The gateway is now a pure blind token relay
Now that tokenisation runs on the customer side across every way of using CloakAPI, the gateway no longer does any content processing of its own — it is a literal blind byte relay. It cannot see raw PII, because personal data is tokenised on your device before the request ever reaches us.
- Removed the server-side detectors, the Presidio pass, and the residual-scan 422 enforcer from the gateway: it no longer inspects, detects, or tokenises content on our servers.
- The gateway forwards only what your device sends, signs the receipt, and meters token counts — never content. Billing reads provider-returned usage, not your prompts.
- To tokenise with a plain SDK, point it at the local proxy (Quickstart Option C) so tokenisation stays on your own machine — the gateway blind-relays whatever it receives.
CloakAPI Chat — a private front door you can try without signing up
A client-side chat is now the easiest way to try CloakAPI: open it, type, and personal data is tokenised in your browser before anything is sent. Streaming replies, no account required to start.
- Try free, no signup — an anonymous demo pool is available immediately, protected by per-IP and global daily caps so it stays up for everyone.
- Names, emails, and IDs are tokenised on your device before the request leaves the browser; the gateway is a blind token relay that forwards only those tokens and never sees your data in the clear.
- Streaming responses, token by token.
- Register to claim $2 in credit and lift the demo caps.
Local proxy, browser extension, and Complete-local desktop
Three ways to keep tokenisation on your own machine — so only tokens ever leave it (and in the desktop app's Complete-local mode, nothing leaves at all). The homepage now lays out the three ways to use CloakAPI side by side.
- Local proxy (drop-in): point your OpenAI- or Anthropic-compatible SDK at a localhost port and PII is tokenised on your machine by the native Rust engine — only tokens leave. Default port 8799, configurable via CLOAK_PROXY_LISTEN.
- Local proxy ships as a Docker image and a Linux binary on the downloads page; macOS and Windows builds are coming soon via CI.
- Browser extension: files you attach to claude.ai (pdf / docx / xlsx) are extracted and tokenised entirely in your browser, so the file itself never reaches our gateway. Store listings are pending review; sideload builds are available now.
- Desktop app adds a Complete-local mode — the model runs on your own hardware, so your prompt never leaves your machine — alongside the existing Gateway mode. Windows build refreshed; macOS and Linux via CI.
- Homepage gains a first-class "Three ways to use CloakAPI" section: API (drop-in proxy / SDK), Chat (browser chat, with the desktop app as a power-up), and the browser extension.
Pre-tokenised passthrough, fail-closed backstop, and wider coverage
The gateway now trusts client-tokenised traffic end to end — issuing signed receipts and billing without ever tokenising or storing raw PII itself — while adding a fail-closed backstop for anything that still arrives with personal data in the clear.
- Pre-tokenised passthrough: traffic already tokenised on your device gets a signed receipt and metered billing, with the gateway relaying only tokens.
- Fail-closed backstop: if the gateway still detects raw PII in a sensitive category, it blocks the request rather than forwarding it, and monitor-alarms the rest — defence in depth.
- International coverage hardened across roughly 20 markets — national IDs, tax and VAT IDs, IBAN, cards, and phone numbers are tokenised with the correct categories.
- Honest privacy wording across the site: personal data is tokenised on your device; the gateway relays only tokens and blocks detected raw PII.
- Fixed: the $2 signup trial credit is now reliably granted on email verification.
Launch readiness sweep — iter-14
Nine-wave audit run the day of open access. Every finding was fixed, dispatched, or gated behind a feature flag. Zero fake company names, zero fixture credentials, zero hardcoded numbers remain in user-visible code.
- Receipt verifier shipped on signedreceipts.org — valid, tampered body, swapped signature, and expired-key cases all return the correct HTTP status + reason code.
- 4 backend gaps closed: compliance-pack lifecycle, audit-log filter + CSV export, transparency-log toggle + auto-advance, privacy-tier preview / cancel / commit state machine.
- IP allowlist enforcement on API keys — CIDR validation, per-request middleware, audit-log event on block.
- Sanctum abilities + Spatie permissions on 63 mutation routes — read-only tokens correctly 403 on writes.
- F1–F6 auth flow audit — invite-signup security holes patched: token consumption, email/token binding, expiry enforcement.
- Concurrent dashboard sessions — 10-token retention window + 30-day stale-prune scheduled task.
- SES outbound mail in production — Stockholm region; DMARC alignment via custom MAIL FROM mail.cloakapi.io.
- Stripe live keys + webhook endpoint with HMAC signature verification.
- Trust portal: CAIQ-lite, SLA, BCP, and insurance-status pages published.
- BAA template + HIPAA structural non-BA primer published.
- Threat model, key-rotation policy, transparency-log spec, detection-coverage doc, and reproducibility roadmap published at docs.cloakapi.io/security/threat-model/.
- OpenReceipt + cloakapi-cli reference implementations — Python + JS verifiers, conformance suite, Apache-2.0 licensed.
- Chrome + Firefox extension builds complete (v0.1.0); store submission (Chrome Web Store / Mozilla AMO) is pending, so install today from the downloads page (signed build) — store install links land there once each listing is approved. Linux desktop binary (AppImage + .deb) is in progress; targeting iter-15.
- Mobile-responsive portal shell — sidebar collapses below 768 px with hamburger toggle.
- 30+ admin and portal surfaces stripped of fixture data; empty states show graceful copy.
- Fake compliance-auditor claims removed from /trust — now honest "not yet engaged".
Pre-launch sweep — iter-13
Wave-5 walkthrough preparation: role-based test accounts seeded and two auth regressions fixed ahead of the iter-14 launch-readiness run.
- 11 role-based test accounts seeded (admin, owner, billing, developer, read-only, partner-L1/L2, API-only, SSO-only, auditor, org-member).
- Admin gate fixed — user.roles array threaded through shapeUser(); admin layout now reads it correctly.
- Login race condition fixed — await invalidateAll() before goto('/dashboard') prevents stale-data layout bounce.
Production deployment — Hetzner CX43, Nuremberg
All seven public subdomains go live on dedicated bare-metal in Nuremberg. SES SMTP, Cloudflare DNS, and TLS certs provisioned in a single pass.
- Initial deployment of gateway, portal, docs, signedreceipts.org, status, demo, and marketing-site containers.
- SES SMTP wired — Stockholm region, custom MAIL FROM, SPF + DKIM + DMARC aligned.
- Cloudflare DNS configured for the full cloakapi.io zone.
- TLS certificates issued for all subdomains via Let's Encrypt.
Trust
DPA, sub-processor list, and trust portal first cut
trust.cloakapi.io ships the full GDPR Article 28 DPA template, a 21-row sub-processor list with change-notification subscription, and the live per-tenant transparency-log toggle (opt-in / opt-out in settings).
Portal
Onboarding wizard + privacy posture model
Six-step onboarding wizard shipped with provider validation and API-key generation at the final step. Privacy posture model (Max / Balanced / Continuity / No Tokenization) lands as the first configurable privacy tier in the portal.