Terms of Service
Effective Date: February 10, 2026
1. Introduction and Acceptance of Terms
Welcome to Deli. These Terms of Service (“Terms”) govern your access to and use of the Deli platform, including the developer portal at withdeli.com, the API services at api.withdeli.com, the Deli command-line interface (withdeli-cli), the Deli TypeScript SDK (@deli/sdk), and all related services, tools, and documentation (collectively, the “Service”).
Deli is operated by Deli (“Company,” “we,” “us,” or “our”). By creating an account, accessing, or using any part of the Service, you (“you” or “your”) agree to be bound by these Terms. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to these Terms.
If you do not agree to these Terms, do not use the Service.
We may update these Terms from time to time. We will notify you of material changes by posting the updated Terms on the Service and updating the “Effective Date” above. Your continued use of the Service after changes take effect constitutes acceptance of the revised Terms.
2. Definitions
Throughout these Terms, the following definitions apply:
- “Developer” means any individual or entity that registers a developer account on the Deli platform to create and manage OAuth applications, configure API services, and access the developer portal.
- “End User” or “User” means any individual who creates a user account on Deli, stores API keys in their encrypted vault, and grants or revokes authorization to Developer applications.
- “Agent” means any software application, AI agent, or automated system that authenticates via client credentials and makes proxied API calls through the Deli infrastructure on behalf of Users.
- “OAuth Application” or “App” means a software application registered by a Developer through the Deli developer portal that uses the Deli OAuth 2.0 authorization framework to access User-authorized API services.
- “API Key” means a credential issued by a Third-Party Service that Users store in their Deli encrypted vault and authorize Developers to use through the proxy infrastructure.
- “Proxy Service” means Deli’s core infrastructure that securely forwards API requests to Third-Party Services (including OpenAI, Anthropic, Stripe, and GitHub) without exposing the underlying API keys to Developers or Agents.
- “Third-Party Service” means any external API provider whose services are accessible through the Deli proxy, including but not limited to OpenAI, Anthropic, Stripe, and GitHub.
- “x402 Payment” means the optional per-call cryptocurrency-based payment mechanism built into the Deli platform for micro-transaction billing of proxied API calls.
3. Account Registration and Eligibility
3.1 Eligibility
You must be at least 18 years old and have the legal capacity to enter into a binding agreement in your jurisdiction. If you are using the Service on behalf of a company or other legal entity, you represent that you have the authority to bind such entity.
3.2 Account Types
Deli supports two account types:
- Developer Accounts: Registered through the developer portal at /auth/register. Developers manage OAuth applications, configure API services, create Agents, and access analytics. Authentication is handled via session-based login.
- User Accounts: Registered through the user portal at /user/register. Users store API keys in their encrypted vault, review authorized applications, manage their activity, and control authorization grants. Authentication is handled via session-based login.
3.3 Account Security
You are responsible for maintaining the confidentiality of your account credentials, including your password, client IDs, client secrets, and any tokens issued to you. You must immediately notify us at kieran@kierans.net if you become aware of any unauthorized use of your account. We are not liable for losses arising from unauthorized use of your credentials.
3.4 Accurate Information
You agree to provide accurate, current, and complete information during registration and to keep your account information up to date.
4. Description of the Service
4.1 Platform Overview
Deli provides delegated API authentication infrastructure that enables Developers to securely proxy API requests to Third-Party Services without exposing Users’ API keys. The platform implements OAuth 2.0 with PKCE enforcement for authorization, AES-256-GCM encryption for API key storage, and a secure proxy layer for request forwarding.
4.2 Core Components
The Service consists of the following components:
- OAuth 2.0 Authorization Server: RFC 6749-compliant authorization server with PKCE enforcement (RFC 7636), supporting authorization code flow, token exchange, token refresh, and token revocation (RFC 7009).
- API Proxy Service: Secure request forwarding to supported Third-Party Services with real-time API key decryption, request/response logging, and usage tracking.
- Developer Portal: Web-based dashboard at withdeli.com for managing OAuth applications, configuring services, viewing analytics, and managing Agent credentials.
- User Portal: Web-based interface for storing API keys, reviewing authorized applications, monitoring activity, and managing authorization grants.
- CLI Tool (withdeli-cli): Command-line interface distributed via npm for agent-based authentication, direct API calls through the proxy, and local configuration management.
- TypeScript SDK (@deli/sdk): Client library with OAuth 2.0 PKCE support, service-specific helpers, and framework integrations for Express.js and Next.js.
4.3 Supported Third-Party Services
The Proxy Service currently supports forwarding requests to OpenAI, Anthropic, Stripe, and GitHub APIs. We may add or remove supported services at our discretion with reasonable notice.
4.4 Service Availability
We strive to maintain high availability of the Service but do not guarantee uninterrupted access. The Service may be temporarily unavailable due to maintenance, updates, infrastructure issues, or circumstances beyond our control. We will make reasonable efforts to provide advance notice of planned maintenance.
5. Developer Terms and Responsibilities
5.1 Application Registration
Developers may register OAuth applications through the developer portal. Each application is assigned a unique client ID and client secret. You are solely responsible for the security of your client credentials and must not share them publicly or embed them in client-side code.
5.2 Agent Management
Developers may create Agents that authenticate via the client_credentials grant type and make proxied API calls. Developers are responsible for all activity conducted by their Agents, including API usage, data handling, and compliance with Third-Party Service terms.
5.3 API Key Security Obligations
While Deli encrypts API keys at rest using AES-256-GCM, Developers must:
- Never attempt to extract, intercept, or reverse-engineer Users’ API keys from proxy requests or responses.
- Implement reasonable security measures in their own applications to protect tokens and credentials issued by Deli.
- Not store, log, or cache any data that could be used to reconstruct a User’s API key.
- Immediately report any suspected security breach to Deli.
5.4 User Authorization
Developers must obtain explicit User authorization through the Deli OAuth flow before accessing any User’s API services. Developers must respect User revocation of authorization and immediately cease using the affected services upon revocation.
5.5 Webhook Security
If Developers configure webhook endpoints, they must validate incoming webhook signatures using HMAC-SHA-256 verification. Developers are responsible for the security of their webhook endpoints and must use HTTPS URLs in production environments.
5.6 Third-Party Service Compliance
Developers are independently responsible for complying with the terms of service, acceptable use policies, and usage guidelines of any Third-Party Service accessed through the Deli proxy. Deli does not assume any obligation to monitor or enforce third-party terms on your behalf.
6. User Terms and Responsibilities
6.1 API Key Storage
Users may store API keys for supported Third-Party Services in their Deli encrypted vault. API keys are encrypted using AES-256-GCM with a unique initialization vector per key and are decrypted only at the moment a proxied request is made. Users are responsible for the validity and authorized use of the API keys they store.
6.2 Authorization Grants
When you authorize a Developer’s application, you grant that application permission to make API calls to the specified Third-Party Services on your behalf using your stored API keys. You can review and revoke any authorization at any time through the User portal at /user/authorizations.
6.3 Revocation Rights
You have the right to revoke any authorization grant at any time. Revocation takes effect immediately and cascades to invalidate all associated access tokens and refresh tokens. Developers will no longer be able to make proxied API calls on your behalf once authorization is revoked.
6.4 API Key Ownership
You retain full ownership and responsibility for your API keys. Deli acts solely as a secure storage and proxy intermediary. Any charges incurred on your Third-Party Service accounts through proxied API calls are your responsibility, whether or not such calls were authorized by you.
6.5 Account Activity
You can monitor all API calls made on your behalf through the User activity dashboard. You are responsible for reviewing your activity regularly and reporting any unauthorized usage to Deli promptly.
7. Acceptable Use Policy
7.1 General Conduct
You agree not to use the Service in any manner that:
- Violates any applicable law, regulation, or third-party rights.
- Infringes intellectual property rights of any party.
- Transmits malware, viruses, or any code designed to harm systems or data.
- Attempts to gain unauthorized access to any part of the Service, other users’ accounts, or Deli’s infrastructure.
- Interferes with or disrupts the Service or servers and networks connected to the Service.
- Uses the Service for any form of spam, phishing, or social engineering.
7.2 Rate Limits
The Service enforces rate limits to ensure fair usage and platform stability. Current rate limits include:
- Authentication endpoints: 10 requests per 15 minutes.
- General API endpoints: 100 requests per 15 minutes.
- Proxy endpoints: 60 requests per minute.
- Token endpoints: 20 requests per 15 minutes.
We reserve the right to adjust rate limits at any time. Systematically exceeding rate limits or attempting to circumvent them may result in temporary or permanent suspension of your account.
7.3 Prohibited Uses
You may not use the Service to:
- Build competing API key management or proxy services using Deli’s infrastructure.
- Resell, redistribute, or sublicense access to the Proxy Service without written authorization from Deli.
- Use automated means to create accounts, generate excessive API traffic, or abuse the Service.
- Attempt to decrypt, intercept, or access API keys belonging to other users.
- Use the Service in any way that violates the terms of the Third-Party Services being proxied.
8. Data Processing, Privacy, and Security
8.1 Data We Collect
In the course of providing the Service, we collect and process the following categories of data:
- Account Information: Email addresses, hashed passwords (bcrypt, cost factor 10), and account preferences for both Developer and User accounts.
- API Keys: Encrypted at rest using AES-256-GCM with a unique random initialization vector per key. Authentication tags verify data integrity. Keys are decrypted only in memory during proxy request forwarding.
- OAuth Tokens: Authorization codes (10-minute expiration), access tokens (1-hour expiration), and refresh tokens (30-day expiration), all stored in the database with appropriate expiration enforcement.
- Audit Logs: Complete request/response logs for proxied API calls, including timing data, response codes, and error information. Retained for 30 days.
- Usage Records: Request counts, response times, and error rates per application and service.
- Session Data: Browser session information managed through express-session with secure configuration.
8.2 How We Use Your Data
We use the data we collect to operate and maintain the Service, provide analytics dashboards, monitor and enforce rate limits, detect fraudulent activity, communicate with you about your account, and improve the Service.
8.3 Security Measures
We implement the following security measures to protect your data:
- Encryption: AES-256-GCM for API keys at rest, bcrypt for password hashing, HTTPS for all data in transit.
- Authentication: OAuth 2.0 with mandatory PKCE (S256 code challenge), session-based developer authentication, and token-based API access with per-request validation.
- Infrastructure: Helmet security headers, CORS whitelisting, CSRF origin validation, PII redaction in logs, and tiered rate limiting.
- Monitoring: Sentry integration for real-time error tracking and performance monitoring.
8.4 Data Retention
- Account Data: Retained for the lifetime of your account and deleted upon account termination.
- Audit Logs: Retained for 30 days, then automatically purged.
- OAuth Tokens: Automatically expire per their respective lifetimes (auth codes: 10 min; access tokens: 1 hour; refresh tokens: 30 days).
- Authorization Grants: Persistent until the User revokes them or either party’s account is terminated.
8.5 Data Sharing
We do not sell your personal data. We may share data when forwarding proxied requests to Third-Party Services, when required by law, or in the event of a security incident.
8.6 GDPR and International Users
If you are located in the EEA, the UK, or another jurisdiction with data protection laws, you may have additional rights, including the right to access, correct, delete, or port your personal data. Contact us at kieran@kierans.net to exercise these rights. We will respond within 30 days.
9. Intellectual Property
9.1 Deli’s Intellectual Property
The Service, including the developer portal, API infrastructure, SDK, CLI tool, documentation, and all associated code, design, and content, is owned by Deli and protected by copyright, trademark, and other intellectual property laws.
9.2 SDK and CLI License
The Deli TypeScript SDK (@deli/sdk) and CLI tool (withdeli-cli) are distributed under open-source licenses as specified in their respective package repositories. Your use of these tools is subject to both these Terms and the applicable open-source license.
9.3 Your Content
You retain ownership of all content, data, and API keys you provide to the Service. By using the Service, you grant Deli a limited, non-exclusive license to process your data solely as necessary to provide the Service.
9.4 Feedback
If you provide feedback, suggestions, or ideas about the Service, you grant Deli a non-exclusive, royalty-free, perpetual, irrevocable license to use, modify, and incorporate that feedback into the Service without obligation to you.
10. Payment Terms
10.1 Current Pricing
Deli currently operates under a developer-pays model. Specific pricing terms will be communicated through the developer portal and may include usage-based billing tiers. We will provide at least 30 days’ notice before introducing new fees or changing existing pricing.
10.2 x402 Cryptocurrency Payments
The Service includes built-in support for per-call cryptocurrency payments via the x402 payment protocol. This feature is currently disabled but may be activated in the future. When enabled:
- Payments will be processed on supported blockchain networks (currently Ethereum-based).
- Payment amounts will be determined per API call based on the target service and request parameters.
- You are responsible for maintaining sufficient funds in your connected wallet.
- Cryptocurrency transactions are irreversible. Deli is not responsible for transactions sent to incorrect addresses or on incorrect networks.
- You are solely responsible for any tax obligations arising from cryptocurrency transactions.
10.3 Third-Party Service Costs
Deli does not cover the costs incurred on your Third-Party Service accounts. Any API usage charges from OpenAI, Anthropic, Stripe, GitHub, or other Third-Party Services accessed through the Deli proxy are your sole responsibility.
11. Disclaimers and Limitations of Liability
11.1 “As Is” Service
THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. We disclaim all warranties, including implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising from course of dealing or usage of trade.
11.2 Third-Party Service Disclaimer
Deli acts as a proxy intermediary and does not control or guarantee the availability, accuracy, reliability, or performance of Third-Party Services. We are not responsible for downtime, errors, changes to APIs or pricing, data loss, or rate limiting imposed by Third-Party Services.
11.3 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, DELI SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, DATA, USE, OR GOODWILL, ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE SERVICE.
OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS YOU PAID TO DELI IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS ($100).
11.4 Security Disclaimer
While we implement industry-standard security measures including AES-256-GCM encryption and PKCE-enforced OAuth, no system is perfectly secure. We do not guarantee that the Service will be free from security vulnerabilities, and we are not liable for damages arising from a security breach except to the extent caused by our gross negligence or willful misconduct.
12. Indemnification
You agree to indemnify, defend, and hold harmless Deli and its officers, directors, employees, agents, and affiliates from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys’ fees) arising out of or in connection with:
- Your use of the Service or violation of these Terms.
- Your violation of any third-party rights, including Third-Party Service terms.
- Any API calls made through the Proxy Service using your credentials or authorizations.
- Any application or Agent you develop using the Service.
- Your failure to maintain adequate security of your credentials, API keys, or webhook endpoints.
- Any content or data you process through the Service.
13. Termination
13.1 Termination by You
You may terminate your account at any time through the account settings page. Termination will result in immediate revocation of all active authorization grants, invalidation of all associated OAuth tokens, deletion of your stored API keys from our encrypted vault, and deletion of your account data, subject to any legal retention requirements.
13.2 Termination by Deli
We may suspend or terminate your account at any time if you breach these Terms, your use poses a security risk, we are required to do so by law, or we discontinue the Service. Where practicable, we will provide advance notice and an opportunity to export your data before termination.
13.3 Effect of Termination
Upon termination, all rights granted to you under these Terms will immediately cease. Sections 8 (Data Processing), 9 (Intellectual Property), 11 (Disclaimers), 12 (Indemnification), and 14 (Dispute Resolution) will survive termination.
13.4 Data Export
Prior to account termination, you may export your data through the available API endpoints or by contacting us at kieran@kierans.net. We will provide reasonable assistance with data export for a period of 30 days following termination notice.
14. Dispute Resolution
14.1 Governing Law
These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to conflict of law principles.
14.2 Informal Resolution
Before initiating any formal dispute resolution proceeding, you agree to first contact us at kieran@kierans.net and attempt to resolve the dispute informally for a period of at least 30 days.
14.3 Arbitration
If informal resolution is unsuccessful, any dispute arising out of or relating to these Terms shall be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration shall take place in the State of Delaware.
14.4 Class Action Waiver
YOU AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION.
14.5 Exceptions
Nothing in this section prevents either party from seeking injunctive or other equitable relief in court for matters relating to intellectual property rights or data security.
15. General Provisions
15.1 Entire Agreement
These Terms, together with any Privacy Policy and any service-specific agreements referenced herein, constitute the entire agreement between you and Deli regarding the Service.
15.2 Severability
If any provision of these Terms is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.
15.3 No Waiver
Our failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.
15.4 Assignment
You may not assign or transfer these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets.
15.5 Force Majeure
Deli shall not be liable for any delay or failure to perform resulting from causes outside its reasonable control, including natural disasters, war, terrorism, pandemics, labor disputes, power failures, internet disturbances, or actions of governmental authorities.
15.6 Notices
Notices to Deli should be sent to kieran@kierans.net. We may send notices to you at the email address associated with your account.
16. Contact Information
If you have any questions about these Terms or the Service, please contact us:
Deli
Email: kieran@kierans.net
Website: https://withdeli.com
API: https://api.withdeli.com