
AI Key Management and Key Encryption

Configure Anthropic API credentials, understand the key resolution hierarchy, and learn how Pentographer secures credentials using AES-256-GCM.

Pentographer requires an Anthropic API key to run its drafting and review features. You can configure keys at the user, organization, or environment level. To learn how to use these credentials to draft findings and review reports, refer to the AI Drafting Assistant guide.

Key Resolution Hierarchy

When you trigger an AI operation, the application resolves which API key to use by checking the following hierarchy in order:

  1. Organization Key: If the organization owner or administrator has configured an organization-wide key, the system uses it first.
  2. User Key: If no organization key exists, the system checks for a personal key configured in your account settings.
  3. Environment Key: If neither an organization key nor a user key exists, the system falls back to the server environment key configured via the ANTHROPIC_API_KEY environment variable.

[!WARNING] To prevent billing abuse, the server limits environment key usage to 10 requests per user per day. Pentographer tracks these requests in the aiUsageLog table. Personal and organization-scoped keys do not face any application-level rate limits.
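The resolution order and the environment-key cap described above, written out as an added example in Node.js. This is not Pentographer's own code: the function names, the `{ userId, keySource, createdAt }` row shape standing in for the aiUsageLog table, the key strings and the timestamps are all constructed for the illustration.

```javascript
// Added example, not Pentographer's code. Resolves which Anthropic key an AI
// operation should use: organization -> user -> environment, and enforces the
// 10-requests-per-user-per-day limit that applies only to the environment key.
const ENV_KEY_DAILY_LIMIT = 10;
const DAY_MS = 24 * 60 * 60 * 1000;

// Counts environment-key requests a user made on the same UTC day as `now`.
// `usageLog` stands in for rows of the aiUsageLog table; the row shape is an
// assumption for this example.
function envKeyRequestsToday(usageLog, userId, now) {
  const day = now.toISOString().slice(0, 10);
  return usageLog.filter(
    (row) =>
      row.userId === userId &&
      row.keySource === 'environment' &&
      row.createdAt.toISOString().slice(0, 10) === day
  ).length;
}

// Appends a usage row; in the real application this would be a database insert.
function recordUsage(usageLog, userId, keySource, at) {
  usageLog.push({ userId, keySource, createdAt: at });
}

// Returns { source, key } for the key to use, or { source: null, reason }
// when no key is available or the environment-key quota is exhausted.
function resolveApiKey({ orgKey, userKey, envKey, usageLog, userId, now = new Date() }) {
  if (orgKey) return { source: 'organization', key: orgKey };
  if (userKey) return { source: 'user', key: userKey };
  if (!envKey) return { source: null, key: null, reason: 'no API key configured' };
  const used = envKeyRequestsToday(usageLog, userId, now);
  if (used >= ENV_KEY_DAILY_LIMIT) {
    return { source: null, key: null, reason: 'environment key daily limit reached' };
  }
  return { source: 'environment', key: envKey };
}

// Constructed sample log: user u1 already made 9 environment-key requests
// today, one request yesterday (not counted) and user u2 made one today.
const SAMPLE_NOW = new Date('2024-06-01T12:00:00Z');
function sampleUsageLog(now = SAMPLE_NOW) {
  const rows = [];
  for (let i = 0; i < 9; i++) {
    recordUsage(rows, 'u1', 'environment', new Date(now.getTime() - i * 60 * 1000));
  }
  recordUsage(rows, 'u1', 'environment', new Date(now.getTime() - DAY_MS));
  recordUsage(rows, 'u2', 'environment', now);
  return rows;
}

// Walks the hierarchy for user u1 and returns the sources chosen at each step.
function runScenario() {
  const log = sampleUsageLog();
  const base = { usageLog: log, userId: 'u1', now: SAMPLE_NOW };
  const chosen = [];
  chosen.push(resolveApiKey({ ...base, orgKey: 'sk-ant-ORG-PLACEHOLDER', userKey: 'sk-ant-USER-PLACEHOLDER', envKey: 'sk-ant-ENV-PLACEHOLDER' }).source);
  chosen.push(resolveApiKey({ ...base, userKey: 'sk-ant-USER-PLACEHOLDER', envKey: 'sk-ant-ENV-PLACEHOLDER' }).source);
  // Only the environment key is configured: request 10 of the day is allowed...
  const tenth = resolveApiKey({ ...base, envKey: 'sk-ant-ENV-PLACEHOLDER' });
  chosen.push(tenth.source);
  recordUsage(log, 'u1', tenth.source, SAMPLE_NOW);
  // ...and request 11 is refused, while another user is unaffected.
  chosen.push(resolveApiKey({ ...base, envKey: 'sk-ant-ENV-PLACEHOLDER' }).source);
  chosen.push(resolveApiKey({ ...base, userId: 'u2', envKey: 'sk-ant-ENV-PLACEHOLDER' }).source);
  return chosen;
}

module.exports = { resolveApiKey, envKeyRequestsToday, recordUsage, sampleUsageLog, runScenario, ENV_KEY_DAILY_LIMIT };
```

The quota check runs only on the environment branch, which is the behaviour the warning above describes: a personal or organization key never touches the usage count. Note that the count is keyed on the calendar day in UTC; a deployment that wants a rolling 24-hour window would compare `createdAt` against `now - DAY_MS` instead.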

Configuring Keys

User-Level Key

To set a personal API key:

  1. Navigate to Account Settings (at /settings).
  2. Locate the Anthropic API key section.
  3. Click Add key.
  4. Enter your API key. The key must begin with the sk-ant- prefix.
  5. Click Save.

Once saved, the interface shows only a masked value and never reveals the secret key itself.

Organization-Level Key

Only organization Owners and Administrators can manage organization keys. Members and Viewers cannot access these fields.

To set an organization-wide key:

  1. Navigate to Organization Settings (at /settings/organization).
  2. Locate the Anthropic API key section.
  3. Click Add key.
  4. Enter your organization's API key (beginning with the sk-ant- prefix).
  5. Click Save.

Encryption and Security

Pentographer protects stored API keys by encrypting them before they are written to the database:

  • Encryption Algorithm: The server encrypts keys using AES-256-GCM before writing them to the database.
  • Key Protection: The server decrypts keys on the fly only when making requests to the Anthropic API. Decrypted keys never pass to the client browser.
  • Key Erasure: When you delete a key from the interface, the server completely deletes the record from the database.
