Settings
API keys for running your canvases. Stored only in this browser, forwarded per request, never logged.
API Keys (BYOK)
Anthropic (Claude)
Best on prompt rewriting + reasoning. Opus, Sonnet, Haiku.
OpenAI
GPT-4o, GPT-4o-mini. Cheaper at the low-end, broad ecosystem.
Encrypted Cloud Vault (Phase 18)
Cloud Vault is opt-in for signed-in accounts
Sign in to encrypt your keys with a passphrase and stash the ciphertext on our server. We literally cannot read it — only you can decrypt with the passphrase. Until then your keys live in this browser's localStorage only.
How we handle your keys
Stored only in your browser
Keys live in this browser's localStorage. They're never written to our database or any external service.
Auditable network calls
Every LLM call is visible in your browser's network tab. Inspect headers, payloads, responses — verify there's no funny business.
Server-side proxy, no logs
We proxy through our Next.js API so the call goes from server to provider. The key sits in process memory for the duration of the request — never logged, never persisted.
Browser is the trust boundary
localStorage is accessible to any JavaScript on this origin. Don't paste your key on a public computer. We never inject 3rd-party scripts that could read it.
Where your data lives
Canvases
This browser's localStorage. Up to 50 saved canvases per profile (~5 MB cap). Export to JSON for a portable copy.
API keys
Per-provider in localStorage (pc:keys:anthropic etc). Never on our server. Per-request only — see audit cards above.
Run history
Last 50 completed runs in localStorage (under pc:run-history:*). Includes the canvas snapshot + the output blob, retrievable from the Output Drawer's Save button.
Favorites
Library favorites + UI preferences in localStorage. Carries over only on this browser; sync arrives with the optional Cloud Vault (Phase 18).
Nothing on our servers. Exports give you portable copies that you own.