# Local Key Vault Your Hermes Agent API keys are the most sensitive thing MIRARI touches. Our rule is simple: > **The server never stores them.** ## Where they live Keys live in the **browser's local storage**, namespaced per connection id, behind a tiny module (`src/lib/key-vault.ts`): ```ts const NS = "mirari:key:"; export function setKey(connectionId: string, value: string) { localStorage.setItem(NS + connectionId, value); } export function getKey(connectionId: string): string | null { return localStorage.getItem(NS + connectionId); } export function hasKey(connectionId: string): boolean { return !!localStorage.getItem(NS + connectionId); } export function clearKey(connectionId: string) { localStorage.removeItem(NS + connectionId); } ``` ## The lifecycle of a key 1. You paste it into the Settings form. 2. `setKey(connectionId, value)` writes it to local storage. 3. Whenever you send a chat turn or hit **Test**, the page reads it back with `getKey()` and passes it as an argument to the relevant server function. 4. The server function uses it **once**, in-memory, to call your Hermes Agent endpoint. The key is never written to any database, log, or trace. 5. Clearing the key (or signing out and revoking the browser's storage) is the only way to "rotate" — there is no server copy to scrub. ## Implications * **Multi-device** is by design *not* automatic. If you sign in from a new browser, you'll see your bindings (because metadata is in the DB) but you'll need to re-paste keys. We consider that the right tradeoff. * **No server-side cron** can call your Hermes Agent for you, because the server doesn't have the secret. Anything that needs the key has to be triggered from a tab that has it. * **Local-only providers** (e.g. an Ollama on `localhost:11434` with no auth) can leave the key field blank. ## What the server *does* see When you send a turn, the server function receives the key as a function argument inside a request body. It is held in a local variable for the duration of the outbound `fetch`, then dropped. It is not persisted, not logged, and not echoed back. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://entermirari.gitbook.io/entermirari-docs/architecture/key-vault.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.