An API key is the thing that lets an app talk to Claude or OpenAI on your behalf, and it can run up a bill. So when an app asks for it, you're right to stop and ask where that key ends up. Most of the time, the answer is "on their servers," and that's the part worth thinking about.
A key that can spend money is a key that can be leaked, logged, or misused. When you paste it into a hosted app, it travels to that company's servers and sits there so the app can make calls for you. You're trusting that they store it well, don't get breached, and don't quietly use it for more than you agreed to. That trust might be well placed, but it's still trust in a company you can't see inside of.
There's a different arrangement: the key goes onto a machine you own, and never touches the app maker's servers at all. That's how Wetlether is built. Your key sits on your own box, in your own cloud, and the calls to the AI go straight from your box to the provider — the same path you'd use if you called them yourself.
Your AI provider still sees the requests you send on your key — that's unavoidable, because they're the one running the model. What you can remove is the extra company in the middle holding a copy of your key. That middleman is the part that doesn't have to exist, and removing it is most of the safety you were worried about.
Wetlether — your keys stay on a box you own.