Oracle Icon

Introduction

Oracle is a developer-first companion for working with API keys and HTTP services. It does three things really well: verifies if a key is valid and what it's for, tests any HTTP endpoint with a familiar request builder, and answers questions about your API stack with an integrated AI assistant.

Designed for DevOps engineers, security teams, and product developers, Oracle helps you move faster while keeping credentials secure. No accounts. No per-request fees. No keys ever stored server-side.

Key Features

  • Three Modes In One Tool: Verify keys (Check), test APIs (Postman), and ask questions (Chat) — all from a single input.
  • Multi-Provider Validation: Native support for 29 services across AI, cloud, infrastructure, communications, and developer tooling.
  • Context-Aware Analysis: Detects mismatches between variable names (e.g. OPENAI_KEY) and the actual key vendor — preventing config drift before it hits production.
  • Granular Error Reporting: Distinguishes between Invalid (401), Forbidden (403), and Quota Exceeded (429) instead of returning a generic "failed".
  • SSRF-Hardened Postman Proxy: Outbound HTTP requests run through a sandboxed proxy with DNS rebinding protection, redirect caps, and response-size limits.
  • Smart Format Fallbacks: Identifies cross-provider key collisions (e.g. Google / Firebase / Gemini share AIza…; Stripe / Clerk both start with sk_…).
  • ⌘K Command Palette: Linear-style universal search — switch modes, navigate pages, and run actions without touching the mouse.
  • Shareable Permalinks: Encode any Postman request into a URL hash and share it. Opening the link auto-loads the editor — perfect for PR reviews and Slack threads.
  • 5-Language Code Export: One-click conversion of any request to cURL, JS/fetch, Python, Go, or HTTPie.

Check Mode

Paste any API key or an entire .env snippet. Oracle returns provider, validity, permissions where available, and a verification level (verified / format_only / unknown).

# Input (paste anything) OPENAI_API_KEY=sk-proj-abc123... # Oracle Result provider: OpenAI status: Valid (200) verificationLevel: verified keyType: project permissions: chat.completions, embeddings, images

Use Check when you want a fast, definitive answer about a credential without writing any code or curl commands.

Chat Mode

A built-in AI assistant grounded in API knowledge. Ask about provider quirks, key formats, error codes, or how to debug an integration. Powered by Google Gemini (gemini-2.5-flash for speed; gemini-2.5-pro for depth — toggle in the input).

  • Fast model — sub-second responses, ideal for quick lookups.
  • Quality model — deeper reasoning for migration plans, security reviews, and debugging.
  • Conversations stay in your browser session; nothing is persisted server-side.

Configure the model via GOOGLE_API_KEY (or GEMINI_API_KEY) in your environment.

Postman Mode

A full-featured request builder for any HTTP API — without leaving Oracle. Supports headers, query params, four authorization types (None / Bearer / Basic / API Key), JSON bodies, redirects, and timing metrics.

  • cURL import / export — paste a cURL command to instantly populate the editor.
  • Floating editor window — open the macOS-style canvas to edit headers, auth, body, and params with full keyboard support (ESC closes, click-outside to dismiss).
  • Live response card — color-coded status pill, response time, payload size, headers tab.
  • Sandboxed proxy — all outbound calls flow through /api/postman which blocks private/loopback IPs and limits responses to 1 MB.

Power Features

Three workflow accelerators that make Oracle uniquely fast to use:

⌘K Command Palette

Press ⌘K (or Ctrl+K) anywhere in the dashboard to open a Linear-style search bar. Switch modes, navigate pages, focus the input, clear the conversation, or toggle Fast/Quality model — all without touching the mouse.

  • Filter — type any word to narrow results.
  • Navigate/ to move, Enter to select, Esc to dismiss.
  • Quick actions — Switch to Chat / Check / Postman, Open Editor, Clear Conversation, Focus Input.

Shareable Request Permalinks

After running any Postman request, click Share in the response card. Oracle generates a URL with the full request encoded in the hash — paste it in Slack, GitHub PRs, or bug reports and anyone who opens it gets the editor auto-populated and ready to send.

# Example permalink https://oracle.app/dashboard#r=eyJ2IjoxLCJtIjoiR0VUIiwidS... # What's encoded: - Method (GET/POST/...) - URL + query params - Non-sensitive headers - Request body # What's stripped (security): - Authorization headers - Cookies, X-API-Key, X-Auth-Token - All auth fields (Bearer / Basic / API Key)

Code Export — Five Languages

Click Code in the response card to convert your request into ready-to-paste snippets for:

  • cURL — single-line shell command
  • JS / fetch — modern await fetch(...)
  • Pythonrequests library
  • Gonet/http with imports
  • HTTPie — terminal-friendly format

Auth headers, query params, and bodies are properly resolved into each language's idioms — no manual translation needed.

Bring Your Own Key (BYOK)

Open the command palette (⌘K) and select API Key Settings to paste your own Google Gemini API key. The key is encrypted with AES-GCM in your browser using a per-device key derived via PBKDF2 + Web Crypto. It is never sent to Oracle servers — only attached as a header to the chat request you initiate.

  • Storage: Encrypted in localStorage only on this device.
  • Transport: Sent as X-Oracle-LLM-Key header on chat calls; never logged.
  • Fallback: If you don't set a personal key, Oracle uses the server key (if configured).
  • Get a key: aistudio.google.com/apikey — free, 30 seconds.

Supported Providers (29)

The list below reflects the providers Oracle currently has dedicated validation logic for. Format-only matches still surface for unrecognized keys with a format_only verification level.

AI & LLM Services

OpenAI
Anthropic
Google Gemini
Groq
Cohere
Mistral
HuggingFace

Infrastructure & Cloud

AWS
Google Cloud
Firebase
Supabase
Heroku
Cloudinary
Upstash
Postgres / Database

DevOps & Payments

GitHub
GitLab
NPM
Stripe
Clerk
Pusher
Shodan

Communication & Utilities

Slack
SendGrid
Mailgun
MailChimp
Resend
Twilio
Telegram
Mapbox
Bitly

Context-Aware Validation

Environment variables are often copy-pasted incorrectly. Oracle reads the variable name AND the key prefix, then flags mismatches before they reach production.

# Bad Configuration Example GROQ_API_KEY="AIzaSyB..." <-- This is a Google key, not Groq! # Oracle Result: [WARNING] Detected: Google (labelled as Groq) "Key matches Google's AIza... format. Groq keys start with 'gsk_'."

Security Architecture

Oracle uses a defense-in-depth model with strict verification semantics and production-safe defaults.

  • Strict Verification Levels: Every result includes verificationLevel (verified, format_only, unknown). Format-only matches are never reported as "working".
  • SSRF Hardening: The Postman proxy resolves DNS, blocks private and loopback IP ranges, caps redirects at 5, and limits responses to 1 MB.
  • Optional Payload Encryption: When NEXT_PUBLIC_ENCRYPTION_KEY is set, request and response bodies are encrypted in transit between the browser and Oracle's API routes.
  • Privacy-Safe Leak Handling: Oracle never sends raw keys to third-party code-search providers.
  • Local History Off By Default: Postman request history is opt-in. When enabled, Authorization headers and auth fields are redacted before being saved to localStorage.
  • Zero Server-Side Persistence: Oracle has no credential database. Verification happens in-memory per request.

Legal & Terms of Service

1. Disclaimer of Warranty

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

2. Limitation of Liability

You expressly understand and agree that Oracle shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses resulting from the use or the inability to use the service.

3. Zero Retention Policy

Oracle is designed to avoid server-side credential persistence. Verification requests are processed in-memory and are not written to any Oracle database.

Optional payload encryption is supported when configured, and HTTPS transport is required in production. Local client-side history is user-controlled and redacted by default behavior.

4. User Responsibility

You are solely responsible for the security of your API keys. We recommend rotating any keys that you believe may have been compromised, regardless of Oracle's verification results.