Decrypt provider API keys using X25519 sealed box encryption and challenge-response authentication

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mzai from gravatar.com mzai

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Requires: Python >=3.11
Report project as malware

Project description

Provider Key Decrypter

Python package to decrypt provider API keys using X25519 sealed box encryption and challenge-response authentication with the ANY LLM backend.

Installation

Install from PyPI:

pip install any-llm-platform-client

Or install from source:

git clone https://github.com/mozilla-ai/any-api-decrypter-cli
cd any-api-decrypter-cli
pip install -e .

Development

For development mode using uv:

git clone https://github.com/mozilla-ai/any-api-decrypter-cli
cd any-api-decrypter-cli
uv sync --dev
uv run pre-commit install
uv run any-llm <provider>

Or enter a shell environment:

uv sync
uv venv
source .venv/bin/activate  # or: .\.venv\Scripts\activate on Windows
any-llm <provider>

Usage

Command Line Interface

Interactive mode (prompts for provider):

export ANY_LLM_KEY='ANY.v1.<kid>.<fingerprint>-<base64_key>'
any-llm

Direct mode (specify provider as argument):

any-llm openai

Configuring the API Base URL

By default, the client connects to http://localhost:8000/api/v1. To change this, instantiate AnyLLMPlatformClient with a custom any_llm_platform_url or set the attribute directly:

from any_llm_platform_client.client import AnyLLMPlatformClient

# Create a client that talks to a different backend
client = AnyLLMPlatformClient(any_llm_platform_url="https://api.example.com/v1")

# Now calls on `client` will use the configured base URL
challenge_data = client.create_challenge(public_key)

Or set the environment variable before running the CLI. The CLI will use the first defined of --api-base-url or ANY_LLM_PLATFORM_URL.

# Example: temporarily point CLI to a staging backend
export ANY_LLM_PLATFORM_URL="https://staging-api.example.com/v1"
any-llm openai

As a Python Library

Simple Usage (Recommended)

from any_llm_platform_client import AnyLLMPlatformClient

# Create client
client = AnyLLMPlatformClient()

# Get decrypted provider key with metadata in one call
any_llm_key = "ANY.v1.12345678.abcdef01-YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3OA=="
result = client.get_decrypted_provider_key(any_llm_key, provider="openai")

# Access the decrypted API key and metadata
print(f"API Key: {result.api_key}")
print(f"Provider Key ID: {result.provider_key_id}")
print(f"Project ID: {result.project_id}")
print(f"Provider: {result.provider}")
print(f"Created At: {result.created_at}")

Advanced Usage (Manual Steps)

For more control over the authentication flow:

from any_llm_platform_client import (
    parse_any_llm_key,
    load_private_key,
    extract_public_key,
)
from any_llm_platform_client.client import AnyLLMPlatformClient

# Parse the key
any_llm_key = "ANY.v1...."
key_components = parse_any_llm_key(any_llm_key)

# Load private key
private_key = load_private_key(key_components.base64_encoded_private_key)

# Extract public key
public_key = extract_public_key(private_key)

# Authenticate with challenge-response using the client
client = AnyLLMPlatformClient()
challenge_data = client.create_challenge(public_key)
solved_challenge = client.solve_challenge(challenge_data["encrypted_challenge"], private_key)

# Fetch and decrypt provider key
provider_key_data = client.fetch_provider_key("openai", public_key, solved_challenge)
api_key = client.decrypt_provider_key_value(provider_key_data["encrypted_key"], private_key)

print(f"API Key: {api_key}")

Async Usage

import asyncio
from any_llm_platform_client import AnyLLMPlatformClient

async def main():
    client = AnyLLMPlatformClient()
    any_llm_key = "ANY.v1...."
    result = await client.aget_decrypted_provider_key(any_llm_key, provider="openai")
    print(f"API Key: {result.api_key}")
    print(f"Provider Key ID: {result.provider_key_id}")

asyncio.run(main())

How It Works

  1. The script/library extracts the X25519 private key from your ANY_LLM_KEY
  2. Derives the public key and sends it to create an authentication challenge
  3. The backend returns an encrypted challenge
  4. Decrypts the challenge UUID using your private key
  5. Uses the solved challenge to authenticate and fetch the encrypted provider key
  6. Decrypts the provider API key using your private key

Requirements

  • Python 3.11+
  • PyNaCl (for X25519 sealed box encryption/decryption)
  • requests (for API calls)

ANY_LLM_KEY Format

ANY.v1.<kid>.<fingerprint>-<base64_32byte_private_key>

Generate your ANY_LLM_KEY from the project page in the web UI.

Security Notes

  • The private key from your ANY_LLM_KEY is highly sensitive and should never be logged or transmitted over insecure channels
  • This package uses X25519 sealed box encryption with XChaCha20-Poly1305 for strong cryptographic guarantees

Development

Run tests:

uv run pytest

Run tests with coverage:

uv run pytest --cov=src/any_llm_platform_client

Run linting:

uv run pre-commit run --all-files

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mzai from gravatar.com mzai

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Requires: Python >=3.11

Release history Release notifications | RSS feed

0.4.0

0.3.0

0.2.2

0.2.1

This version

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

any_llm_platform_client-0.2.0.tar.gz (80.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

any_llm_platform_client-0.2.0-py3-none-any.whl (16.0 kB view details)

Uploaded Python 3

File details

Details for the file any_llm_platform_client-0.2.0.tar.gz.

File metadata

  • Download URL: any_llm_platform_client-0.2.0.tar.gz
  • Upload date:
  • Size: 80.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for any_llm_platform_client-0.2.0.tar.gz
Algorithm Hash digest
SHA256 0870e16b6d203699a9653d5c8ced155295d8125bdfe3ab05b8bdacf01c1ceb46
MD5 62e0755e4881f49bdcfa85dce7c626d0
BLAKE2b-256 fa9b1b66cb7ed99fbad810518cf0a0d89c0f721f50031b1b6eaffc307a10a74e

See more details on using hashes here.

Provenance

The following attestation bundles were made for any_llm_platform_client-0.2.0.tar.gz:

Publisher: publish.yml on mozilla-ai/any-llm-platform-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file any_llm_platform_client-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for any_llm_platform_client-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 560c0deb3297f1edb5724bce1358361f3b48d14a11ac7830e060b440bc58b6f8
MD5 32f4797601feaf51d3da616b0779abe6
BLAKE2b-256 57c55f8c8dd438ce7d20274829fe49778c94dcb1e63f277ed68eb6f500e02a0c

See more details on using hashes here.

Provenance

The following attestation bundles were made for any_llm_platform_client-0.2.0-py3-none-any.whl:

Publisher: publish.yml on mozilla-ai/any-llm-platform-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page