Perishable / skelfresearch
About

Tokens have shelf lives. Treat them that way.

Perishable is a small piece of dev infrastructure: a Node proxy plus a browser SDK that lets a client-side app call an OpenAI-compatible API without learning the secret key. It is maintained by Skelf-Research and is MIT licensed.

Why "perishable"

Long-lived secrets in client binaries are the dairy aisle at room temperature. They look fine for a while; then someone notices and the whole shelf goes bad. The job of this project is to make tokens behave like items with an expiry sticker — fresh enough to be useful in the next few minutes, useless to a stranger who finds them next week.

What it actually does

  • Runs as a process you control (from the CLI with npx perishable-proxy, or programmatically via new server.PerishableServer({…})).
  • Holds the upstream OPENAI_API_KEY (or OPENAI_BASE_URL-redirected equivalent) in server-side env.
  • Exposes POST /session to mint short-lived JWTs after checking client fingerprint and collected entropy.
  • Proxies POST /openai/* through to the upstream with your real key attached, after verifying the JWT and rate limit.
  • Ships a TypeScript client SDK (client.PerishableOpenAI) that handles entropy collection (initEntropyCollection), session refresh, and retries.

What it does not do

  • It is not a hosted service. We do not see your traffic. There is no Perishable cloud.
  • It is not a per-user auth system. If you need "this is logged-in user 42", you still need your own auth in front of (or behind) the proxy.
  • It is not a billing meter. Cost dashboards belong elsewhere.
  • It does not claim to defeat a determined attacker with a real browser. It defeats casual scraping and key-extraction-from-binary attacks, which are the common failure modes in practice.

Who it's for

  • Teams shipping a browser, iOS, or Electron app that wants to call OpenAI / Anthropic / OpenRouter and would rather not stand up a bespoke backend just to hide a key.
  • Indie devs whose CI just rotated a key for the third time this month after a scraper found it in a JS bundle.
  • Security-conscious AI startups who want defense-in-depth between their users and their model bill.

Project status

Published on npm as perishable. Source on GitHub. Issues and PRs go there. Docs live at docs.skelfresearch.com/perishable/.

How to read this site

  • Notes — long-form writing on client-side AI key safety, short-lived tokens, and why proxies beat serverless functions for this specific job.
  • Compare — honest, dimension-by-dimension comparisons with adjacent tools. We will tell you when something else is the better fit.
  • Docs — the reference. API endpoints, config, deployment.