Security & routing
How keys are stored
Section titled “How keys are stored”- Keys are encrypted at rest with AES-256-GCM; the encryption key lives only in the backend environment, never in the database or the frontend.
- The full key is write-only: after saving, the UI shows only the last four characters.
- Keys are validated live at save time with one minimal model call, so a dead key, a key in the wrong field, or a key with no credit is rejected immediately with a specific error.
- Deleting a key removes it permanently; agents that depended on it return a clear error naming the missing key.
How a model call is routed
Section titled “How a model call is routed”Each model in the catalog maps to a provider and an API model id. When an AI Agent node runs:
- Zapito looks up the agent’s model (e.g. Claude Haiku → Anthropic,
claude-haiku-4-5). - If your workspace has a key for that provider, the call goes directly to the provider with your key.
- With no key for that provider, the turn fails with an error naming the missing key — visible in Test chat and conversation history.
There is no Zapito-owned key in this path: your traffic runs on your accounts, under your rate limits, at your provider’s prices.