Skip to content

What is CloakAPI

CloakAPI is a privacy-preserving AI gateway. You point your existing OpenAI or Anthropic SDK at https://api.cloakapi.io instead of api.openai.com / api.anthropic.com, and CloakAPI handles three things between you and the upstream model:

  1. Tokenises sensitive structures (names, emails, IDs, addresses, free-form PII) using a deterministic, privacy-preserving algorithm — on your own device, via the client-side ways: browser chat, desktop app, browser extension, or the local proxy (point the SDK at http://localhost:8799/v1, see Quickstart Option C). The gateway itself is a blind token relay: it never inspects, detects, or tokenises content on our servers, so a bare SDK pointed straight at api.cloakapi.io is relayed as-is (not tokenised by us). With a client-side way in front, the provider sees <EMAIL_482> rather than alice@meridian.example.
  2. Routes requests with provider failover, cost-aware arbitrage, per-tenant quotas, and per-request rate limiting.
  3. Signs every response with an ecdsa-p256-sha256 envelope chained to the previous response, so auditors can cryptographically verify any receipt months later — using only the public JWKS at https://api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkeys.jwks.

Three ways to use it (plus a power-up)

The API is the foundation, but you don’t have to write code to get client-side tokenisation. There are three ways to use CloakAPI:

  1. API / SDK / proxy — point your OpenAI/Anthropic SDK at the gateway, or run the localhost local proxy to tokenise on your machine with a one-line base_url change. Start with the Quickstart.
  2. Chat — a browser chat window that tokenises your prompts on-device before relaying to Claude, GPT, Gemini, Grok or DeepSeek. No code, no install.
  3. Browser extension — the same privacy layer applied directly on chatgpt.com, claude.ai, gemini.google.com and grok.com.

The Windows desktop app is a power-up (not a fourth way): it runs the native tokeniser for the fullest on-device coverage and complete-local models. All of them are paid, key-backed and fail-closed, priced in USD.

Architecture in one paragraph

CloakAPI ships as a Laravel-based gateway (api.cloakapi.io) backed by PostgreSQL + Redis, fronted by a customer self-serve portal (app.cloakapi.io), a marketing surface (cloakapi.io), and an OIDC identity layer. Receipts are anchored against a public protocol spec at signedreceipts.org (OpenReceipt v3) and verifiable from any browser at app.cloakapi.io/receipt-verifier.

Compliance posture

  • HIPAA — structural non-BA argument on the client-side ways (many customers conclude no BA relationship arises; evaluate with your own counsel — not legal advice). Template BAA available on request via /enterprise. Customer must perform their own HIPAA covered-entity gap analysis.
  • Data residency: EU-only (Hetzner Nuremberg) by default; US and APAC available via BYOC.
  • GDPR: data minimisation by design — the gateway never persists customer payloads; only structure-level tokens.