BenchmarksStack Ranking
H33-VaultH33-ShareH33-ShieldH33-HealthH33-KeyH33-128H33-CKKSH33-256H33-FHE-IQFHE OverviewH33-CompileZK LookupsBiometricsH33-3-KeyH33-MPCZK-TrustlessZK-PhishZK-VerifyPQC ArchitecturePQ VideoStorage EncryptionAI DetectionEncrypted Search
APIsPricingDocsWhite PaperTokenBlogAboutSecurity Demo
Log InGet API Key

Your infrastructure touches every API key in plaintext. H33-Gateway makes that impossible.

Every API call to Stripe, AWS, Twilio, SendGrid — your servers hold plaintext credentials in memory. One memory dump, one compromised dependency, one misconfigured log, and those keys are exposed. Vaults protect storage. VPNs protect the network. But the moment the key is actually used — the API call itself — the credential is naked in your application memory.

H33-Gateway runs API calls inside a Trusted Execution Environment. Your encrypted key goes in. The plaintext exists only inside the secure enclave. The response comes back. Your infrastructure never touches the raw credential.

Start Building

VPNs protect the network. Vaults protect storage. But nothing protects the moment a key is actually used — the API call itself. Your application decrypts the credential, loads it into memory, attaches it to an HTTP header, and sends it over the wire. For that entire window, the plaintext exists in your infrastructure. H33-Gateway closes that gap. The credential is decrypted inside a hardware-isolated enclave, the API call is made from within the TEE, and the response is returned encrypted. Your servers never see the raw key.

Zero-exposure API calls. Post-quantum encrypted transit.

Here’s what happens when you proxy an API call through H33-Gateway.

Step 01 — Configure Target
Register Your Third-Party API
Register your third-party API endpoint — Stripe, AWS, any REST API. Set the base URL, auth header template, allowed paths, and rate limits. One-time setup, zero units consumed. Gateway stores the target configuration, not the credential itself.
Register your third-party API endpoint — Stripe, AWS, any REST API. Set the base URL, auth header template, allowed paths, and rate limits. One-time setup, zero units consumed. Gateway stores the target configuration, not the credential itself.
Step 02 — Encrypt Your Credential
Kyber-1024 Key Encapsulation
Use H33-Key to encrypt your API key with Kyber-1024. You get back a key_id (hk_...) — a reference, not the key itself. Store the key_id anywhere. It’s useless without H33 decryption. Even a quantum computer can’t derive the original credential from the key_id.
Use H33-Key to encrypt your API key with Kyber-1024. You get back a key_id (hk_...) — a reference, not the key itself. Store the key_id anywhere. It’s useless without H33 decryption. Even a quantum computer can’t derive the original credential from the key_id.
Step 03 — Proxy Through TEE
Hardware-Isolated API Execution
Send your API request to H33-Gateway with the key_id. Inside the TEE, the key is decrypted, the API call is made, and the response is returned. The plaintext credential exists only inside the hardware-isolated enclave. Your servers, our servers, no one outside the TEE ever sees it.
Send your API request to H33-Gateway with the key_id. Inside the TEE, the key is decrypted, the API call is made, and the response is returned. The plaintext credential exists only inside the hardware-isolated enclave. Your servers, our servers, no one outside the TEE ever sees it.
Step 04 — Audit & Compliance
Dilithium-Signed Audit Trail
Every proxied call is logged with a Dilithium-signed audit trail. Tamper-proof evidence of what was accessed, when, and by whom — without revealing the credential itself. Post-quantum signatures that satisfy SOC 2, PCI DSS, and HIPAA logging requirements.
Every proxied call is logged with a Dilithium-signed audit trail. Tamper-proof evidence of what was accessed, when, and by whom — without revealing the credential itself. Post-quantum signatures that satisfy SOC 2, PCI DSS, and HIPAA logging requirements.
< 50 ms
full encrypt + TEE decrypt + proxy + sign per operation

Kyber-1024 decapsulation + TEE execution + third-party API call + Dilithium audit signature — added overhead under 50ms.

Plaintext exists only inside TEE — never in your infrastructure.

CLIENT  Encrypt key_id + request payload
TRANSIT  Kyber-1024 encrypted envelope (post-quantum safe)
TEE  Decrypt key, execute API call inside enclave
RESPONSE  Encrypted response returned, key destroyed
AUDIT  Dilithium-signed transaction log
Total: —
Gateway Pipeline

Every integration point is an exposure point. Until now.

Payment Processing
Proxy Stripe, Adyen, Square API calls. Your payment processor credentials never exist in your application memory. PCI DSS scope reduction — the credential never touches your cardholder data environment.
Healthcare / HIPAA
EHR integrations, lab APIs, pharmacy systems. PHI-adjacent credentials protected by hardware isolation. Dilithium audit satisfies HIPAA 164.312(b) access logging requirements.
Multi-Cloud
AWS, GCP, Azure service credentials proxied through TEE. Rotate cloud keys without redeploying. Cross-cloud credential isolation — no single infrastructure layer holds all your cloud access keys.
Third-Party SaaS
Twilio, SendGrid, Salesforce, any REST API. Every integration point is a potential exposure. Gateway eliminates the exposure window entirely — credentials go from encrypted storage to TEE to API call without ever existing in your code.

Choose your isolation level.

Gateway-0
15 units per operation
Kyber-1024 encrypted transit. Single API target. Basic audit log.
<25K units$0.90
25K–250K$0.60
250K–2.5M$0.375
2.5M–25M$0.18
25M+$0.09
Get Started
Gateway-1
25 units per operation
+ TEE isolation. Rate limiting per target. Dilithium-signed audit trail.
<25K units$1.50
25K–250K$1.00
250K–2.5M$0.625
2.5M–25M$0.30
25M+$0.15
Get Started
Gateway-2
35 units per operation
+ Multi-target routing. Encrypted response channel. Compliance reports.
<25K units$2.10
25K–250K$1.40
250K–2.5M$0.875
2.5M–25M$0.42
25M+$0.21
Get Started

Volume Unit Pricing

Monthly Volume $/Unit Gateway-0 (15u) Gateway-1 (25u) Gateway-2 (35u)
<25K units $0.060 $0.90 $1.50 $2.10
25K–250K $0.040 $0.60 $1.00 $1.40
250K–2.5M $0.025 $0.375 $0.625 $0.875
2.5M–25M $0.012 $0.18 $0.30 $0.42
25M+ $0.006 $0.09 $0.15 $0.21

How Gateway compares

H33-Gateway Direct API Call Secrets Manager + Call HSM + Call
Plaintext in app memory Never Always During call During call
Post-quantum transit Kyber-1024 No No No
Hardware isolation TEE enclave No No HSM only (no proxy)
Audit trail Dilithium-signed App logs CloudTrail HSM logs
Credential rotation Zero-downtime Redeploy Redeploy Redeploy
Added latency <50ms 0ms ~5ms ~10ms

All units fungible — same balance as H33-Auth, H33-Vault, H33-Key, H33-Shield, and H33-Share.

Frequently Asked Questions

How does H33-Gateway differ from a standard API proxy?
Standard API proxies handle API keys in plaintext memory. H33-Gateway runs inside a Trusted Execution Environment (TEE) where your plaintext API key exists only within a hardware-isolated enclave. Even the host operating system cannot read the key from TEE memory.
What is a Trusted Execution Environment (TEE)?
A TEE is a hardware-enforced secure enclave (such as Intel SGX or ARM TrustZone) that isolates code and data from the rest of the system. Memory inside the TEE is encrypted by the CPU. Even a root-level compromise of the host cannot access TEE-protected data.
Does my plaintext API key ever leave the TEE?
No. Your API key is decrypted inside the TEE, used to make the outbound API call, and never written to disk or exposed to host memory. The key is Zeroize-on-drop within the TEE, meaning it is cryptographically wiped from enclave memory after each request.
What is the latency overhead of TEE proxying?
The TEE proxying adds approximately 1-3 milliseconds of overhead per request. This covers TEE entry, key decryption, API call construction, and Dilithium attestation of the request event. For most API calls, this overhead is negligible compared to network round-trip time.
Can H33-Gateway forward to multiple API targets?
Yes. You can configure multiple target endpoints with separate encrypted API keys. H33-Gateway routes requests based on path prefix or custom headers. Each target key is independently encrypted and isolated within the TEE.
How does the Dilithium audit trail protect against insider threats?
Every API call proxied through H33-Gateway produces a Dilithium (ML-DSA) signed attestation recording the timestamp, target endpoint, request hash, and TEE attestation proof. An insider cannot make unauthorized API calls without generating a tamper-proof audit record.
Is the TEE attestation verifiable by third parties?
Yes. H33-Gateway generates remote attestation proofs that can be independently verified by any party. The attestation proves that the correct code is running inside a genuine TEE, and that the API key was handled according to the security policy. No trust in H33 is required.
What happens if the TEE hardware is compromised?
TEE compromise is an extremely high-difficulty attack requiring physical access to the CPU. In the event of a TEE breach, the Dilithium audit trail would show anomalous request patterns. API keys can be rotated instantly via the management API. The Gateway supports automatic key rotation on compromise detection.
Can I route different API keys to different targets?
Yes. H33-Gateway supports multi-key, multi-target routing. Each API key is independently encrypted with Kyber (ML-KEM) and stored in the TEE key store. Routing rules map request paths or headers to specific key-target pairs. Key isolation is enforced at the TEE level.
How does H33-Gateway handle API rate limits and retries?
H33-Gateway respects upstream rate limit headers (429 responses, Retry-After, X-RateLimit-Remaining). It implements exponential backoff with jitter for retries. Rate limit state is tracked per-target within the TEE. All retry events are included in the Dilithium audit attestation.
TECHNICAL DEEP DIVES

Go Deeper

🔒 API SECURITY
Quantum-Safe API Security
Every API call through H33-Gateway runs inside a TEE with Kyber-1024 transit encryption. Here's the security model.
Read Full Article →
🛡️ ZERO TRUST
Zero Trust Architecture Guide
Never trust, always verify, always encrypt. How encrypted API gateways fit into zero-trust infrastructure.
Read Full Article →
🔑 KYBER
CRYSTALS-Kyber: Post-Quantum Key Exchange
H33-Gateway uses Kyber-1024 for all credential transit. Understand the lattice math that makes it quantum-safe.
Read Full Article →

Stop Exposing Your Credentials

Get API Key

From 15 units per operation. Volume discounts from $0.09/call.