🔒 Security Guide

Secure Your Groq API Key with Nexus

Learn how Nexus uses AES-256 encryption, domain whitelisting, and a zero-trust proxy architecture to keep your Groq API key safe from exposure.

📅 July 18, 2026 ⏱️ 5 min read 👤 By Kaif Ansari

TL;DR: Nexus never exposes your Groq API key to the frontend. Your key is encrypted with AES-256, stored in a secure vault, and only decrypted server-side through a domain-verified proxy. Your key is safe.

Why API Key Security Matters

When you add an AI assistant to your website, you typically need an API key from a provider like Groq. The biggest security risk is exposing this key in your frontend code. Anyone can inspect your website's source code, find the key, and use it to make unauthorized requests — potentially costing you thousands of dollars.

⚠️ The Problem: Most AI widgets require you to embed your API key directly in JavaScript. This key is visible to anyone who opens your browser's developer tools. A single exposed key can lead to API abuse, billing surprises, and security breaches.

How Nexus Solves This Problem

Nexus uses a zero-trust security model with three layers of protection:

🔐

AES-256 Encryption

Your Groq key is encrypted before it ever touches the database.

🛡️

Domain Whitelisting

Only authorized domains can use your Nexus key.

Secure Proxy

The key is decrypted server-side, never exposed to the browser.

How It Works – Step by Step

1

You Store Your Groq Key in the Dashboard

When you paste your Groq API key into the Nexus Dashboard, it is immediately encrypted using AES-256 — the same standard used by banks and governments. The encrypted key is stored in Firestore. Encrypted at Rest

2

You Generate a Nexus API Key

Nexus creates a separate domain-restricted API key for your frontend. This key is safe to embed in your HTML because it only works for origins you have explicitly authorized in the Domains tab. Domain Restricted

3

The Widget Sends Your Nexus Key to Our Proxy

When a user asks a question, the widget sends your Nexus API key to our secure proxy. The proxy validates the request origin against your whitelisted domains. If the domain doesn't match, the request is rejected immediately. Origin Verified

4

Your Groq Key is Decrypted and Used

Only after domain verification does the proxy decrypt your Groq key (using AES-256 decryption) and forward the request to Groq's servers. The Groq key is never sent back to the browser or exposed in any client-side code. Never Exposed

🔑 Key Takeaway: Your Groq API key never leaves our secure backend. The browser only sees a domain-restricted Nexus key that is useless outside your authorized origins.

Additional Security Measures

Best Practices for API Key Security

💡 Pro Tip: Never commit your Groq API key to GitHub or any public repository. Always use environment variables or the Nexus vault.

  1. Use Separate Keys for Development and Production: Create different Nexus keys for staging and production environments.
  2. Regularly Rotate Your Keys: Generate new Groq API keys periodically and update them in the Nexus Dashboard.
  3. Monitor Usage: Check your Dashboard regularly to spot any unusual request patterns.
  4. Revoke Unused Keys: If a key is no longer needed, revoke it immediately.
  5. Whitelist Only Necessary Domains: Don't add domains you don't control.

Frequently Asked Questions

Is my Groq key stored in plain text anywhere?

No. Your Groq key is encrypted with AES-256 before storage. It is never stored in plain text in the database, logs, or any other system.

Can Nexus employees see my Groq key?

No. The encryption key is managed by Firebase. Even we cannot decrypt your key without your explicit authorization. The encryption is transparent and secure.

What happens if someone steals my Nexus key?

A stolen Nexus key is useless without a matching whitelisted domain. The proxy validates the origin of every request. You can also revoke the key instantly from the Dashboard.

Is the proxy open source?

Yes. The entire Nexus codebase, including the proxy logic, is open source under the MIT license. You can audit the code or self-host the entire stack.

Ready to Secure Your API Keys?

Nexus makes it easy to protect your Groq API keys while providing a powerful AI assistant for your users. Get started with 1,000 free requests per month.

Start Securing Your API Keys Today

Add your Groq key to the Nexus vault in minutes.

Get Started for Free