Decrypt provider API keys using X25519 sealed box encryption and challenge-response authentication

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mzai from gravatar.com mzai

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Requires: Python >=3.11
Report project as malware

Project description

Provider Key Decrypter

Python package to decrypt provider API keys using X25519 sealed box encryption and challenge-response authentication with the ANY LLM backend.

Installation

Install from PyPI:

pip install any-llm-platform-client

Or install from source:

git clone https://github.com/mozilla-ai/any-api-decrypter-cli
cd any-api-decrypter-cli
pip install -e .

Development

For development mode using uv:

git clone https://github.com/mozilla-ai/any-api-decrypter-cli
cd any-api-decrypter-cli
uv sync --dev
uv run pre-commit install
uv run any-llm <provider>

Or enter a shell environment:

uv sync
uv venv
source .venv/bin/activate  # or: .\.venv\Scripts\activate on Windows
any-llm <provider>

Usage

Command Line Interface

Interactive mode (prompts for provider):

export ANY_LLM_KEY='ANY.v1.<kid>.<fingerprint>-<base64_key>'
any-llm

Direct mode (specify provider as argument):

any-llm openai

Configuring the API Base URL

By default, the client connects to http://localhost:8000/api/v1. To change this, instantiate AnyLLMPlatformClient with a custom any_llm_platform_url or set the attribute directly:

from any_llm_platform_client.client import AnyLLMPlatformClient

# Create a client that talks to a different backend
client = AnyLLMPlatformClient(any_llm_platform_url="https://api.example.com/v1")

# Now calls on `client` will use the configured base URL
challenge_data = client.create_challenge(public_key)

Or set the environment variable before running the CLI. The CLI will use the first defined of --api-base-url or ANY_LLM_PLATFORM_URL.

# Example: temporarily point CLI to a staging backend
export ANY_LLM_PLATFORM_URL="https://staging-api.example.com/v1"
any-llm openai

As a Python Library

Simple Usage (Recommended)

from any_llm_platform_client import AnyLLMPlatformClient

# Create client
client = AnyLLMPlatformClient()

# Get decrypted provider key with metadata in one call
any_llm_key = "ANY.v1.12345678.abcdef01-YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3OA=="
result = client.get_decrypted_provider_key(any_llm_key, provider="openai")

# Access the decrypted API key and metadata
print(f"API Key: {result.api_key}")
print(f"Provider Key ID: {result.provider_key_id}")
print(f"Project ID: {result.project_id}")
print(f"Provider: {result.provider}")
print(f"Created At: {result.created_at}")

Advanced Usage (Manual Steps)

For more control over the authentication flow:

from any_llm_platform_client import (
    parse_any_llm_key,
    load_private_key,
    extract_public_key,
)
from any_llm_platform_client.client import AnyLLMPlatformClient

# Parse the key
any_llm_key = "ANY.v1...."
key_components = parse_any_llm_key(any_llm_key)

# Load private key
private_key = load_private_key(key_components.base64_encoded_private_key)

# Extract public key
public_key = extract_public_key(private_key)

# Authenticate with challenge-response using the client
client = AnyLLMPlatformClient()
challenge_data = client.create_challenge(public_key)
solved_challenge = client.solve_challenge(challenge_data["encrypted_challenge"], private_key)

# Fetch and decrypt provider key
provider_key_data = client.fetch_provider_key("openai", public_key, solved_challenge)
api_key = client.decrypt_provider_key_value(provider_key_data["encrypted_key"], private_key)

print(f"API Key: {api_key}")

Async Usage

import asyncio
from any_llm_platform_client import AnyLLMPlatformClient

async def main():
    client = AnyLLMPlatformClient()
    any_llm_key = "ANY.v1...."
    result = await client.aget_decrypted_provider_key(any_llm_key, provider="openai")
    print(f"API Key: {result.api_key}")
    print(f"Provider Key ID: {result.provider_key_id}")

asyncio.run(main())

How It Works

  1. The script/library extracts the X25519 private key from your ANY_LLM_KEY
  2. Derives the public key and sends it to create an authentication challenge
  3. The backend returns an encrypted challenge
  4. Decrypts the challenge UUID using your private key
  5. Uses the solved challenge to authenticate and fetch the encrypted provider key
  6. Decrypts the provider API key using your private key

Requirements

  • Python 3.11+
  • PyNaCl (for X25519 sealed box encryption/decryption)
  • requests (for API calls)

ANY_LLM_KEY Format

ANY.v1.<kid>.<fingerprint>-<base64_32byte_private_key>

Generate your ANY_LLM_KEY from the project page in the web UI.

Security Notes

  • The private key from your ANY_LLM_KEY is highly sensitive and should never be logged or transmitted over insecure channels
  • This package uses X25519 sealed box encryption with XChaCha20-Poly1305 for strong cryptographic guarantees

Development

Run tests:

uv run pytest

Run tests with coverage:

uv run pytest --cov=src/any_llm_platform_client

Run linting:

uv run pre-commit run --all-files

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mzai from gravatar.com mzai

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Requires: Python >=3.11

Release history Release notifications | RSS feed

0.4.0

This version

0.3.0

0.2.2

0.2.1

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

any_llm_platform_client-0.3.0.tar.gz (80.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

any_llm_platform_client-0.3.0-py3-none-any.whl (16.3 kB view details)

Uploaded Python 3

File details

Details for the file any_llm_platform_client-0.3.0.tar.gz.

File metadata

  • Download URL: any_llm_platform_client-0.3.0.tar.gz
  • Upload date:
  • Size: 80.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for any_llm_platform_client-0.3.0.tar.gz
Algorithm Hash digest
SHA256 46b7ffd589fd94804ce677c045b0ab180979f0b01ccb8efbcbbc91e14ba1de84
MD5 d99085f2a099723d45d21663319108b1
BLAKE2b-256 fbeb89e99366cb4a12c569c7ede355c7a7b396621b0d78ffde5085141982ee22

See more details on using hashes here.

Provenance

The following attestation bundles were made for any_llm_platform_client-0.3.0.tar.gz:

Publisher: publish.yml on mozilla-ai/any-llm-platform-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file any_llm_platform_client-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for any_llm_platform_client-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7ad9ad99449affa4657500ee20cb774786fd61f409017d3684ac8a6cb215359d
MD5 aec871916fee44b1c4ab12596f8e0202
BLAKE2b-256 e1f2a9161164e65f3685fe2e7bea006c4238afdd81f839c9d068e78f4ec0c1b1

See more details on using hashes here.

Provenance

The following attestation bundles were made for any_llm_platform_client-0.3.0-py3-none-any.whl:

Publisher: publish.yml on mozilla-ai/any-llm-platform-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page