What is CloakAPI
CloakAPI is a privacy-preserving AI gateway. You point your existing OpenAI
or Anthropic SDK at https://api.cloakapi.io instead of
api.openai.com / api.anthropic.com, and CloakAPI handles three things
between you and the upstream model:
- Tokenises sensitive structures (names, emails, IDs, addresses, free-form
PII) using a deterministic, privacy-preserving algorithm — on your own
device, via the client-side ways: browser chat, desktop app, browser
extension, or the local proxy (point the SDK at
http://localhost:8799/v1, see Quickstart Option C). The gateway itself is a blind token relay: it never inspects, detects, or tokenises content on our servers, so a bare SDK pointed straight atapi.cloakapi.iois relayed as-is (not tokenised by us). With a client-side way in front, the provider sees<EMAIL_482>rather thanalice@meridian.example. - Routes requests with provider failover, cost-aware arbitrage, per-tenant quotas, and per-request rate limiting.
- Signs every response with an
ecdsa-p256-sha256envelope chained to the previous response, so auditors can cryptographically verify any receipt months later — using only the public JWKS athttps://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks.
Three ways to use it (plus a power-up)
The API is the foundation, but you don’t have to write code to get client-side tokenisation. There are three ways to use CloakAPI:
- API / SDK / proxy — point your OpenAI/Anthropic SDK at the gateway, or run the
localhost local proxy to tokenise on your machine with a
one-line
base_urlchange. Start with the Quickstart. - Chat — a browser chat window that tokenises your prompts on-device before relaying to Claude, GPT, Gemini, Grok or DeepSeek. No code, no install.
- Browser extension — the same privacy layer applied
directly on
chatgpt.com,claude.ai,gemini.google.comandgrok.com.
The Windows desktop app is a power-up (not a fourth way): it runs the native tokeniser for the fullest on-device coverage and complete-local models. All of them are paid, key-backed and fail-closed, priced in USD.
Architecture in one paragraph
CloakAPI ships as a Laravel-based gateway (api.cloakapi.io) backed by
PostgreSQL + Redis, fronted by a customer self-serve portal
(app.cloakapi.io), a marketing surface (cloakapi.io), and an OIDC
identity layer. Receipts are anchored against a public protocol spec at
signedreceipts.org (OpenReceipt v3) and
verifiable from any browser at
app.cloakapi.io/receipt-verifier.
Compliance posture
- HIPAA — structural non-BA argument on the client-side ways (many customers conclude no BA relationship arises; evaluate with your own counsel — not legal advice). Template BAA available on request via /enterprise. Customer must perform their own HIPAA covered-entity gap analysis.
- Data residency: EU-only (Hetzner Nuremberg) by default; US and APAC available via BYOC.
- GDPR: data minimisation by design — the gateway never persists customer payloads; only structure-level tokens.