Help & Documentation

FAQ & API Key Setup

AnonAI requires an API key from your chosen AI provider. Your key is sent directly to the provider with each request and is never stored. Below you'll find instructions for obtaining a key from each supported provider.

General Questions

Why do I need to provide my own API key?

AnonAI is a relay — it anonymizes your prompt and forwards it to the AI provider on your behalf. Each provider charges for API usage, so you use your own account and key. This also means your usage goes directly through your account rather than a shared pool.

Is my API key stored?

No. Your API key is submitted with each request, used to make the call to the provider, and immediately discarded. It is never written to the database, session, or logs.

I want to protect my data — how do I know it's safe with AnonAI?

Privacy and security are the foundation AnonAI is built on. Here is a full account of the protections in place:

Your prompt data

PII is stripped from your prompt before it ever leaves the application. The AI provider receives only anonymized text — your names, addresses, email addresses, phone numbers, and other identifiers are replaced with opaque tokens and restored locally after the response is received. The provider never sees your raw input.

API keys

Your AI provider API key is used per-request and immediately discarded. It is never written to the database, the session store, or any log file. It exists in server memory only for the duration of the outbound request.

Passwords

Account passwords are hashed using bcrypt with a cost factor of 12 before storage. The original password is never retained. Even in the unlikely event of a database breach, stored hashes cannot be reversed into usable passwords without significant computational effort.

Encryption in transit

All traffic between your browser and the AnonAI server is encrypted via TLS (HTTPS). All outbound requests from AnonAI to AI providers are made over HTTPS. No data travels over unencrypted connections at any point in the request lifecycle.

Encryption at rest

The underlying infrastructure encrypts stored data at rest, including the database and any associated storage volumes. This ensures that physical access to storage media does not expose readable data.

Session security

Sessions are signed with a strong secret, stored server-side in the database rather than in the browser, and scoped with HttpOnly and SameSite=Lax cookie flags. In production, the Secure flag is enforced, meaning session cookies are only transmitted over HTTPS.

Secrets management

Infrastructure secrets — database credentials, session secrets, and API configuration — are managed as environment variables injected at runtime and are never committed to source code or container images. Access to these values is restricted to the runtime environment only.

HTTP security headers

All responses include a strict set of security headers via Helmet.js, including a Content Security Policy that prevents cross-site scripting, X-Frame-Options to block clickjacking, and X-Content-Type-Options to prevent MIME sniffing.
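One way to check these header claims, and the cookie flags listed under Session security, against a live response. This is an added example, not AnonAI's own code: the function name, the finding strings and the cookie name "sid" are assumptions, and the sample headers are constructed.

```javascript
// Added check (not AnonAI's code): list which claimed protections a response lacks.
function auditHeaders(headers, { production = true } = {}) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  // CSP: parse the directives; script-src falls back to default-src.
  const csp = String(h['content-security-policy'] || '').toLowerCase();
  const directives = new Map(csp.split(';')
    .map((d) => d.trim().split(/\s+/)).filter((p) => p[0])
    .map(([name, ...sources]) => [name, sources]));
  const scripts = directives.get('script-src') || directives.get('default-src');
  // Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is present.
  const neutralised = scripts &&
    scripts.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  if (!csp) findings.push('csp: missing');
  else if (!scripts) findings.push('csp: no script-src or default-src');
  else if (scripts.includes("'unsafe-inline'") && !neutralised) {
    findings.push('csp: inline scripts allowed');
  }
  if (!/^(deny|sameorigin)$/i.test(String(h['x-frame-options'] || '').trim())) {
    findings.push('x-frame-options: not DENY or SAMEORIGIN');
  }
  if (String(h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options: not nosniff');
  }
  // Node's http client exposes Set-Cookie as an array; accept a single string too.
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim().toLowerCase());
    const name = pair.split('=')[0];
    if (!attrs.includes('httponly')) findings.push(`cookie ${name}: no HttpOnly`);
    if (!attrs.some((a) => /^samesite=(lax|strict)$/.test(a))) {
      findings.push(`cookie ${name}: SameSite is not Lax or Strict`);
    }
    if (production && !attrs.includes('secure')) findings.push(`cookie ${name}: no Secure`);
  }
  return findings;
}

// Constructed sample responses (the cookie name "sid" is an assumption).
const HARDENED = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
const WEAK = {
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
  'Set-Cookie': 'sid=abc123; Path=/; SameSite=None',
};
```

An empty result means every check passed; `auditHeaders(WEAK)` returns five findings.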

Rate limiting

All endpoints are rate-limited to protect against brute-force and denial-of-service attacks. Authentication endpoints have tighter limits than general API endpoints.

Audit logging

All significant account and prompt actions — logins, registrations, password changes, prompt relays, and deletions — are recorded in an audit log. This provides a traceable record of activity without logging any sensitive values such as passwords or API keys.

Which provider should I choose?

All eight providers produce high-quality responses. Claude and GPT-4o are strong general-purpose choices. Gemini 2.5 Flash is fast and cost-effective. Grok 3 has real-time web access. Llama 3.3 via Groq is the fastest option and has a generous free tier — a good starting point if you're new to AI APIs. Mistral Large is a strong European alternative with excellent reasoning. Command R+ from Cohere is optimised for document-heavy and enterprise use cases. Sonar Pro from Perplexity includes live web search in every response.

What does AnonAI actually send to the provider?

Only the anonymized version of your prompt. Names, email addresses, phone numbers, physical addresses, and other personal identifiers are replaced with opaque tokens (e.g. [[ANON_EMAIL_A1B2C3D4]]) before the request leaves AnonAI. The provider never sees your raw input. Use the Preview button in the dashboard to see exactly what will be sent before committing.

What if AnonAI doesn't detect something I want to anonymize?

AnonAI's automatic detection covers common PII patterns, but you may have context-specific information — internal project names, custom identifiers, or personal details that don't match a standard pattern — that you still want to protect.

For these cases, use manual selection anonymization in the dashboard:

  1. Type or paste your prompt in the prompt field.
  2. Click Preview to open the Anonymized Preview window.
  3. Back in the prompt field, select the text you want to anonymize (up to 64 characters).
  4. A small popup will appear — click Anonymize.
  5. The preview updates immediately, showing the selected text replaced with a user token (e.g. [[ANON_USER_TOKEN_A1B2C3D4]]).
  6. Repeat for any other text you want to protect, then click Relay Prompt Anonymously.

User tokens are highlighted in amber in the preview to distinguish them from automatically detected PII. You can click any user token in the preview to remove it and restore the original text.

User tokens are rehydrated in the AI response just like automatically detected PII — the original text is restored before the response is shown to you.
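The replace-and-restore round trip described above, including manual user tokens, as an added sketch that is not AnonAI's own code. The two detector regexes, the function names and the in-memory vault are assumptions; only the token shape (e.g. [[ANON_EMAIL_A1B2C3D4]]) and the 64-character selection limit come from this page.

```javascript
// Added sketch (not AnonAI's code): tokenise locally, relay only `text`, rehydrate locally.
const { randomBytes } = require('node:crypto');

// Assumed, deliberately simple detectors; real PII detection covers far more.
const DETECTORS = [
  ['EMAIL', /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ['PHONE', /\+?\d[\d\s().-]{7,}\d/g],
];
const TOKEN_RE = /\[\[ANON_[A-Z_]+_[0-9A-F]{8}\]\]/g;
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Mint an opaque random token; a repeated value reuses its token so the
// model still sees that two mentions refer to the same thing.
function mint(kind, value, vault) {
  for (const [tok, v] of vault) {
    if (v === value && tok.startsWith(`[[ANON_${kind}_`)) return tok;
  }
  let tok;
  do {
    tok = `[[ANON_${kind}_${randomBytes(4).toString('hex').toUpperCase()}]]`;
  } while (vault.has(tok));
  vault.set(tok, value); // token -> original; the vault is never sent to the provider
  return tok;
}

function anonymize(prompt, userSelections = []) {
  const vault = new Map();
  let text = prompt;
  const sels = [...new Set(userSelections)].sort((a, b) => b.length - a.length);
  if (sels.some((s) => s.length < 1 || s.length > 64)) {
    throw new RangeError('manual selections must be 1-64 characters');
  }
  if (sels.length) {
    // One pass, longest first, so a selection is never replaced inside a token.
    const re = new RegExp(sels.map(escapeRe).join('|'), 'g');
    text = text.replace(re, (m) => mint('USER_TOKEN', m, vault));
  }
  for (const [kind, re] of DETECTORS) {
    text = text.replace(re, (m) => mint(kind, m, vault));
  }
  return { text, vault };
}

// Restore originals in the provider's response; unknown tokens are left as-is.
function rehydrate(response, vault) {
  return response.replace(TOKEN_RE, (tok) => (vault.has(tok) ? vault.get(tok) : tok));
}
```

Only `text` would leave the process; the vault stays in memory for the lifetime of the request and is dropped once the response has been rehydrated.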

Do you have an accessible API?

Yes — as of v2.0, AnonAI exposes a REST API so you can integrate the anonymization and relay pipeline directly into your own code. An active subscription is required.

Getting started

Generate an API key from the API Keys option in the dashboard menu. The key is shown once — store it securely.

Authentication

Pass your key as a Bearer token in the Authorization header on every request.

Endpoints

POST /v1/relay — anonymize and relay a prompt to an AI provider, returning the rehydrated response.

POST /v1/preview — anonymize a prompt without calling any AI provider, useful for testing.

Full documentation is available in API.md in the project repository.

Subscription

Do I need a subscription to use AnonAI?

Creating an account and logging in is always free. A subscription is required to relay anonymized prompts to AI providers. You can preview how your prompt will be anonymized at no cost before subscribing.

How much does a subscription cost?

AnonAI subscriptions are $3 CAD per month, billed monthly. There are no setup fees, no usage caps, and no long-term commitment — you can cancel at any time.

How do I subscribe?

After logging in, click the Subscribe now link in the dashboard. You will be taken to a secure Stripe-hosted checkout page where you can enter your payment details. Once payment is confirmed you are redirected back to the dashboard with full relay access immediately activated.

How do I manage or cancel my subscription?

All billing is managed through Stripe. From the dashboard, click Manage Billing to open the Stripe Customer Portal, where you can update your payment method, view invoices, or cancel your subscription at any time. Cancellation takes effect at the end of the current billing period.

Is my payment information stored by AnonAI?

No. AnonAI never handles or stores card details. All payment processing is handled entirely by Stripe, a PCI-compliant payment provider. AnonAI only stores your Stripe customer ID and subscription status — never any financial data.

What happens if my payment fails?

If a renewal payment cannot be processed, your subscription status will be set to past due and relay access will be suspended. A notification will appear in the dashboard with a link to update your billing details in the Stripe Customer Portal. Once payment is resolved, access is restored automatically.

Getting an API Key

Claude
Anthropic — Claude
Model: claude-sonnet-4
  1. Go to console.anthropic.com and sign up or log in.
  2. From the dashboard, click API Keys in the left sidebar.
  3. Click Create Key, give it a name, and copy the key — it starts with sk-ant-.
  4. Add a credit card under Billing to activate the key. New accounts receive a small free credit.
GPT-4o
OpenAI — GPT-4o
Model: gpt-4o
  1. Go to platform.openai.com and sign up or log in.
  2. Click your profile icon (top right) and select API keys.
  3. Click Create new secret key, give it a name, and copy it — it starts with sk-.
  4. Add a payment method under Billing → Payment methods. GPT-4o requires a paid account.
Gemini
Google — Gemini 2.5 Flash
Model: gemini-2.5-flash
  1. Go to aistudio.google.com and sign in with a Google account.
  2. Click Get API key in the left sidebar.
  3. Click Create API key and select or create a Google Cloud project.
  4. Copy the key — it starts with AIza. Gemini 2.5 Flash has a generous free tier with rate limits; paid usage is billed through Google Cloud.
Grok
xAI — Grok 3
Model: grok-3
  1. Go to console.x.ai and sign in with your X (Twitter) account.
  2. Navigate to API Keys in the sidebar.
  3. Click Create API Key, name it, and copy the key — it starts with xai-.
  4. Add a payment method under Billing. New accounts may receive free starter credits.
Groq
Groq Cloud — Llama 3.3 70B
Model: llama-3.3-70b-versatile
  1. Go to console.groq.com and sign up or log in.
  2. Click API Keys in the left sidebar.
  3. Click Create API Key, name it, and copy it — it starts with gsk_.
  4. Groq has a free tier with generous rate limits — no credit card required to get started.
Mistral
Mistral AI — Mistral Large
Model: mistral-large-latest
  1. Go to console.mistral.ai and sign up or log in.
  2. Navigate to API Keys in the left sidebar.
  3. Click Create new key, give it a name, and copy it.
  4. Add a payment method under Billing to activate the key. New accounts receive free trial credits.
Cohere
Cohere — Command R+
Model: command-r-plus
  1. Go to dashboard.cohere.com and sign up or log in.
  2. Click API Keys in the left sidebar.
  3. Your default trial key is shown on this page — copy it, or click New Trial Key to create another.
  4. Trial keys work immediately with rate limits. Add a payment method under Billing to upgrade to production limits.
Perplexity
Perplexity — Sonar Pro
Model: sonar-pro
  1. Go to perplexity.ai/settings/api and sign in.
  2. Click Generate under API Keys to create a new key — it starts with pplx-.
  3. Add a credit card to activate your key. Sonar Pro charges per request and includes live web search in every response.
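A log scrubber built on the key prefixes listed in the provider sections above, useful for checking that no provider key ever reaches a log line. This is an added example, not AnonAI's own code: the 16-character minimum and the character set for the secret part are assumptions, and the sample log lines and key values are constructed.

```javascript
// Added example (not AnonAI's code): scrub provider keys from a log line.
// Prefixes are the ones listed on this page; Mistral and Cohere keys have no
// listed prefix, so they are only caught when they follow "Bearer".
const PROVIDER = {
  'sk-ant-': 'anthropic', 'sk-': 'openai', 'AIza': 'google',
  'xai-': 'xai', 'gsk_': 'groq', 'pplx-': 'perplexity',
};
// Assumption: the secret part is 16+ URL-safe characters. "sk-ant-" must come
// before "sk-" in the alternation; the lookbehind skips words like "task-...".
const KEY_RE = /(?<![A-Za-z0-9_-])(sk-ant-|sk-|AIza|xai-|gsk_|pplx-)[A-Za-z0-9_-]{16,}/g;
const BEARER_RE = /\b(Bearer\s+)([^\s"',;]+)/gi;

function redact(line) {
  const hits = [];
  let out = line.replace(KEY_RE, (match, prefix) => {
    hits.push(PROVIDER[prefix]);
    return `${prefix}[REDACTED]`;
  });
  out = out.replace(BEARER_RE, (match, scheme, token) => {
    if (token.includes('[REDACTED]')) return match; // already scrubbed by prefix
    hits.push('bearer');
    return `${scheme}[REDACTED]`;
  });
  return { line: out, hits };
}

// Constructed log lines; the key values are made up.
const SAMPLE_LOG = [
  'relay provider=claude key=sk-ant-CONSTRUCTED0000000000000000',
  'relay provider=gpt-4o key=sk-CONSTRUCTED00000000000000',
  'worker task-0123456789abcdefghij queued',
  'upstream header Authorization: Bearer CONSTRUCTEDmistralkey0000',
];
```

Running `SAMPLE_LOG.map(redact)` leaves the third line untouched and reports a hit for each of the other three.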