Your site URL hash, per-site token, and the API domain are sent to the broker (lightsyncpro.com) to retrieve the real key. The key is held in PHP memory only for the duration of the request and is never written to your database.
  • When you remove a key (or uninstall the plugin): Your site URL hash, per-site token, and the API domain are sent to the broker (lightsyncpro.com) to remove the key from the vault.

No other user data, site content, or visitor information is ever transmitted.

Service links:

Supported AI Providers

Syncific Vault includes preset support for the following AI provider APIs. This plugin does not connect to these services directly. They are the destination domains whose API keys are protected by Vault. When another plugin on your site makes a request to one of these domains, Syncific Vault intercepts the request and injects the protected key. The traffic to these providers originates from your other plugins (such as AI Engine, ClassifAI, or any plugin you’ve configured), not from Syncific Vault itself.

You may also add any other domain through the “Add Custom Domain” option in the plugin settings. Whatever domain you add becomes a protected destination — your other plugins continue to send requests to that domain as they normally would, and Syncific Vault transparently provides the credentials.

Free and open source

Syncific Vault is completely free. No limits on the number of keys you can protect.

Made by Syncific

Syncific Vault is built by the team behind Syncific — the creative asset sync platform. The same patent-pending broker architecture that protects OAuth credentials for Lightroom, Figma, Canva, and Dropbox now protects your API keys.

Ecrãs

  • Add and manage protected API keys for OpenAI, Anthropic, Google AI, OpenRouter, and custom API domains
  • Placeholder keys paste into any plugin — Vault transparently injects the real key on every request
  • Built-in database scanner checks wp_options, wp_postmeta, and wp_usermeta against 20 credential patterns (OpenAI, Anthropic, Google AI, OpenRouter, xAI, Stripe, GitHub, AWS, and more)

Instalação

  1. Upload the syncific-vault folder to /wp-content/plugins/
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Go to Settings Syncific Vault
  4. Select a preset (OpenAI, Anthropic, etc.) or enter a custom domain
  5. Paste your API key and click “Store in Vault”
  6. Copy the placeholder key and paste it into your other plugins’ key fields
  7. Done — your key is now protected and every plugin works through the vault

Perguntas frequentes

Where are my keys stored?

Your keys are encrypted with AES-256 and stored in an isolated vault file on the Syncific broker server. The vault file is not a database — it’s an encrypted file on disk with strict permissions (0600). The encryption key is separate from the vault file. Your WordPress database never contains your real API keys.

How is this different from a plugin that encrypts keys in the WordPress database?

Encryption-in-database plugins still leave the encrypted keys and the encryption key on your WordPress server. If an attacker gains access through SQL injection, a backup leak, or a vulnerable plugin, they can extract both the encrypted keys and the means to decrypt them. Syncific Vault is architecturally different: the keys aren’t on your WordPress server at all. There’s nothing to decrypt because there’s nothing there.

Will my existing plugins still work?

Yes. Syncific Vault uses WordPress’s http_request_args filter to intercept outgoing API calls and inject the real key before the request is sent. The calling plugin (AI Engine, ClassifAI, Elementor AI, WooCommerce, etc.) works exactly as before — it doesn’t know the key was swapped.

How do I rotate a key?

Click “Rotate Key” next to any protected key in the Syncific Vault settings page, paste your new key, and you’re done. Every plugin on your site that uses that key gets the new one instantly — no need to update settings in each individual plugin.

What happens if the vault is unreachable?

The plugin fails open — it never blocks your WordPress site from loading. During a Syncific Vault outage, API calls from your other plugins will proceed with the placeholder key and fail authentication at the provider (OpenAI, Anthropic, etc.). Your site remains fully functional; only the AI features dependent on protected keys are temporarily affected. Once the broker is reachable, key injection resumes automatically.

Is this compatible with WordPress 7.0’s Connectors API?

Yes. Syncific Vault intercepts the HTTP requests that the Connectors API makes to AI providers, injecting the real key from the vault instead of the one stored in the WordPress database.

What about multisite?

Each site in a multisite network gets its own vault entry (keyed by site URL hash). Sites cannot access each other’s keys.

Can I verify my keys are protected?

Yes. Syncific Vault includes a built-in database scanner that checks wp_options for common AI API key patterns (OpenAI, Anthropic, Google AI, OpenRouter). Run it anytime from the settings page to confirm no keys are exposed.

Do you store my keys forever?

Keys remain in the vault until you remove them. You can remove any key from the Syncific Vault settings page at any time. On plugin uninstall, local references are cleaned up. To remove keys from the vault itself, use the Remove button before uninstalling.

What if Syncific shuts down? Will I lose access to my AI services?

No. Syncific Vault doesn’t replace your provider relationship — OpenAI, Anthropic, Google AI, and OpenRouter all let you retrieve or regenerate keys from your provider dashboard at any time. We recommend keeping an off-vault backup of any business-critical API key. The plugin is designed so you can leave at any time: deactivate Syncific Vault, paste your original keys directly into your plugins, and continue normally. Your provider accounts and keys are always yours.

Avaliações

Este plugin não tem avaliações.

Contribuidores e programadores

“Syncific Vault — API Key Protection & Security” é software de código aberto. As seguintes pessoas contribuíram para este plugin:

Contribuidores

Traduza o “Syncific Vault — API Key Protection & Security” para o seu idioma.

Interessado no desenvolvimento?

Consulte o código, consulte o repositório SVN, ou subscreva o registo de alterações por RSS.

Registo de alterações

1.0.1

  • Added per-site token binding — every vault operation is authenticated by a site-specific secret stored locally, HMAC-verified on the broker
  • Added broker-to-site callback verification on first registration — proves site ownership before binding (DNS-pinned, SSRF-protected on the broker)
  • Expanded credential scanner from 5 to 20 patterns across wp_options, wp_postmeta, and wp_usermeta — now detects OpenAI, Anthropic, Google AI, OpenRouter, xAI, Replicate, HuggingFace, Stripe, GitHub, AWS, DigitalOcean, Slack, and SendGrid credential shapes
  • Hardened input validation across admin AJAX handlers
  • Normalized site URL handling to match broker canonical form (lowercase scheme/host, default ports stripped)
  • Expanded preset AI provider documentation with provider terms and privacy policy links
  • Clarified that the plugin does not connect to AI provider APIs directly — it protects keys for other plugins that do

1.0.0

  • Initial release
  • Support for AI API keys (OpenAI, Anthropic, Google AI, OpenRouter) and any custom API
  • AES-256 encrypted off-site vault
  • Automatic key injection via WordPress http_request_args filter
  • Secure placeholder keys for cross-plugin compatibility
  • One-click key rotation
  • Built-in database scanner to verify protection
  • Admin UI with domain presets and custom domain support
  • Rate-limited vault access (60 requests/minute per site)

Metadados

Classificações

Ainda não foram submetidas avaliações.

Your review

See all reviews

Suporte

Tem algo a dizer? Precisa de ajuda?

Ver fórum de suporte