AbolitusManaging API Keys
Understand where provider credentials live, what syncs, and how to keep keys safe.
Provider keys are one of the easiest places for privacy tools to quietly fail. Abolitus avoids that by keeping provider credentials device-local.
If you type a provider key into Abolitus, that key is intended for the current device. It is not treated like general profile data, and it is not meant to follow you automatically across all devices.
Where Keys Live
Provider credentials live in the local workspace on the device where you entered them.
That means:
- They stay on the current device.
- They are used directly by the browser when calling your chosen provider route.
- They are not part of the creative settings that sync across devices.
What This Protects You From
This design avoids a common trust problem:
- Abolitus does not need to hold your provider key on its own backend.
- A synced settings restore on another device does not silently expose your provider credentials there.
- Losing access to one device does not automatically reveal keys everywhere else.
What This Means in Real Use
If you use Abolitus on a desktop and a phone, you should expect to enter provider credentials on both devices separately.
This is normal.
Creative settings can sync. Provider secrets do not.
What Syncs and What Does Not
Can sync
- Prompt wrappers and presets.
- Sampler presets.
- Personas and default persona selection.
- Quick replies and custom slash commands.
- Group-chat defaults and other creative behavior settings.
Does not sync
- Provider API keys.
- Local provider base URLs.
- Device-specific active provider setup.
- TTS provider credentials.
Best Practices for Key Safety
Use separate keys when practical
If your provider allows multiple keys, consider using different keys for different devices. This makes it easier to rotate access without disrupting every machine you use.
Remove keys from shared devices
If a device is shared, temporary, or not under your full control, do not leave provider credentials stored there longer than necessary.
Prefer a password-protected local vault on devices you travel with
This does not sync your keys, but it reduces the chance that someone opening your device session can immediately use the workspace.
Rotate keys after exposure, not just after suspicion
If you pasted a key somewhere you should not have, or used it on a device you no longer trust, rotate it at the provider first and then update Abolitus.
How Requests Actually Leave the Device
When you send a message:
- Abolitus assembles the prompt locally.
- Your browser sends the request directly to the provider route you configured.
- The reply streams back to your browser.
The important point is that the request path is browser-to-provider. Abolitus is not acting like a middleman provider relay for your normal model traffic.
Deleting or Replacing a Key
If you replace a provider key in Settings, future requests use the new value. If you delete a provider entry, the key is removed from the current device's local workspace.
This is why a device cleanup matters. If you are retiring a machine, clear provider keys on that machine instead of assuming cloud settings changes will do it for you.
Common Misunderstandings
"I bought Premium, so my keys should sync too."
No. Premium adds encrypted sync convenience for creative state and vault-level flows. Provider credentials remain local by design.
"If I lose this device, Abolitus can re-send my keys from the cloud."
No. Plan as if the current device is the only place those credentials live unless you manually store them elsewhere.
"If my provider route stops working on mobile, cloud sync is broken."
Not necessarily. The most common cause is simply that the mobile device does not have the provider configured locally yet.