Arlopass

AI wallet that lets web apps use your models, not your keys

2026-03-31

Product Introduction

  1. Definition: Arlopass is an open-source browser extension and developer SDK (Software Development Kit) designed to act as a secure, local-first middleware for Large Language Model (LLM) providers. It functions as a "Credential Vault" and "AI Router" that enables web applications to interface with third-party AI APIs—such as OpenAI, Anthropic, and local Ollama instances—without the application ever having direct access to the user's secret API keys.

  2. Core Value Proposition: Arlopass exists to solve the fundamental security risk of API key leakage and the lack of user agency in the current AI landscape. By implementing a "Bring Your Own Key" (BYOK) architecture, it empowers users to maintain absolute control over their AI consumption and privacy while providing developers with a 10-line integration path that eliminates the need for expensive backend proxies, complex key management systems, and server-side credential storage.

Main Features

  1. Encrypted Local Credential Vault: Arlopass utilizes industry-standard AES-256-GCM encryption to secure API credentials directly on the user's device. Unlike traditional "AI Gateways" that store keys in the cloud, Arlopass integrates with native OS-level keychains, including Windows Credential Manager, macOS Keychain, and the Linux Secret Service. This ensures that sensitive tokens for Claude, GPT, or AWS Bedrock never enter the browser's insecure local storage or transit to an external server.

  2. Granular Permission & Governance Engine: The extension features a comprehensive policy-based governance system. Users can set per-app permissions, including "Autopilot mode" for consecutive AI calls, daily token consumption limits, and specific model restrictions. Every request is transparently routed through the Arlopass interface, allowing users to see the exact prompt being sent and the model responding, complete with Ed25519-signed policy bundles and JSONL audit trails for enterprise-grade compliance.

  3. Multi-Provider Unified SDK: The @arlopass/web-sdk provides a standardized TypeScript interface for developers. It supports streaming responses via async iterators and Zod-validated schemas. This abstraction layer allows a web app to support dozens of providers—including OpenAI, Anthropic Claude, Google Gemini, Amazon Bedrock, Google Vertex AI, Perplexity, and local providers like Ollama and LM Studio—with a single code implementation. When a user switches models or providers, the underlying application code requires zero modifications.

Problems Solved

  1. Pain Point: Security Vulnerabilities and Key Leakage: Developers often inadvertently expose API keys through client-side code, server logs, or misconfigured .env files. Arlopass eliminates this attack surface entirely by keeping credentials on the user's machine. The web app only receives the final AI response, never the authorization header or the secret key itself.

  2. Target Audience:

    • Frontend & Full-stack Developers: Those looking to integrate AI features without the overhead of building backend proxy servers or managing user quotas.
    • Privacy-Conscious Power Users: Individuals who want to use AI-powered web tools but refuse to trust third-party sites with their expensive or sensitive API credentials.
    • Local AI Enthusiasts: Users of Ollama or LM Studio who want to use their local hardware to power web-based productivity tools for zero-latency, zero-cost, and offline AI processing.
    • Enterprise Teams: Organizations requiring strict governance and audit trails of how employees use AI across various web platforms.

  3. Use Cases:

    • AI-Enhanced Productivity Tools: Adding AI-driven flowchart generation or text summarization to a whiteboard app (e.g., Excalimate) without the app developer paying for the user's tokens.
    • Sensitive Data Analysis: Using a web-based data visualization tool while routing all prompts to a local Ollama instance via Arlopass to ensure data never leaves the local network.
    • Cost-Efficient SaaS Development: Creating "Lite" versions of software where users bring their own AI subscriptions, removing the provider's infrastructure costs and enabling free-to-use tiers.

Unique Advantages

  1. Differentiation: Traditional AI integration methods require either insecure client-side key entry (pasting keys into text boxes) or complex server-side proxies. Arlopass introduces a third way: a browser-level "Native Bridge." This allows the extension to inject credentials at the last millisecond of the network request, maintaining the security of a backend with the simplicity of a client-side library.

  2. Key Innovation: The "Zero Cloud Dependency" architecture. Arlopass has no backend, no user accounts, and zero telemetry. It is a purely local tool that works offline when paired with local LLMs. Its MIT-licensed, open-source nature ensures that the security community can audit the codebase, preventing the "black box" risks associated with proprietary AI gateways.

Frequently Asked Questions (FAQ)

  1. Is Arlopass safer than pasting my API key into a website? Yes. When you paste a key into a website, that site's server can store, log, or reuse your key indefinitely. With Arlopass, the website never sees your key. The extension handles the authentication locally on your device and only passes the resulting AI text back to the app, keeping your credentials encrypted and under your control.

  2. Can I use Arlopass with local models like Llama 3 or Mistral via Ollama? Absolutely. Arlopass has first-class support for Ollama and LM Studio. By selecting a local provider in the Arlopass menu, you can use any web application with models running on your own hardware. This ensures that your prompts never leave your machine, providing the highest level of privacy possible.

  3. How do developers benefit from using the Arlopass SDK? Developers can save weeks of engineering time by using Arlopass. It removes the need to build a backend for AI requests, manage a database of API keys, or handle user billing for AI usage. With just 10 lines of code, an app can support any major AI provider, allowing the developer to focus on features rather than infrastructure.

  4. Which AI providers are currently supported by Arlopass? Arlopass supports a wide array of providers including OpenAI (GPT-4o, GPT-4), Anthropic (Claude 3.5 Sonnet), Google Gemini, Amazon Bedrock, Perplexity, and local-first solutions like Ollama and LM Studio. The modular adapter system allows for the rapid addition of any new API-based AI provider.
