BenchmarksStack Ranking
H33-VaultH33-ShareH33-ShieldH33-HealthH33-KeyH33-GatewayH33-128H33-CKKSH33-256H33-BFV32H33-FHE-IQFHE OverviewZK LookupsBiometricsH33-3-KeyH33-MPCPQC ArchitecturePQ Video
APIsPricingTokenDocsWhite PaperBlogAboutSecurity Demo
Log InGet API Key

Your infrastructure touches every API key in plaintext. H33-Gateway makes that impossible.

Every API call to Stripe, AWS, Twilio, SendGrid — your servers hold plaintext credentials in memory. One memory dump, one compromised dependency, one misconfigured log, and those keys are exposed. Vaults protect storage. VPNs protect the network. But the moment the key is actually used — the API call itself — the credential is naked in your application memory.

H33-Gateway runs API calls inside a Trusted Execution Environment. Your encrypted key goes in. The plaintext exists only inside the secure enclave. The response comes back. Your infrastructure never touches the raw credential.

Start Building

VPNs protect the network. Vaults protect storage. But nothing protects the moment a key is actually used — the API call itself. Your application decrypts the credential, loads it into memory, attaches it to an HTTP header, and sends it over the wire. For that entire window, the plaintext exists in your infrastructure. H33-Gateway closes that gap. The credential is decrypted inside a hardware-isolated enclave, the API call is made from within the TEE, and the response is returned encrypted. Your servers never see the raw key.

Zero-exposure API calls. Post-quantum encrypted transit.

Here’s what happens when you proxy an API call through H33-Gateway.

Step 01 — Configure Target
Register Your Third-Party API
Register your third-party API endpoint — Stripe, AWS, any REST API. Set the base URL, auth header template, allowed paths, and rate limits. One-time setup, zero units consumed. Gateway stores the target configuration, not the credential itself.
Register your third-party API endpoint — Stripe, AWS, any REST API. Set the base URL, auth header template, allowed paths, and rate limits. One-time setup, zero units consumed. Gateway stores the target configuration, not the credential itself.
Step 02 — Encrypt Your Credential
Kyber-1024 Key Encapsulation
Use H33-Key to encrypt your API key with Kyber-1024. You get back a key_id (hk_...) — a reference, not the key itself. Store the key_id anywhere. It’s useless without H33 decryption. Even a quantum computer can’t derive the original credential from the key_id.
Use H33-Key to encrypt your API key with Kyber-1024. You get back a key_id (hk_...) — a reference, not the key itself. Store the key_id anywhere. It’s useless without H33 decryption. Even a quantum computer can’t derive the original credential from the key_id.
Step 03 — Proxy Through TEE
Hardware-Isolated API Execution
Send your API request to H33-Gateway with the key_id. Inside the TEE, the key is decrypted, the API call is made, and the response is returned. The plaintext credential exists only inside the hardware-isolated enclave. Your servers, our servers, no one outside the TEE ever sees it.
Send your API request to H33-Gateway with the key_id. Inside the TEE, the key is decrypted, the API call is made, and the response is returned. The plaintext credential exists only inside the hardware-isolated enclave. Your servers, our servers, no one outside the TEE ever sees it.
Step 04 — Audit & Compliance
Dilithium-Signed Audit Trail
Every proxied call is logged with a Dilithium-signed audit trail. Tamper-proof evidence of what was accessed, when, and by whom — without revealing the credential itself. Post-quantum signatures that satisfy SOC 2, PCI DSS, and HIPAA logging requirements.
Every proxied call is logged with a Dilithium-signed audit trail. Tamper-proof evidence of what was accessed, when, and by whom — without revealing the credential itself. Post-quantum signatures that satisfy SOC 2, PCI DSS, and HIPAA logging requirements.
< 50 ms
full encrypt + TEE decrypt + proxy + sign per operation

Kyber-1024 decapsulation + TEE execution + third-party API call + Dilithium audit signature — added overhead under 50ms.

Plaintext exists only inside TEE — never in your infrastructure.

CLIENT  Encrypt key_id + request payload
TRANSIT  Kyber-1024 encrypted envelope (post-quantum safe)
TEE  Decrypt key, execute API call inside enclave
RESPONSE  Encrypted response returned, key destroyed
AUDIT  Dilithium-signed transaction log
Total: —
Gateway Pipeline

Every integration point is an exposure point. Until now.

Payment Processing
Proxy Stripe, Adyen, Square API calls. Your payment processor credentials never exist in your application memory. PCI DSS scope reduction — the credential never touches your cardholder data environment.
Healthcare / HIPAA
EHR integrations, lab APIs, pharmacy systems. PHI-adjacent credentials protected by hardware isolation. Dilithium audit satisfies HIPAA 164.312(b) access logging requirements.
Multi-Cloud
AWS, GCP, Azure service credentials proxied through TEE. Rotate cloud keys without redeploying. Cross-cloud credential isolation — no single infrastructure layer holds all your cloud access keys.
Third-Party SaaS
Twilio, SendGrid, Salesforce, any REST API. Every integration point is a potential exposure. Gateway eliminates the exposure window entirely — credentials go from encrypted storage to TEE to API call without ever existing in your code.

One operation. Full isolation.

Gateway
35 units per operation
TEE-isolated API proxy + Kyber-1024 decrypt + Dilithium audit + encrypted response
<25K units$2.10
25K–250K$1.40
250K–2.5M$0.875
2.5M–25M$0.42
25M+$0.21
Get Started

What’s included in every operation

TEE isolation
Kyber-1024 key decapsulation
Any REST API target
Dilithium audit trail
Rate limiting per target
Encrypted response channel

Volume Unit Pricing

Monthly Volume $/Unit Gateway (35u)
<25K units $0.060 $2.10
25K–250K $0.040 $1.40
250K–2.5M $0.025 $0.875
2.5M–25M $0.012 $0.42
25M+ $0.006 $0.21

How Gateway compares

H33-Gateway Direct API Call Secrets Manager + Call HSM + Call
Plaintext in app memory Never Always During call During call
Post-quantum transit Kyber-1024 No No No
Hardware isolation TEE enclave No No HSM only (no proxy)
Audit trail Dilithium-signed App logs CloudTrail HSM logs
Credential rotation Zero-downtime Redeploy Redeploy Redeploy
Added latency <50ms 0ms ~5ms ~10ms

All units fungible — same balance as H33-Auth, H33-Vault, H33-Key, H33-Shield, and H33-Share.

Stop Exposing Your Credentials

Get API Key

35 units per operation. Volume discounts from $0.21/call.