ShellYard

BYO key

Where Magellan provider keys are stored, how to rotate, why this is the model. Free seals keys in a local AES-256-GCM SQLite vault on disk with the master key in your OS keychain. Pro and above envelope-encrypt them with AWS KMS in our account (per-user EncryptionContext) and sync across machines. Prompts go directly from your client to your AI provider — never through us.

ShellYard supports bring-your-own keys on every tier.

Where keys live

  • Free — AES-256-GCM-encrypted SQLite vault on the device. The master key sealing that vault is held in the OS keychain (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). Nothing syncs off the machine.
  • Pro and above — DynamoDB, envelope-encrypted with a shared AWS KMS CMK in ShellYard’s AWS account; EncryptionContext={userSub} gates kms:Decrypt to your Cognito identity. Same path as Personal credentials and HTTP environment secrets — syncs across every machine you sign in to. Not zero-knowledge: we hold the CMK.

Where requests go

Once Magellan calls a provider, the HTTPS request goes from the desktop binary directly to the provider’s official API hostapi.anthropic.com, api.openai.com, generativelanguage.googleapis.com, or whatever Base URL you configured for an OpenAI-compatible endpoint (commonly a local Ollama at http://localhost:11434/v1). No ShellYard server sits in between. Your API key, your prompts, your completions, and your tool calls are never seen by us in transit.

Rotating

Settings → AI → <provider> — overwrite the key value. The next request uses the new key.

OpenAI-compatible

The OpenAI-compatible provider takes both an API key and a Base URL, so you can point at any OpenAI-API-compatible endpoint without changing keys.