Kubock

Security

Last updated: April 23, 2026

Kubock is a Bring Your Own Keys (BYOK) platform. You bring your own API keys for fal.ai, Google Gemini, Anthropic, OpenAI and Civitai, and generations bill directly to your accounts at each provider. This page explains how we protect those keys and what you can verify yourself.

1. How your API keys are stored

When you save a key in your profile, it travels to our server over HTTPS and is immediately encrypted with AES-256-GCM — the same symmetric cipher used by banks and government agencies. Each key gets a unique initialisation vector, so two users saving the same value produce completely different ciphertexts.

The encrypted blob, the IV and an authentication tag are the only things written to our database. Your plaintext key is never stored at rest, never written to logs, and never sent back to your browser — not even to you.

2. The master key

The secret used to encrypt and decrypt user keys (BYOK_MASTER_KEY) lives only in Vercel environment variables. It is not part of the codebase, not shipped to the browser, and not accessible from any public endpoint. Only our server-side code, running inside Vercel, can use it to decrypt a key for the duration of a single AI request.

Decryption happens in memory and is never persisted. As soon as the request to the AI provider returns, the plaintext key is discarded.

3. Where your keys are sent

Your keys are only used to authenticate calls to the provider that issued them. We never relay them to third parties, analytics tools or telemetry services. Specifically:

  • fal.ai key — used to call fal.run / fal.media only.
  • OpenAI key — used to call api.openai.com only.
  • Anthropic key — used to call api.anthropic.com only.
  • Google Gemini key — used to call generativelanguage.googleapis.com only.
  • Civitai key — used to call orchestration.civitai.com only.

You can verify this yourself — see section 8 below.

4. Authentication and access control

Kubock uses Google OAuth via NextAuth. Every API route that touches your data checks your session before responding. Every row in our database is tagged with your email and filtered on every read and write; a logged-in user cannot see or touch another user's projects, media, prompts or keys. Supabase Row Level Security is enabled on all thirteen tables.

5. Data in transit and at rest

All traffic between your browser, our servers and our providers (Vercel, Supabase, AI vendors) runs over HTTPS with TLS 1.2 or higher. Your media (images, videos, audio, voice) lives in a Supabase storage bucket and is referenced by long, unguessable random IDs — the URLs are never listed publicly and are only ever rendered inside your own session. Direct-from-browser uploads use short-lived signed tokens scoped to a single object path.

6. What we commit to

  • We will never log, store or transmit your API keys in plaintext.
  • We will never sell your data or use your content to train AI models.
  • We will never share your keys or content with third parties outside the minimum required to run the service.
  • If we ever detect a security breach that affects you, we will notify you by email within 72 hours.

These commitments are legally binding through our Privacy Policy.

7. Account deletion

When you request account deletion, we purge every row associated with your email across thirteen tables (projects, canvases, media, prompts, styles, LoRAs, checkpoints, preferences and encrypted API keys) and delete the corresponding files from storage. Residual copies in rolling backups rotate out within 30 days.

8. Verify it yourself

You do not have to trust us on any of this. You can confirm it in your browser:

  1. Open your browser's DevTools (F12) and go to the Network tab.
  2. Open your profile, paste a key and press Save.
  3. You will see a single PUT /api/user-keys request — nothing else. No third-party telemetry, no analytics ping, no background call.
  4. Refresh the page. The GET /api/user-keys response only tells you which services are configured — the key value is not returned.
  5. Launch a generation. Watch the request go to /api/ai/..., then our server calls the provider on your behalf. Your key never leaves Kubock's infrastructure in a response body.

9. Responsible disclosure

If you discover a vulnerability, please report it privately before making it public. Email support@kubock.com with a description and, if possible, steps to reproduce. We will acknowledge within 48 hours and aim to fix high-severity issues within 14 days.

A machine-readable contact is also available at /.well-known/security.txt following RFC 9116.

10. If something goes wrong

In the event of a suspected breach, we recommend you rotate the affected key at the provider's dashboard immediately (fal.ai, OpenAI, Anthropic, Google, Civitai) and then update it in your Kubock profile. Rotation at the source is the single most effective safeguard and takes less than a minute.

11. Contact

Security questions and reports: support@kubock.com or the contact form.

Privacy PolicyTerms of ServiceBack to Kubock