BYOK Key Management

Your keys. Your providers. Your infrastructure.

Oris stores your Pimlico, Circle, Turnkey, and Fireblocks API keys with envelope encryption. Each key is encrypted with a per-developer AES-256-GCM data key. That data key is encrypted by HashiCorp Vault Transit. Plaintext credentials never persist.

Envelope Encryption

How it works

01

Register Keys

Register your provider keys through the API or dashboard. You submit credentials once. Oris handles storage from that point forward.

02

Generate DEK

Oris generates a fresh AES-256-GCM data encryption key (DEK) unique to your account. Every developer receives an independent DEK.

03

Double Encrypt

The DEK encrypts your provider keys. Vault Transit encrypts the DEK. Both ciphertexts are stored. The plaintext DEK is destroyed.

04

Decrypt and Wipe

When your agent initiates a payment, Oris decrypts the DEK through Vault Transit, decrypts your provider key in ephemeral memory, calls your provider, and wipes the key from the process heap at the C level via ctypes.
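The four steps above, carried through as an added example that is not Oris's code: a Python model of the envelope scheme built on the `cryptography` package's AESGCM. A local AES-256-GCM key stands in for Vault Transit (an assumption made for an offline example; in production the wrap and unwrap calls go to Vault's Transit engine and the KEK never leaves it), and the class and function names are hypothetical. The model also shows the property the Security Architecture section claims for per-developer DEKs: one developer's DEK cannot open another developer's records, because the GCM tag fails. The in-memory wipe of step 04 is not part of this block; the decrypted credential is returned to the caller as plain bytes.

```python
# Added example: envelope encryption of provider credentials (not the Oris implementation).
# Assumptions: `cryptography` is installed; VaultTransitStandIn replaces a real Vault Transit call.
import os
from dataclasses import dataclass, field
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

NONCE_LEN = 12  # 96-bit GCM nonce, freshly generated for every encryption


class VaultTransitStandIn:
    """Stand-in for HashiCorp Vault Transit: the KEK lives only inside this object.
    The application only ever calls encrypt/decrypt; it never sees the KEK."""

    def __init__(self) -> None:
        self._kek = AESGCM.generate_key(bit_length=256)

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        return nonce + AESGCM(self._kek).encrypt(nonce, plaintext, b"dek-wrap")

    def decrypt(self, blob: bytes) -> bytes:
        return AESGCM(self._kek).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], b"dek-wrap")


@dataclass
class StoredCredential:
    nonce: bytes
    ciphertext: bytes  # provider credential encrypted under the developer's DEK


@dataclass
class KeyStore:
    """What persists: wrapped DEKs and credential ciphertexts. No plaintext."""
    transit: VaultTransitStandIn
    wrapped_deks: dict = field(default_factory=dict)  # developer_id -> DEK wrapped by the KEK
    credentials: dict = field(default_factory=dict)   # (developer_id, provider) -> StoredCredential

    def _dek_for(self, developer_id: str) -> bytes:
        """Unwrap the developer's DEK through Transit; on first use, generate and wrap one (step 02)."""
        if developer_id not in self.wrapped_deks:
            dek = AESGCM.generate_key(bit_length=256)
            self.wrapped_deks[developer_id] = self.transit.encrypt(dek)
            return dek
        return self.transit.decrypt(self.wrapped_deks[developer_id])

    def register(self, developer_id: str, provider: str, credential: bytes) -> None:
        """Steps 01 and 03: encrypt the credential under the DEK, keep only ciphertexts."""
        dek = self._dek_for(developer_id)
        nonce = os.urandom(NONCE_LEN)
        # Associated data binds the ciphertext to its owner and provider; any mismatch fails the tag.
        aad = f"{developer_id}:{provider}".encode()
        ct = AESGCM(dek).encrypt(nonce, credential, aad)
        self.credentials[(developer_id, provider)] = StoredCredential(nonce, ct)
        del dek  # drop the plaintext DEK reference; only the wrapped copy is stored

    def fetch(self, developer_id: str, provider: str) -> bytes:
        """Step 04 (decrypt part): unwrap the DEK via Transit, then decrypt the credential."""
        rec = self.credentials[(developer_id, provider)]
        dek = self._dek_for(developer_id)
        aad = f"{developer_id}:{provider}".encode()
        return AESGCM(dek).decrypt(rec.nonce, rec.ciphertext, aad)


def cross_developer_decrypt_fails(store: KeyStore, owner: str, provider: str, other: str) -> bool:
    """Isolation check: a different developer's DEK cannot open this record."""
    rec = store.credentials[(owner, provider)]
    other_dek = store._dek_for(other)
    try:
        AESGCM(other_dek).decrypt(rec.nonce, rec.ciphertext, f"{owner}:{provider}".encode())
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    store = KeyStore(VaultTransitStandIn())
    store.register("dev-42", "pimlico", b"pm_live_EXAMPLE")  # constructed sample credential
    print(store.fetch("dev-42", "pimlico"))
```

Two points the model makes concrete: a developer who registers keys for several providers gets one DEK, not one per key, so the number of wrapped DEKs equals the number of developers; and a fetch for the wrong developer or provider fails at the GCM tag rather than returning garbage, because that pairing is authenticated as associated data.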

Developer Experience

Two API calls. Full encryption.

Register your provider key once. Every subsequent agent payment decrypts, calls, and wipes automatically. Your application code stays simple. The encryption complexity runs inside Oris.

byok_example.py

# Register your Pimlico key once.
# Assumes `oris` is an initialized Oris client and `agent` an initialized Oris agent.
oris.provider_keys.save(
    provider="pimlico",
    credentials={"api_key": "pm_live_..."},
)

# Your agent pays. Oris decrypts the key, calls the provider, and wipes the plaintext.
agent.pay(to="0x...", amount=12.50, chain="base")

Security Architecture

Three layers of protection

Vault Transit KEK

Key material never leaves HashiCorp Vault. Rotation happens inside Vault with zero application downtime. The key encrypting key (KEK) is managed entirely by Vault's Transit secrets engine.

Per-Developer DEK

Every developer account receives its own data encryption key. One compromised account cannot expose another. Blast radius is isolated to a single developer.

Ephemeral Memory

After every API call, the plaintext key is overwritten at the C level using ctypes.memset. Python garbage collection frees memory but does not overwrite it, so sensitive data can linger until the page is reused. The wipe is deterministic.
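How a ctypes.memset wipe of that kind can be done in Python, as an added example that is not the Oris implementation (the `wipe` helper and `EphemeralSecret` class are hypothetical names). The point it shows is the precondition the paragraph leaves implicit: memset can only zero a mutable buffer, so the plaintext has to be held in a bytearray rather than a bytes object, and every bytes copy made along the way (for instance by an HTTP client building a header) is freed but never overwritten. The wipe therefore bounds the exposure window; it does not erase copies the code did not control.

```python
# Added example: deterministic in-place wipe of a secret buffer (not the Oris implementation).
import ctypes


def wipe(buf: bytearray) -> None:
    """Overwrite every byte of a bytearray with zeros at the C level.

    Works only on a writable buffer: `bytes` is immutable and cannot be wiped in place.
    """
    n = len(buf)
    if n == 0:
        return
    # Zero-copy ctypes view onto the bytearray's own storage.
    view = (ctypes.c_char * n).from_buffer(buf)
    ctypes.memset(ctypes.addressof(view), 0, n)
    del view  # release the buffer export so the bytearray can be resized or freed again


def is_wiped(buf: bytearray) -> bool:
    """True when the buffer still exists but holds only zero bytes."""
    return len(buf) > 0 and not any(buf)


class EphemeralSecret:
    """Context manager: the plaintext is usable inside the `with` block and is
    zeroed on exit, whether the provider call returned normally or raised."""

    def __init__(self, plaintext: bytes) -> None:
        # Copy into a mutable buffer we control. The caller's `plaintext` bytes
        # object is a separate allocation that this class cannot overwrite.
        self.buf = bytearray(plaintext)

    def __enter__(self) -> bytearray:
        return self.buf

    def __exit__(self, exc_type, exc, tb) -> bool:
        wipe(self.buf)
        return False  # never swallow the exception from the provider call


def call_provider_with(plaintext_key: bytes) -> int:
    """Stand-in for 'decrypt, call the provider, wipe': returns the key length
    so the caller can confirm the key was usable inside the block."""
    with EphemeralSecret(plaintext_key) as key:
        # A real call would pass the key to an HTTP client here. Prefer passing
        # the bytearray (or a memoryview of it) to avoid creating an immutable copy.
        return len(key)


if __name__ == "__main__":
    secret = EphemeralSecret(b"pm_live_EXAMPLE")  # constructed sample credential
    with secret as key:
        print("usable inside block:", bytes(key))
    print("wiped after block:", is_wiped(secret.buf))
```

The context manager is the part worth copying: putting the wipe in `__exit__` makes it run on the exception path too, which is exactly when a hurried code path tends to skip cleanup.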

What Oris does not do

Oris does not process payments. Oris does not hold funds. Oris does not require a payment license.

You maintain your own accounts with Pimlico, Circle, Turnkey, or Fireblocks. You own the provider relationship.

Oris encrypts, decrypts, and wipes your credentials on every request. That is the entire scope of BYOK key management.

Pimlico
Circle
Turnkey
Fireblocks

Start building with BYOK

Register your provider keys and deploy your first agent payment in under ten minutes.