A Gemini Chatbot, With the Key Locked Away
Meet Vault. He's the friendly face on a real AI assistant connected to Google's Gemini — and he's also the point of this page. The secret key the chatbot needs never reaches your browser; it stays locked on the server. Say hi and ask him something.
/api/chat
The browser only ever talks to my own server, never to Google directly. That one hop is what keeps the key out of sight.
1. What this is
A working chat assistant connected to Google's Gemini model. The point of this page isn't just the chat bubble itself — it's getting one to run on a live, public website while keeping the secret API key private. That last part is the easy thing to get wrong, so it's the part worth showing.
2. What happens when you send a message
Your message doesn't go straight to Google. It goes to a small program of mine at /api/chat, running on the server. That program adds the key, asks Gemini, and sends back only the answer. So the page you're looking at never talks to Google directly — it only ever talks to my own server.
3. Why the key stays locked away
The Gemini key lives only on the server, in Google's secret storage, and is never written into this page. That means viewing the page source or watching the browser's network tab won't reveal it — all you'd see is the request to /api/chat and the reply. If the page called Gemini directly, the key would be sitting in plain sight in the code for anyone to copy.
4. When Gemini is busy
Now and then Gemini is briefly overloaded and asks you to try again. Instead of showing an error, the server quietly waits a moment and retries a couple of times first, so a short hiccup usually never reaches you. A "busy" reply has no answer in it, so retrying one costs effectively nothing.
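The relay described in sections 2 to 4, written out as an added example; it is not this site's actual server code. The function name `handleChat`, the `MODEL_NAME` placeholder, the 4000-character cap, the retry count and delay, and the choice of HTTP 429/503 as "busy" are all assumptions made for illustration.

```javascript
// Added example, not this site's code. Assumptions: the handler is handed the
// key from server-side secret storage; 429/503 are treated as "busy".
const BUSY = new Set([429, 503]);
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
const fail = (status, error) => ({ status, body: { error } });

async function handleChat(body, opts) {
  const { apiKey, fetchImpl = fetch, model = "MODEL_NAME", retries = 2, delayMs = 500 } = opts;
  const message = typeof body?.message === "string" ? body.message.trim() : "";
  // Illustrative length cap so the relay cannot be used to send arbitrary payloads.
  if (!message || message.length > 4000) return fail(400, "message must be 1-4000 characters");

  const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent`;
  for (let attempt = 0; attempt <= retries; attempt++) {
    let res;
    try {
      res = await fetchImpl(url, {
        method: "POST",
        // The key is attached here, on the server, and nowhere else.
        headers: { "content-type": "application/json", "x-goog-api-key": apiKey },
        body: JSON.stringify({ contents: [{ parts: [{ text: message }] }] }),
      });
    } catch {
      return fail(502, "assistant unreachable");
    }
    if (BUSY.has(res.status) && attempt < retries) {
      await sleep(delayMs * 2 ** attempt); // brief pause, then ask again
      continue;
    }
    // Upstream error bodies and headers are never relayed to the browser.
    if (!res.ok) return fail(502, "assistant unavailable, please try again");
    const data = await res.json();
    const reply = data?.candidates?.[0]?.content?.parts?.[0]?.text;
    if (typeof reply !== "string") return fail(502, "assistant returned no answer");
    return { status: 200, body: { reply } }; // only the answer goes back
  }
}
```

The browser-facing response is built from scratch on every path, so the key cannot leak through a forwarded upstream header or error body.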