ORIS
BYOK Key Management

Your keys. Your providers. Your infrastructure.

Oris stores your Turnkey, Fireblocks, and Circle API keys with envelope encryption. Each key is encrypted with a per-developer AES-256-GCM data key. That data key is encrypted by HashiCorp Vault Transit. Plaintext credentials never persist.

Envelope Encryption Flow
Your API Key → AES-256-GCM DEK → Vault Transit KEK

Plaintext exposure: 0ms persistent

3 Providers
AES-256-GCM Encryption Standard
0ms Persistent Exposure
Per-Dev Isolated DEK

Envelope Encryption
01

How it works

Four steps between your raw API key and a double-encrypted ciphertext stored in Vault Transit.

01

Register Keys

Register your provider keys through the API or dashboard. You submit credentials once. Oris handles storage from that point forward.

02

Generate DEK

Oris generates a fresh AES-256-GCM data encryption key (DEK) unique to your account. Every developer receives an independent DEK.

03

Double Encrypt

The DEK encrypts your provider keys. Vault Transit encrypts the DEK. Both ciphertexts are stored. The plaintext DEK is destroyed.

04

Decrypt and Wipe

When your agent initiates a payment, Oris decrypts the DEK through Vault Transit, decrypts your provider key in ephemeral memory, calls your provider, and wipes the key from the process heap at the C level via ctypes.

Provider Key Status
02
Provider Keys (3 registered)

Circle: cir_sk_****e91b, DEK v1, Active
Turnkey: tk_prod_****3d8f, DEK v2, Active
Fireblocks: fb_api_****a4c2, DEK v1, Rotating

Last audit: 12 seconds ago. Vault Transit: Healthy

Full visibility over every key

The Oris dashboard displays the status of every registered provider key. You see which keys are active, which DEK version protects them, and when the last Vault Transit health check completed.

Key rotation triggers are surfaced in real time. When Vault Transit rotates the KEK, every DEK is re-wrapped automatically. The dashboard confirms re-wrap completion for each provider.

Developer Experience
03

Two API calls. Full encryption.

Register your provider key once. Every subsequent agent payment decrypts, calls, and wipes automatically. Your application code stays simple. The encryption complexity runs inside Oris.

byok_example.py

# `oris` is the configured Oris SDK client and `agent` an agent created
# through it; their setup is not shown on this page.

# Register your Turnkey key
oris.provider_keys.save(
    provider="turnkey",
    credentials={"api_key": "tk_prod_..."}
)

# Your agent pays. Oris handles the rest.
agent.pay(to="0x...", amount=12.50, chain="base")

Security Architecture
04

Three layers of protection

Every credential passes through three independent security boundaries before reaching storage.

Vault Transit KEK

Key material never leaves HashiCorp Vault. Rotation happens inside Vault with zero application downtime. The key encrypting key (KEK) is managed entirely by Vault's Transit secrets engine.

Per-Developer DEK

Every developer account receives its own data encryption key. One compromised account cannot expose another. Blast radius is isolated to a single developer.

Ephemeral Memory

After every API call, the plaintext key is overwritten at the C level using ctypes.memset. Python garbage collection gives no guarantee about when, or whether, sensitive data is cleared. The wipe is deterministic.
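The decrypt-and-wipe step (04) and the Ephemeral Memory layer describe zeroing the plaintext key at the C level with ctypes.memset. Below is an added illustration of that pattern, written for this page and not Oris code: the decrypted credential lives in a bytearray, is zeroed through ctypes when the block exits, and the second provider stand-in shows that a copy a caller makes into an immutable str is outside the wipe's reach. The DEK and Vault Transit decryption that would produce the plaintext is out of scope; the key and both provider calls are constructed stand-ins.

```python
import ctypes
from typing import Callable, Tuple


class EphemeralSecret:
    def __init__(self, plaintext: bytes) -> None:
        # One mutable copy we control; bytes/str objects cannot be overwritten.
        self._buf = bytearray(plaintext)
        self.wiped = False

    def view(self) -> memoryview:
        # Shares the buffer: callers that stay on the view make no copies.
        return memoryview(self._buf)

    def wipe(self) -> None:
        n = len(self._buf)
        if not self.wiped and n:
            # Address of the bytearray's backing store; memset zeroes it at
            # the C level instead of waiting for the garbage collector.
            addr = ctypes.addressof((ctypes.c_char * n).from_buffer(self._buf))
            ctypes.memset(addr, 0, n)
        self.wiped = True

    def __enter__(self) -> "EphemeralSecret":
        return self

    def __exit__(self, *exc) -> bool:
        self.wipe()
        return False  # never swallow exceptions


def decrypt_call_wipe(plaintext_key: bytes,
                      provider_call: Callable[[memoryview], object]) -> Tuple[object, bytes]:
    """Step 04 in miniature: plaintext_key stands in for the DEK-decrypted
    provider key. Returns (provider result, buffer contents after the wipe)."""
    secret = EphemeralSecret(plaintext_key)
    with secret:
        result = provider_call(secret.view())
    return result, bytes(secret._buf)  # all zeros if the wipe worked


def careful_call(key: memoryview) -> int:
    # Reads the key through the view only; stand-in for the provider call.
    return sum(key)

def careless_call(key: memoryview) -> str:
    # decode() builds an immutable str copy that the wipe cannot reach.
    return key.tobytes().decode("ascii")

SAMPLE_KEY = b"tk_prod_EXAMPLE_0000"  # constructed; not a real credential
```

The wipe covers only the buffer the class owns; whatever a caller copies out of the view is that caller's responsibility.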

Scope Definition
05
What Oris does not do

Oris does not process payments. Oris does not hold funds. Oris does not require a payment license.

You maintain your own accounts with Turnkey, Fireblocks, or Circle. You own the provider relationship.

Oris encrypts, decrypts, and wipes your credentials on every request. That is the entire scope of BYOK key management.

Turnkey: Distributed MPC
Fireblocks: Institutional MPC
Circle: Programmable Wallets

Get Started

Start building with BYOK

Register your provider keys and deploy your first agent payment in under ten minutes.