Security: CruiseDevice/Z.ai-usage-tracker

SECURITY.md

Security Policy

API Key Handling

How API Keys Are Stored

This extension stores API keys locally on your machine using VS Code's configuration system. Keys are stored in plain text in your VS Code settings.json file.

Your API keys are NEVER:

  • Sent to any third-party servers
  • Uploaded to cloud storage by this extension
  • Logged or transmitted anywhere except directly to the LLM provider APIs

Where Your Keys Go

API keys are only sent directly to the respective LLM provider APIs:

  • Z.ai: https://api.z.ai - for fetching usage data
  • Claude/Anthropic: Direct API calls (when implemented)

Recommendations for Users

1. Use Environment Variables (Recommended)

Instead of storing API keys in VS Code settings, use environment variables:

# Z.ai
export ZAI_API_KEY="your-zai-api-key"

# Claude
export CLAUDE_SESSION_KEY="your-session-key"
export CLAUDE_ACCESS_TOKEN="your-access-token"
export ANTHROPIC_API_KEY="your-anthropic-api-key"

This is more secure because:

  • Environment variables are not persisted in VS Code settings
  • They won't be accidentally committed to version control
  • They won't sync via VS Code Settings Sync

2. Disable VS Code Settings Sync for This Extension

If you use VS Code Settings Sync, your API keys could be synced to Microsoft's cloud. To prevent this:

  1. Open VS Code Settings
  2. Search for "settings sync"
  3. Add llmUsage to the ignored settings, or disable sync for this extension

3. Never Commit settings.json

If you version control your dotfiles or VS Code configuration:

  • Ensure .vscode/settings.json is in your .gitignore
  • Never commit files containing API keys to public repositories

4. Rotate Compromised Keys

If you suspect your API keys have been exposed:

  1. Immediately revoke/regenerate them from the respective provider's dashboard
  2. Update your configuration with the new keys

Reporting Security Issues

If you discover a security vulnerability in this extension, please open an issue on GitHub or contact the maintainer directly.

Future Improvements

The following security enhancements are planned:

  • VS Code SecretStorage API integration for encrypted local storage
  • Warning prompts before storing sensitive credentials
  • Key validation without persistent storage
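As an added illustration, not code from the Z.ai-usage-tracker extension, the following TypeScript shows the lookup order that the environment-variable recommendation in section 1 and the planned SecretStorage integration above imply: read the key from the environment variables listed in section 1 first, fall back to an encrypted secret store, and never read it from settings.json. The `SecretStore` interface is a stand-in with the same get/store/delete shape as `vscode.SecretStorage` so the code runs outside the editor; the secret-storage key names (`llmUsage.<provider>.apiKey`), the `looksLikeApiKey` format check, `maskKey`, and the sample key values are assumptions made up for this example.

```typescript
// Added example, not the extension's own code: resolve an LLM provider API key
// from non-persistent or encrypted sources only, never from plain-text settings.

type Provider = "zai" | "anthropic";

// Environment-variable names are the ones the policy lists in section 1.
const ENV_VARS: Record<Provider, string> = {
  zai: "ZAI_API_KEY",
  anthropic: "ANTHROPIC_API_KEY",
};

// Minimal shape of VS Code's SecretStorage (get/store/delete). In the editor
// you would pass `context.secrets`; this interface lets the example run outside it.
interface SecretStore {
  get(key: string): Promise<string | undefined>;
  store(key: string, value: string): Promise<void>;
  delete(key: string): Promise<void>;
}

// In-memory stand-in for the runnable example (real SecretStorage is backed by
// the OS keychain, so values are encrypted at rest).
class MemorySecretStore implements SecretStore {
  private readonly map = new Map<string, string>();
  async get(key: string): Promise<string | undefined> { return this.map.get(key); }
  async store(key: string, value: string): Promise<void> { this.map.set(key, value); }
  async delete(key: string): Promise<void> { this.map.delete(key); }
}

type KeySource = "env" | "secretStorage" | "none";

interface ResolvedKey {
  key?: string;
  source: KeySource;
}

// Assumed secret-storage key naming for this example (not the extension's).
function secretName(provider: Provider): string {
  return `llmUsage.${provider}.apiKey`;
}

// Local, offline sanity check so an obvious placeholder such as
// "your-zai-api-key" is rejected before it is ever stored or sent anywhere.
// This is an assumed heuristic, not a provider-defined key format.
function looksLikeApiKey(value: string | undefined): value is string {
  if (!value) return false;
  const v = value.trim();
  if (v.length < 16 || /\s/.test(v)) return false;
  if (/^(your|replace|xxx|<)/i.test(v)) return false;
  return true;
}

// Lookup order: process environment (never persisted by the editor) first,
// then SecretStorage (encrypted). settings.json is deliberately not consulted.
async function resolveApiKey(
  provider: Provider,
  env: Record<string, string | undefined>,
  secrets: SecretStore,
): Promise<ResolvedKey> {
  const fromEnv = env[ENV_VARS[provider]];
  if (looksLikeApiKey(fromEnv)) return { key: fromEnv, source: "env" };

  const fromSecrets = await secrets.get(secretName(provider));
  if (looksLikeApiKey(fromSecrets)) return { key: fromSecrets, source: "secretStorage" };

  return { source: "none" };
}

// Store a key only after the format check passes; reject placeholders.
async function storeApiKey(provider: Provider, value: string, secrets: SecretStore): Promise<boolean> {
  if (!looksLikeApiKey(value)) return false;
  await secrets.store(secretName(provider), value.trim());
  return true;
}

// Redacted form that is safe to show in a status bar or log line.
function maskKey(key: string): string {
  return key.length <= 8 ? "****" : "****" + key.slice(-4);
}
```

In a real extension `env` would be `process.env` and `secrets` would be `context.secrets` from the `activate` callback; note that the editor only sees environment variables present in the process it was launched from, so a variable exported in an interactive shell profile is not necessarily visible to a VS Code started from a desktop launcher.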
