For builders running 2+ AI tools

Stop re-entering AI credentials
in every app and agent.
Set once. Route everywhere.

21pins is a local gateway for model access. Whether you're using provider API keys from your paid subscriptions or direct BYOK, your apps use scoped tokens while secrets stay on your machine.

Install 21pins CLI → See 2-minute setup

Works with subscription API keys + BYOK · OpenAI-compatible · Keys stay local by default

Your AI tools
OpenClaw iconOpenClaw Kilo Code iconKilo Code Roo Code iconRoo Code Hermes Agent iconHermes Agent Cline iconCline
↓ ↓ ↓ ↓
127.0.0.1:8787 / 21pins gateway
↓ ↓ ↓ ↓ ↓
Provider routing
openai anthropic openrouter gemini ollama
7 pins
checked before every model call
5 providers
ready today: OpenAI, Anthropic, OpenRouter, Gemini, Ollama
1 endpoint
drop-in baseURL for existing SDK flows
0 cloud
no SaaS key custody required

The problem

Your AI credentials are in too many places.

OpenClaw OpenClaw sk-or-v1-••••••
Kilo Code Kilo Code sk-openai-•••••
Cline Cline sk-ant-••••••••
Roo Code Roo Code AIza••••••••••
Hermes Agent Hermes Agent sk-or-v1-••••••

Every new tool asks for your keys.
That's not a workflow — it's sprawl.

Multi-provider workflows are normal now, but key handling is still fragmented. You paste the same expensive keys across multiple products with no shared control plane.

  • Key rotation means chasing updates across every tool
  • You lose visibility into which app used which model
  • Spend controls are inconsistent or missing
  • Local scripts quietly accumulate secrets in .env files

How it works

Three commands to route everything.

Step 01
Store your keys once

Set each provider key with the CLI. They're stored locally in ~/.config/21pins/ with 0600 file permissions. Never in env vars. Never in SaaS.

21pins key set anthropic --value "$ANTHROPIC_API_KEY"
21pins key set openrouter --value "$OR_KEY"
21pins key set gemini --value "$GEMINI_KEY"
Step 02
Issue app tokens

Create scoped bearer tokens for each of your apps. Each token limits which providers, models, and actions that app is allowed to use. Revoke at any time.

21pins token create my-agent-app \
  --scopes proxy:chat,proxy:providers

# Token issued once. Copy it now.
Step 03
Start the gateway

Run the local daemon. Your apps point their baseURL to 127.0.0.1:8787 and use their token as the API key. That's it — the gateway handles routing, policy, and receipts.

21pins serve --port 8787

# OpenAI-compatible endpoint ready.
# PINS21_BASE_URL=http://127.0.0.1:8787/v1

The policy model

Seven pins. Every request.

Every request is checked against all seven control pins. If one fails, the request is denied or escalated for approval.

01
Identity
Who is making this request? Verified via ConsentKeys OIDC.
ConsentKeys
02
Delegation
Who issued the grant? Signed export with 15-min default TTL.
Active
03
Scope
What actions is this token allowed to perform?
Active
04
Data boundary
Which data classes can this request touch?
Planned
05
Budget
Spend limit and time window per token, per run.
Active
06
Vendor
Which API targets and providers are this token allowed to reach?
Active
07
Approval
Human-in-loop escalation. Requests above threshold require manual sign-off.
Active
Quickstart

From zero to routed in under two minutes.

Build from source, initialise the config, add your keys, and start routing. Any app that speaks OpenAI-compatible chat will work immediately.

terminal
# 1. Build $ git clone https://github.com/automatethething/21pins.git $ cd 21pins && go build -o 21pins ./cmd/21pins # 2. Init $ ./21pins init # 3. Set provider keys $ ./21pins key set anthropic --value "$ANTHROPIC_API_KEY" $ ./21pins key set openrouter --value "$OR_KEY" $ ./21pins key set gemini --value "$GEMINI_KEY" # 4. Create an app token $ ./21pins token create my-app --scopes proxy:chat,proxy:providers # 5. Start the gateway $ ./21pins serve --port 8787 # ✓ Gateway running at http://127.0.0.1:8787 # 6. Point your app at the gateway PINS21_BASE_URL=http://127.0.0.1:8787/v1 PINS21_TOKEN=<token-from-step-4>

Supported providers

All major providers. One place.

Use provider/model format in the model field — 21pins handles the routing and key injection automatically.

Anthropic claude-3-5-sonnet, opus-4…
OpenAI gpt-4o, o3, o4-mini…
OpenRouter 500+ models via one key
Gemini gemini-2.0-flash, pro…
Ollama local models, no key needed

Who it's for

Built for people who run multiple AI tools.

Technical founder
You run multiple AI apps and scripts with overlapping model keys.

Keep keys in one place, route through one endpoint, and rotate once when needed.

AI builder / operator
You build internal tools and refuse to embed provider keys everywhere.

Issue scoped app tokens. 21pins enforces provider and budget policy while apps never see raw keys.

Team lead / operator
Your team uses many AI tools, but spend and approval are opaque.

Execution receipts capture grant, decision, and spend data. Approval thresholds gate expensive requests.

Ready to stop key sprawl?
Install and route in minutes.

Keep keys local, issue scoped app tokens, and plug into one endpoint. Start with your existing toolchain — no rewrite required.

Build from source (Go)
go build -o 21pins ./cmd/21pins
Start the gateway
./21pins serve --port 8787
View repo ↑ Full quickstart