Decrypt provider API keys using X25519 sealed box encryption and challenge-response authentication

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mzai from gravatar.com mzai

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Requires: Python >=3.11
Report project as malware

Project description

Provider Key Decrypter

Python package to decrypt provider API keys using X25519 sealed box encryption and challenge-response authentication with the ANY LLM backend.

Installation

Install from PyPI:

pip install any-llm-platform-client

Or install from source:

git clone https://github.com/mozilla-ai/any-api-decrypter-cli
cd any-api-decrypter-cli
pip install -e .

Development

For development mode using uv:

git clone https://github.com/mozilla-ai/any-api-decrypter-cli
cd any-api-decrypter-cli
uv sync --dev
uv run pre-commit install
uv run any-llm <provider>

Or enter a shell environment:

uv sync
uv venv
source .venv/bin/activate  # or: .\.venv\Scripts\activate on Windows
any-llm <provider>

Usage

Command Line Interface

Interactive mode (prompts for provider):

export ANY_LLM_KEY='ANY.v1.<kid>.<fingerprint>-<base64_key>'
any-llm

Direct mode (specify provider as argument):

any-llm openai

Configuring the API Base URL

By default, the client connects to http://localhost:8000/api/v1. To change this, instantiate AnyLLMPlatformClient with a custom any_llm_platform_url or set the attribute directly:

from any_llm_platform_client.client import AnyLLMPlatformClient

# Create a client that talks to a different backend
client = AnyLLMPlatformClient(any_llm_platform_url="https://api.example.com/v1")

# Now calls on `client` will use the configured base URL
challenge_data = client.create_challenge(public_key)

Or set the environment variable before running the CLI. The CLI will use the first defined of --api-base-url or ANY_LLM_PLATFORM_URL.

# Example: temporarily point CLI to a staging backend
export ANY_LLM_PLATFORM_URL="https://staging-api.example.com/v1"
any-llm openai

As a Python Library

Simple Usage (Recommended)

from any_llm_platform_client import AnyLLMPlatformClient

# Create client
client = AnyLLMPlatformClient()

# Get decrypted provider key with metadata in one call
any_llm_key = "ANY.v1.12345678.abcdef01-YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3OA=="
result = client.get_decrypted_provider_key(any_llm_key, provider="openai")

# Access the decrypted API key and metadata
print(f"API Key: {result.api_key}")
print(f"Provider Key ID: {result.provider_key_id}")
print(f"Project ID: {result.project_id}")
print(f"Provider: {result.provider}")
print(f"Created At: {result.created_at}")

Advanced Usage (Manual Steps)

For more control over the authentication flow:

from any_llm_platform_client import (
    parse_any_llm_key,
    load_private_key,
    extract_public_key,
)
from any_llm_platform_client.client import AnyLLMPlatformClient

# Parse the key
any_llm_key = "ANY.v1...."
key_components = parse_any_llm_key(any_llm_key)

# Load private key
private_key = load_private_key(key_components.base64_encoded_private_key)

# Extract public key
public_key = extract_public_key(private_key)

# Authenticate with challenge-response using the client
client = AnyLLMPlatformClient()
challenge_data = client.create_challenge(public_key)
solved_challenge = client.solve_challenge(challenge_data["encrypted_challenge"], private_key)

# Fetch and decrypt provider key
provider_key_data = client.fetch_provider_key("openai", public_key, solved_challenge)
api_key = client.decrypt_provider_key_value(provider_key_data["encrypted_key"], private_key)

print(f"API Key: {api_key}")

Async Usage

import asyncio
from any_llm_platform_client import AnyLLMPlatformClient

async def main():
    client = AnyLLMPlatformClient()
    any_llm_key = "ANY.v1...."
    result = await client.aget_decrypted_provider_key(any_llm_key, provider="openai")
    print(f"API Key: {result.api_key}")
    print(f"Provider Key ID: {result.provider_key_id}")

asyncio.run(main())

How It Works

  1. The script/library extracts the X25519 private key from your ANY_LLM_KEY
  2. Derives the public key and sends it to create an authentication challenge
  3. The backend returns an encrypted challenge
  4. Decrypts the challenge UUID using your private key
  5. Uses the solved challenge to authenticate and fetch the encrypted provider key
  6. Decrypts the provider API key using your private key

Requirements

  • Python 3.11+
  • PyNaCl (for X25519 sealed box encryption/decryption)
  • requests (for API calls)

ANY_LLM_KEY Format

ANY.v1.<kid>.<fingerprint>-<base64_32byte_private_key>

Generate your ANY_LLM_KEY from the project page in the web UI.

Security Notes

  • The private key from your ANY_LLM_KEY is highly sensitive and should never be logged or transmitted over insecure channels
  • This package uses X25519 sealed box encryption with XChaCha20-Poly1305 for strong cryptographic guarantees

Development

Run tests:

uv run pytest

Run tests with coverage:

uv run pytest --cov=src/any_llm_platform_client

Run linting:

uv run pre-commit run --all-files

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mzai from gravatar.com mzai

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Requires: Python >=3.11

Release history Release notifications | RSS feed

0.4.0

0.3.0

This version

0.2.2

0.2.1

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

any_llm_platform_client-0.2.2.tar.gz (80.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

any_llm_platform_client-0.2.2-py3-none-any.whl (16.3 kB view details)

Uploaded Python 3

File details

Details for the file any_llm_platform_client-0.2.2.tar.gz.

File metadata

  • Download URL: any_llm_platform_client-0.2.2.tar.gz
  • Upload date:
  • Size: 80.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for any_llm_platform_client-0.2.2.tar.gz
Algorithm Hash digest
SHA256 57bfa9d7653af5221b3ea25d2fcfb5eeb798afa3b5eb1cb89738d2ce36d28820
MD5 cc68266e7b5032cb852ded4f42a2fad2
BLAKE2b-256 d255e0c2184ece901a9472ede034e5b37bb6b4b8967e7c67cfc7cacf06a45f5e

See more details on using hashes here.

Provenance

The following attestation bundles were made for any_llm_platform_client-0.2.2.tar.gz:

Publisher: publish.yml on mozilla-ai/any-llm-platform-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file any_llm_platform_client-0.2.2-py3-none-any.whl.

File metadata

File hashes

Hashes for any_llm_platform_client-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 44c2ddc173b4541154f3c2414edcf62b554058e38f9433954c4f230547e89855
MD5 904a06aeb82124870c30dae8ec2106ac
BLAKE2b-256 bb5c6168dfce60b579a9c9f37342c3140e387075751373d673693bd123a2c8d9

See more details on using hashes here.

Provenance

The following attestation bundles were made for any_llm_platform_client-0.2.2-py3-none-any.whl:

Publisher: publish.yml on mozilla-ai/any-llm-platform-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page