Blog · Key Management & Security

Simplifying API Key Management

Practical security insights and product updates from the team building safer, simpler key management for modern APIs.

April 4, 2026 • 5 min read • API Stronghold Team

npm postinstall Scripts Can Read Your .env. Most Projects Let Them.

The strapi-plugin-events attack used a postinstall hook to exfiltrate secrets. This vector isn't new. What's new is how often it works.

supply chain npm API keys secrets management credential security

March 31, 2026 • 9 min read • API Stronghold Team

Your Ex-Employee's API Key Is Still Deploying to Production

Offboarding in Okta stops logins. It leaves GitHub PATs, AWS IAM keys, and OAuth grants running. Here's the exact checklist to kill all of it.

security SSO offboarding API keys tokens

March 28, 2026 • 5 min read • API Stronghold Team

Your .env File Is the Attack Surface. The Telnyx Backdoor Proves It.

TeamPCP backdoored telnyx 4.87.1 and LiteLLM using the same RSA key infrastructure, targeting environment variables both times. Until you stop storing live credentials in .env, rotation is just cleanup.

supply chain PyPI API keys secrets management AI agents

March 24, 2026 • 5 min read • API Stronghold Team

Your AI Agent's API Key Will Leak. Here's the Fix.

Long-lived credentials in `.env` files aren't a best practice; they're a countdown timer. Workload identity gives agents short-lived tokens that expire before they can do damage.

AI agents API keys OIDC workload identity security

Page 1 of 1

Previous Next

Simplify secrets management

Join thousands of developers who trust API Stronghold for secure, simplified key management.

Start Free — No Credit Card Required