{"id":318886,"date":"2026-05-30T19:11:19","date_gmt":"2026-05-30T19:11:19","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/syncific-vault-api-key-protection\/"},"modified":"2026-05-30T19:34:36","modified_gmt":"2026-05-30T19:34:36","slug":"syncific-vault","status":"publish","type":"plugin","link":"https:\/\/hsb.wordpress.org\/plugins\/syncific-vault\/","author":14646867,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.1","stable_tag":"1.0.1","tested":"7.0","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"Syncific Vault \u2014 API Key Protection & Security","header_author":"Syncific","header_description":"Protect your API keys from database exposure. Keys are stored in an encrypted off-site vault \u2014 never in your WordPress database. Supports OpenAI, Anthropic, Google AI, Stripe, and any API.","assets_banners_color":"030303","last_updated":"2026-05-30 19:34:36","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/syncific.com\/vault","header_author_uri":"https:\/\/syncific.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":67,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.1":{"tag":"1.0.1","author":"tagteamdesign","date":"2026-05-30 19:34:36"}},"upgrade_notice":{"1.0.1":"<p>Adds per-site token binding and broker callback verification, expands the credential scanner to 20 patterns across three tables, and hardens admin input validation. Recommended for all users.<\/p>","1.0.0":"<p>First release \u2014 protect your API keys from database exposure.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3554965,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3554965,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3554965,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3554965,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3554965,"resolution":"1","location":"assets","locale":"","width":1280,"height":800},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3554965,"resolution":"2","location":"assets","locale":"","width":1280,"height":800},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3554965,"resolution":"3","location":"assets","locale":"","width":1280,"height":800}},"screenshots":{"1":"Add and manage protected API keys for OpenAI, Anthropic, Google AI, OpenRouter, and custom API domains","2":"Placeholder keys paste into any plugin \u2014 Vault transparently injects the real key on every request","3":"Built-in database scanner checks wp_options, wp_postmeta, and wp_usermeta against 20 credential patterns (OpenAI, Anthropic, Google AI, OpenRouter, xAI, Stripe, GitHub, AWS, and more)"}},"plugin_section":[],"plugin_tags":[2353,246286,174467,194533,600],"plugin_category":[54],"plugin_contributors":[260644,253481],"plugin_business_model":[],"class_list":["post-318886","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-api-keys","plugin_tags-credentials","plugin_tags-openai","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-lightsyncpro","plugin_contributors-tagteamdesign","plugin_committers-tagteamdesign"],"banners":{"banner":"https:\/\/ps.w.org\/syncific-vault\/assets\/banner-772x250.png?rev=3554965","banner_2x":"https:\/\/ps.w.org\/syncific-vault\/assets\/banner-1544x500.png?rev=3554965","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/syncific-vault\/assets\/icon-128x128.png?rev=3554965","icon_2x":"https:\/\/ps.w.org\/syncific-vault\/assets\/icon-256x256.png?rev=3554965","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/syncific-vault\/assets\/screenshot-1.png?rev=3554965","caption":"Add and manage protected API keys for OpenAI, Anthropic, Google AI, OpenRouter, and custom API domains"},{"src":"https:\/\/ps.w.org\/syncific-vault\/assets\/screenshot-2.png?rev=3554965","caption":"Placeholder keys paste into any plugin \u2014 Vault transparently injects the real key on every request"},{"src":"https:\/\/ps.w.org\/syncific-vault\/assets\/screenshot-3.png?rev=3554965","caption":"Built-in database scanner checks wp_options, wp_postmeta, and wp_usermeta against 20 credential patterns (OpenAI, Anthropic, Google AI, OpenRouter, xAI, Stripe, GitHub, AWS, and more)"}],"raw_content":"<!--section=description-->\n<p>WordPress stores API keys in your database in plain text by default. If your database is compromised through SQL injection, a backup leak, or a vulnerable plugin, every API key is exposed. WordPress 7.0's new Connectors API stores AI provider keys the same way (core ticket #64789).<\/p>\n\n<p><strong>Syncific Vault fixes this.<\/strong> Your API keys are moved to an encrypted vault hosted off-site. Your WordPress database stores only a reference \u2014 the real key is injected at request time and never persists locally.<\/p>\n\n<p><strong>One vault for all your AI plugins.<\/strong> Store your API keys in Syncific Vault \u2014 not in your database. Paste the secure placeholder into AI Engine, ClassifAI, Elementor AI, or any plugin that needs it. When you rotate a key with your provider, update it once in Syncific Vault \u2014 every plugin gets the new key instantly.<\/p>\n\n<h4>How it works<\/h4>\n\n<ol>\n<li>Paste your API key in the Syncific Vault settings page<\/li>\n<li>The key is encrypted and sent to the Syncific Vault (AES-256, never in your database)<\/li>\n<li>A secure placeholder key is generated \u2014 paste it into your other plugins' settings<\/li>\n<li>When any plugin makes an API call, Syncific Vault intercepts it and injects the real key<\/li>\n<li>Other plugins work normally \u2014 they don't know the key was swapped<\/li>\n<li>If your database is dumped or compromised, no API keys are exposed<\/li>\n<\/ol>\n\n<h4>Supports any AI API key<\/h4>\n\n<ul>\n<li><strong>AI providers:<\/strong> OpenAI, Anthropic, Google AI, OpenRouter<\/li>\n<li><strong>Any API<\/strong> that uses header-based authentication (custom domain support included)<\/li>\n<\/ul>\n\n<h4>Security<\/h4>\n\n<ul>\n<li>Keys encrypted with AES-256 in an isolated vault file \u2014 not a database<\/li>\n<li>Vault file stored outside the web root with strict file permissions<\/li>\n<li>Patent-pending broker architecture (US App. No. 19\/440,404)<\/li>\n<li>Keys never stored in wp_options, wp_postmeta, or any WordPress table<\/li>\n<li>In-memory key retrieval only \u2014 credentials are not persisted in any WordPress storage layer (database, transients, or options)<\/li>\n<li>One-click key rotation \u2014 update a key once, every plugin gets the new key instantly<\/li>\n<li>Rate-limited vault access (60 requests\/minute per site)<\/li>\n<li>Fails open by design \u2014 vault outages never break your WordPress site, though AI features dependent on protected keys will fail authentication until the vault is reachable again<\/li>\n<\/ul>\n\n<h4>Protects against<\/h4>\n\n<ul>\n<li>Database dumps and backup file exposure<\/li>\n<li>SQL injection attacks<\/li>\n<li>Compromised plugins that read wp_options<\/li>\n<li>Unauthorized phpMyAdmin or database client access<\/li>\n<li>Hosting provider data breaches<\/li>\n<\/ul>\n\n<h4>External Service<\/h4>\n\n<p>This plugin relies on the <strong>Syncific Vault API<\/strong>, an external broker service operated by <a href=\"https:\/\/syncific.com\">Syncific<\/a>, to store and retrieve encrypted API keys. All requests are sent to the broker endpoint at <code>https:\/\/lightsyncpro.com\/wp-json\/lsp-broker\/v1\/<\/code> \u2014 the broker host that Syncific operates for this service.<\/p>\n\n<p><strong>What the service does:<\/strong> Syncific Vault provides encrypted off-site storage for API keys. Keys are encrypted with AES-256 and stored in an isolated vault file on the Syncific broker server (<code>lightsyncpro.com<\/code>) \u2014 not in your WordPress database.<\/p>\n\n<p><strong>What data is sent and when:<\/strong><\/p>\n\n<ul>\n<li><strong>When you store a key:<\/strong> Your site URL, a hash of your site URL, a per-site authentication token, a single-use verification nonce, the API domain, the API key, a label, and the authentication header name are sent to the broker (<code>lightsyncpro.com<\/code>) via HTTPS. The broker then calls your site back once at <code>\/wp-json\/svault\/v1\/verify<\/code> to confirm site ownership before binding the key.<\/li>\n<li><strong>When a plugin makes an API call to a protected domain:<\/strong> Your site URL hash, per-site token, and the API domain are sent to the broker (<code>lightsyncpro.com<\/code>) to retrieve the real key. The key is held in PHP memory only for the duration of the request and is never written to your database.<\/li>\n<li><strong>When you remove a key (or uninstall the plugin):<\/strong> Your site URL hash, per-site token, and the API domain are sent to the broker (<code>lightsyncpro.com<\/code>) to remove the key from the vault.<\/li>\n<\/ul>\n\n<p>No other user data, site content, or visitor information is ever transmitted.<\/p>\n\n<p><strong>Service links:<\/strong><\/p>\n\n<ul>\n<li><a href=\"https:\/\/syncific.com\/terms.html\">Syncific Terms of Service<\/a><\/li>\n<li><a href=\"https:\/\/syncific.com\/privacy.html\">Syncific Privacy Policy<\/a><\/li>\n<\/ul>\n\n<h4>Supported AI Providers<\/h4>\n\n<p>Syncific Vault includes preset support for the following AI provider APIs. <strong>This plugin does not connect to these services directly.<\/strong> They are the destination domains whose API keys are protected by Vault. When another plugin on your site makes a request to one of these domains, Syncific Vault intercepts the request and injects the protected key. The traffic to these providers originates from your other plugins (such as AI Engine, ClassifAI, or any plugin you've configured), not from Syncific Vault itself.<\/p>\n\n<ul>\n<li><strong>OpenAI<\/strong> (api.openai.com) \u2014 <a href=\"https:\/\/openai.com\/policies\/terms-of-use\">Terms of Use<\/a> | <a href=\"https:\/\/openai.com\/policies\/privacy-policy\">Privacy Policy<\/a><\/li>\n<li><strong>Anthropic<\/strong> (api.anthropic.com) \u2014 <a href=\"https:\/\/www.anthropic.com\/legal\/consumer-terms\">Consumer Terms<\/a> | <a href=\"https:\/\/www.anthropic.com\/legal\/privacy\">Privacy Policy<\/a><\/li>\n<li><strong>Google AI \/ Gemini<\/strong> (generativelanguage.googleapis.com) \u2014 <a href=\"https:\/\/ai.google.dev\/gemini-api\/terms\">API Terms<\/a> | <a href=\"https:\/\/policies.google.com\/privacy\">Privacy Policy<\/a><\/li>\n<li><strong>OpenRouter<\/strong> (openrouter.ai) \u2014 <a href=\"https:\/\/openrouter.ai\/terms\">Terms<\/a> | <a href=\"https:\/\/openrouter.ai\/privacy\">Privacy<\/a><\/li>\n<\/ul>\n\n<p>You may also add any other domain through the \"Add Custom Domain\" option in the plugin settings. Whatever domain you add becomes a protected destination \u2014 your other plugins continue to send requests to that domain as they normally would, and Syncific Vault transparently provides the credentials.<\/p>\n\n<h4>Free and open source<\/h4>\n\n<p>Syncific Vault is completely free. No limits on the number of keys you can protect.<\/p>\n\n<h4>Made by Syncific<\/h4>\n\n<p>Syncific Vault is built by the team behind <a href=\"https:\/\/syncific.com\">Syncific<\/a> \u2014 the creative asset sync platform. The same patent-pending broker architecture that protects OAuth credentials for Lightroom, Figma, Canva, and Dropbox now protects your API keys.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>syncific-vault<\/code> folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<li>Go to Settings \u2192 Syncific Vault<\/li>\n<li>Select a preset (OpenAI, Anthropic, etc.) or enter a custom domain<\/li>\n<li>Paste your API key and click \"Store in Vault\"<\/li>\n<li>Copy the placeholder key and paste it into your other plugins' key fields<\/li>\n<li>Done \u2014 your key is now protected and every plugin works through the vault<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"where%20are%20my%20keys%20stored%3F\"><h3>Where are my keys stored?<\/h3><\/dt>\n<dd><p>Your keys are encrypted with AES-256 and stored in an isolated vault file on the Syncific broker server. The vault file is not a database \u2014 it's an encrypted file on disk with strict permissions (0600). The encryption key is separate from the vault file. Your WordPress database never contains your real API keys.<\/p><\/dd>\n<dt id=\"how%20is%20this%20different%20from%20a%20plugin%20that%20encrypts%20keys%20in%20the%20wordpress%20database%3F\"><h3>How is this different from a plugin that encrypts keys in the WordPress database?<\/h3><\/dt>\n<dd><p>Encryption-in-database plugins still leave the encrypted keys and the encryption key on your WordPress server. If an attacker gains access through SQL injection, a backup leak, or a vulnerable plugin, they can extract both the encrypted keys and the means to decrypt them. Syncific Vault is architecturally different: the keys aren't on your WordPress server at all. There's nothing to decrypt because there's nothing there.<\/p><\/dd>\n<dt id=\"will%20my%20existing%20plugins%20still%20work%3F\"><h3>Will my existing plugins still work?<\/h3><\/dt>\n<dd><p>Yes. Syncific Vault uses WordPress's <code>http_request_args<\/code> filter to intercept outgoing API calls and inject the real key before the request is sent. The calling plugin (AI Engine, ClassifAI, Elementor AI, WooCommerce, etc.) works exactly as before \u2014 it doesn't know the key was swapped.<\/p><\/dd>\n<dt id=\"how%20do%20i%20rotate%20a%20key%3F\"><h3>How do I rotate a key?<\/h3><\/dt>\n<dd><p>Click \"Rotate Key\" next to any protected key in the Syncific Vault settings page, paste your new key, and you're done. Every plugin on your site that uses that key gets the new one instantly \u2014 no need to update settings in each individual plugin.<\/p><\/dd>\n<dt id=\"what%20happens%20if%20the%20vault%20is%20unreachable%3F\"><h3>What happens if the vault is unreachable?<\/h3><\/dt>\n<dd><p>The plugin fails open \u2014 it never blocks your WordPress site from loading. During a Syncific Vault outage, API calls from your other plugins will proceed with the placeholder key and fail authentication at the provider (OpenAI, Anthropic, etc.). Your site remains fully functional; only the AI features dependent on protected keys are temporarily affected. Once the broker is reachable, key injection resumes automatically.<\/p><\/dd>\n<dt id=\"is%20this%20compatible%20with%20wordpress%207.0%27s%20connectors%20api%3F\"><h3>Is this compatible with WordPress 7.0's Connectors API?<\/h3><\/dt>\n<dd><p>Yes. Syncific Vault intercepts the HTTP requests that the Connectors API makes to AI providers, injecting the real key from the vault instead of the one stored in the WordPress database.<\/p><\/dd>\n<dt id=\"what%20about%20multisite%3F\"><h3>What about multisite?<\/h3><\/dt>\n<dd><p>Each site in a multisite network gets its own vault entry (keyed by site URL hash). Sites cannot access each other's keys.<\/p><\/dd>\n<dt id=\"can%20i%20verify%20my%20keys%20are%20protected%3F\"><h3>Can I verify my keys are protected?<\/h3><\/dt>\n<dd><p>Yes. Syncific Vault includes a built-in database scanner that checks wp_options for common AI API key patterns (OpenAI, Anthropic, Google AI, OpenRouter). Run it anytime from the settings page to confirm no keys are exposed.<\/p><\/dd>\n<dt id=\"do%20you%20store%20my%20keys%20forever%3F\"><h3>Do you store my keys forever?<\/h3><\/dt>\n<dd><p>Keys remain in the vault until you remove them. You can remove any key from the Syncific Vault settings page at any time. On plugin uninstall, local references are cleaned up. To remove keys from the vault itself, use the Remove button before uninstalling.<\/p><\/dd>\n<dt id=\"what%20if%20syncific%20shuts%20down%3F%20will%20i%20lose%20access%20to%20my%20ai%20services%3F\"><h3>What if Syncific shuts down? Will I lose access to my AI services?<\/h3><\/dt>\n<dd><p>No. Syncific Vault doesn't replace your provider relationship \u2014 OpenAI, Anthropic, Google AI, and OpenRouter all let you retrieve or regenerate keys from your provider dashboard at any time. We recommend keeping an off-vault backup of any business-critical API key. The plugin is designed so you can leave at any time: deactivate Syncific Vault, paste your original keys directly into your plugins, and continue normally. Your provider accounts and keys are always yours.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Added per-site token binding \u2014 every vault operation is authenticated by a site-specific secret stored locally, HMAC-verified on the broker<\/li>\n<li>Added broker-to-site callback verification on first registration \u2014 proves site ownership before binding (DNS-pinned, SSRF-protected on the broker)<\/li>\n<li>Expanded credential scanner from 5 to 20 patterns across wp_options, wp_postmeta, and wp_usermeta \u2014 now detects OpenAI, Anthropic, Google AI, OpenRouter, xAI, Replicate, HuggingFace, Stripe, GitHub, AWS, DigitalOcean, Slack, and SendGrid credential shapes<\/li>\n<li>Hardened input validation across admin AJAX handlers<\/li>\n<li>Normalized site URL handling to match broker canonical form (lowercase scheme\/host, default ports stripped)<\/li>\n<li>Expanded preset AI provider documentation with provider terms and privacy policy links<\/li>\n<li>Clarified that the plugin does not connect to AI provider APIs directly \u2014 it protects keys for other plugins that do<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Support for AI API keys (OpenAI, Anthropic, Google AI, OpenRouter) and any custom API<\/li>\n<li>AES-256 encrypted off-site vault<\/li>\n<li>Automatic key injection via WordPress http_request_args filter<\/li>\n<li>Secure placeholder keys for cross-plugin compatibility<\/li>\n<li>One-click key rotation<\/li>\n<li>Built-in database scanner to verify protection<\/li>\n<li>Admin UI with domain presets and custom domain support<\/li>\n<li>Rate-limited vault access (60 requests\/minute per site)<\/li>\n<\/ul>","raw_excerpt":"WordPress stores AI API keys in your database in plain text. Syncific Vault moves your OpenAI, Anthropic, Google AI, and OpenRouter keys to an encrypt &hellip;","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/318886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=318886"}],"author":[{"embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/tagteamdesign"}],"wp:attachment":[{"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=318886"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=318886"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=318886"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=318886"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=318886"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/hsb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=318886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}