API Key Security

Your API keys never leave your machine. QARK stores them locally with AES-256 encryption — no cloud storage, no user accounts, no telemetry.

  • AES-256 encryption at rest — every key is encrypted before it touches disk. Keys exist in plaintext only in memory while QARK is running.
  • No cloud storage — keys live on your local filesystem. QARK has no server, no sync service, no remote database.
  • No accounts — QARK does not require registration or login. No user account exists that could be compromised.
  • No telemetry — QARK sends no usage data, analytics, or diagnostics. Keys and conversations stay on your device.

When you enter an API key, QARK tests it against the provider’s API before saving:

  • Key format correctness (prefix, length, character set)
  • Authentication against the provider’s endpoint
  • Permission level and model availability

If the key is invalid, expired, or lacks required permissions, QARK rejects it with a specific error — you find out immediately, not mid-conversation.

To replace a key:

  1. Open Settings → Providers → [Provider].
  2. Enter the new key.
  3. QARK validates it against the provider.
  4. On success, the old key is discarded and the new key is encrypted and stored.

The old key is overwritten — QARK does not retain previous keys.
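
The replace flow above (validate first, then overwrite the single stored record), sketched as an added example that is not QARK's code. The GCM mode, the `dk-` format rule for a made-up `demo` provider, the `Map` standing in for the on-disk store, the random in-memory encryption key, and the synchronous provider stub are all assumptions chosen so the example runs offline.

```javascript
const crypto = require('node:crypto');

// Assumption: illustrative format rule for a made-up "demo" provider.
const FORMAT = { demo: /^dk-[A-Za-z0-9]{24}$/ };

// AES-256-GCM (the mode is an assumption; the page says only "AES-256").
// Record layout: 12-byte nonce | 16-byte auth tag | ciphertext.
function seal(kek, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(kek, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', kek, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the stored record was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// store: Map standing in for the encrypted file on disk (hypothetical).
// checkWithProvider: injected stub; a real check is an async HTTPS call.
function replaceKey(store, kek, provider, newKey, checkWithProvider) {
  const rule = FORMAT[provider];
  if (!rule || !rule.test(newKey)) {
    return { ok: false, error: 'format' }; // rejected before any network call
  }
  const res = checkWithProvider(provider, newKey); // authentication + permissions
  if (!res.ok) {
    return { ok: false, error: res.error }; // existing record left untouched
  }
  store.set(provider, seal(kek, newKey)); // one record per provider: old key is gone
  return { ok: true };
}

// Constructed demo values, not real keys.
const kek = crypto.randomBytes(32);
const store = new Map();
const stubProvider = (p, k) =>
  k.endsWith('X') ? { ok: false, error: 'auth' } : { ok: true };

console.log(replaceKey(store, kek, 'demo', 'dk-' + 'a'.repeat(24), stubProvider));
console.log(replaceKey(store, kek, 'demo', 'too-short', stubProvider));
```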

  • Use a dedicated key for QARK — separate from keys in other tools. This gives you per-application usage tracking on the provider’s dashboard and lets you revoke the QARK key without disrupting other integrations.
  • Set provider-side spending limits — most providers (OpenAI, Anthropic, Google) let you cap monthly spend per key. Set a limit that matches your expected usage so a compromised key cannot run up an unbounded bill. You can also set limits inside QARK — see Budget Management.
  • Rotate keys periodically — replace keys on a regular schedule (e.g., every 90 days) even without reason to suspect compromise.
  • Revoke immediately if compromised — revoke the key on the provider’s dashboard first, then replace it in QARK. Revoking at the provider is what actually disables the key; removing it from QARK alone is not sufficient.

| Data | Location |
|------|----------|
| API keys | Local disk, AES-256 encrypted |
| Conversations and messages | Local SQLite database |
| Prompts, agents, flows | Local SQLite database |
| Documents and embeddings | Local vector store |
| MCP HTTP headers | Local disk, encrypted |
| Usage and cost data | Local SQLite database |
| Anything sent to QARK servers | Nothing — there are no QARK servers |