Practical security insights and product updates from the team building safer, simpler key management for modern APIs.
AI plugins inherit every credential in your .env file. Audit what your ChatGPT plugin can actually reach and scope credentials so a compromised plugin stays contained.
MCP servers that hold long-lived API keys are the new .env file problem. Here's how session-scoped credential brokering limits blast radius when things go wrong.
Environment variables work fine solo. They fail in production. The Phantom Token Pattern gives agents fake tokens that proxy to real credentials at runtime.
MCP is being rushed into production with no real auth story. The security community is sounding the alarm. Here's what the credential gap looks like - and how to close it before your org gets burned.
Zero trust says never trust, always verify, least privilege. Most AI agent deployments violate all three. Here's how a credential proxy closes the gap without rewriting your stack.
AI coding assistants like Cursor, Copilot, and Windsurf routinely suggest code with hardcoded secrets. Here's why it happens, what the real damage looks like, and how to stop it.
MCP skill marketplaces have the same supply chain problems as npm, except the blast radius is your AI agent's full context window. Here are 5 vulnerabilities with code fixes you can deploy today.
The OWASP MCP Top 10 lists token mismanagement as the #1 risk for AI agents. Here's how to manage API keys for MCP servers using scoped secrets, runtime injection, and zero-knowledge encryption.