惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
H
Hacker News: Front Page
N
News and Events Feed by Topic
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
K
Kaspersky official blog
Forbes - Security
Forbes - Security
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
H
Heimdal Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
T
Tenable Blog
T
Tailwind CSS Blog
P
Privacy International News Feed
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
博客园 - Franky
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
Vercel News
Vercel News
A
About on SuperTechFans
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
The Last Watchdog
The Last Watchdog
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 司徒正美
量子位
博客园 - 三生石上(FineUI控件)
J
Java Code Geeks
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Martin Fowler
Martin Fowler
Project Zero
Project Zero

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Where Are You Storing Your API Keys? (And Why Slack Isn't It)
Muaz · 2026-06-19 · via DEV Community

Be honest for a second.

Where are your API keys right now?

Not the answer you'd write in a security audit. The real answer.

  • Pinned message in your team's #dev-private Slack channel?
  • A .env file someone scp'd from a colleague's laptop last summer?
  • That one Notion page titled "secrets — don't share"?
  • A shared 1Password vault that hasn't been audited since 2023?
  • An email thread from when the newest hire was onboarded?

If even one of those gave you a tiny twinge of "yeah… that's where mine are," keep reading. There's a pattern across dev teams that's worth naming, and there are tools that fix it without costing you a year of engineering or a four-figure annual bill.

The 30-second pattern almost every startup hits

Talk to any startup CTO who's onboarded more than five engineers and the story is the same.

A lead dev quits. No drama, they just leave. And suddenly:

  • Half the team's API keys lived in that person's head
  • The other half are spread across DMs and .env files on four laptops
  • Nobody knows which OpenAI key is charging which project
  • Someone shipped a feature using a Stripe test key by accident because they copied the wrong line from a screenshot

Cue four days of auditing keys, rotating secrets, and quietly hoping nothing leaks before rotation completes.

The fix is obvious in hindsight. Treat API keys like the production assets they are. Don't share them in chat. Don't email them. Don't put them in a Notion page.

But here's the question nobody answers honestly: where, then?

How bad is "keys in random places" actually?

Two stats are enough.

  • 31% of breaches over the past decade involved stolen credentials — Verizon 2024 Data Breach Investigations Report
  • 23+ million secrets exposed in public GitHub commits in 2023 alone — GitGuardian's State of Secrets Sprawl

The pattern: it's almost never a James Bond villain. It's a .env file accidentally committed to a public repo. A Slack export shared with a contractor. A laptop left on a train. A junior dev who pushed a hotfix in a panic and forgot to add .env to .gitignore.

The tools to prevent this all exist. They've existed for a decade. So why do most teams still have keys in Slack?

Because the existing tools are either expensive, overengineered, or both.

The honest landscape, ranked by what dev teams actually feel

Let's walk through the real options. No marketing fluff.

1. HashiCorp Vault

The "real" answer that everyone respects and nobody on a 5-person team actually deploys.

Reality
Price "Free" OSS, but you self-host. Add EC2, maintenance, on-call.
Setup time Hours to days. Then more days to learn the policy language.
Team UI Minimal. Mostly CLI + HCL policies.
Who it's for Enterprises with a dedicated security team.

Vault is genuinely a great tool, but it's a tool for operations people who do nothing but security. Not for a frontend dev who just needs to share the staging Stripe key with the new backend hire.

2. AWS Secrets Manager

$0.40 per secret per month. Plus API calls.

Let that sink in.

Fifty keys across dev / staging / prod for a dozen services — and let's be honest, you have at least that many — is $240/year minimum, before request charges. You're also welded to AWS. If your team is on Vercel, Fly, Render, or Cloudflare Workers, congratulations: you're calling a cross-cloud API every time you need to read your own credentials.

And the UI? IAM policies. Eight pages of documentation to grant one engineer read access to one secret. Bring snacks.

3. 1Password / Bitwarden Teams

Honestly, decent. Real encryption, real teams, real UX.

But they're built for passwords, not API keys. There's no first-class concept of "this is the staging Stripe secret for the payments project." It's folders, items, custom fields. You can make it work. People do. It feels like using a hammer to drive a screw — it sort of goes in, but you can tell something's wrong.

Also: $7–$9 per user per month. A 10-person team is $70–$90/month. That's $840–$1,080 a year, every year, forever, for a tool that wasn't designed for the job.

4. The default: Slack, email, .env files

  • Zero cost
  • Zero encryption at rest
  • Zero access control — if Bob can see the channel, Bob can see every key forever, even after he leaves
  • Zero audit trail. "Who used that key last and when?" "Uh."

Pretty much the highest-risk path on this list, and the most popular one in the wild. Be honest: this is what your team is using.

What "good" actually looks like (in plain English)

If you sat down and wrote out what a sane API-key sharing tool should do, the list looks something like this:

  1. Encrypt at rest. Not "we use TLS." TLS is for the network. The actual blob in the database is ciphertext, and the encryption key isn't in the same place as the data.
  2. Per-project, per-environment organization. "Payments-staging" and "Payments-production" are two different things. Stop treating them the same.
  3. Role-based access. Read, write, admin. The intern needs read on one project, not the keys to the kingdom.
  4. Read-only members should not see plaintext. Underrated. If you give someone "read" access, the value should be ••••••••••••. They can see the key exists. They can't copy it. The server doesn't even send the real value.
  5. An audit log. Who looked at what, when. No exceptions. This is what saves you when someone leaks a key — you can prove rotation and trace blast radius.
  6. Team invitations that can't be hijacked. If you send "you've been added to the team" via email, and someone forwards that email, the recipient should NOT auto-join the org. Most invitation systems get this wrong.
  7. Cheap or free for small teams. A 4-person startup should not be paying $300/year to not put keys in Slack.

Almost no commercial tool ticks all seven.

The tool that's getting traction in 2026: KeyVault

A free option that's been showing up in dev forums lately is KeyVault (apisharing.vercel.app). Worth a closer look because it's the first thing in this category that's actually built for small teams.

What it does, in one paragraph

You sign up and you're the boss of a fresh organization (it creates one automatically). You make a project "payments-production." You add an API key to it. It's encrypted with Fernet (AES-128-CBC + HMAC-SHA256). You invite a teammate by email. You give them read, write, or admin access per project. Read-only members see masked values. Every action is logged.

That's the product. No HCL, no IAM, no $0.40 per secret per month, no "talk to sales."

The boring details that matter (and that competitors get wrong)

A few things to highlight because they're rare in this space:

  • Read-only really means read-only. The masking happens on the server, not in the browser. If you give a teammate read access, the API response sends •••••••••••• with a masked: true flag. The actual ciphertext never leaves the database for that role. You can't right-click → Inspect → see the secret.
  • Invitation links can't be replayed against existing accounts. If your email already has a KeyVault account, accepting an invitation requires you to be signed in with that email first. The token alone doesn't grant access. (Many invitation systems are exploitable here.)
  • Tenant isolation enforced in SQL, not in app code. Every query has AND organization_id = %s baked in. A bug in a route handler can't accidentally leak another org's data the SQL itself refuses to return rows.
  • Login is constant-time. A dummy bcrypt comparison runs even when the email doesn't exist, so an attacker can't probe "is this email registered?" by timing the response.
  • Lockout is per (email, source-IP). Lock by email alone and any attacker can pre-lock arbitrary accounts as a denial-of-service. Per-IP keeps the legit user working from their own network.

A full technical breakdown lives at apisharing.vercel.app/llms-full.txt. It doubles as a public transparency report on how the system is built.

Pricing, plain

  • Free: 1 project. Unlimited keys, unlimited team members, all the security features. Forever. No card required.
  • Pro — $10/month for the whole org. Unlimited projects. That's the only difference.

Compare to AWS Secrets Manager at ~$240/year for the same number of secrets. KeyVault Pro is $120/year flat, for the entire team. The free tier is enough for a side project or a 2-person team that just wants to stop sharing the OpenAI key in Slack.

"Can I trust some new tool with my keys?"

Fair question. The honest answers:

  1. Don't trust anyone blindly. Look at what they do, not what they say. The Fernet scheme is published. The masking behavior described above is testable make a read member and watch the API response. The audit log is queryable. The tenant isolation is in the SQL.
  2. The encryption key isn't theirs. In production, KeyVault refuses to start without an explicit ENCRYPTION_KEY environment variable. The server-side admin can't dump plaintext keys without it.
  3. The tradeoff is honest. Self-host Vault if there's time and a team for it. Use AWS Secrets Manager if the whole stack is AWS and budget isn't a factor. Use KeyVault if the team is small, tired of Slack, and doesn't want to spend a quarter setting up Vault.

The only thing worse than overpaying for security is not having it at all.

TL;DR — pick your fit

Team Size Best Fit Why
Solo / 2-person side project KeyVault free tier Encrypted, free, 30-second setup
2–10 person startup KeyVault Pro ($10/mo flat) Unlimited projects, beats $240+/yr on AWS Secrets Manager
10–50 person team on AWS AWS Secrets Manager If budget allows and stack is fully AWS
50+ engineers with security ops HashiCorp Vault Worth the setup cost at this scale
Mixed-tool team that already has 1Password 1Password Teams Not ideal for keys, but acceptable if it's already paid for

Try the cheapest option first

The honest move: spend 30 seconds at apisharing.vercel.app/signup before committing to anything more expensive. Free tier is enough to migrate one project off Slack today. If the team grows, $10/month covers everyone forever.

The worst-case outcome is finding out it's not for you — total time invested, two minutes.

The best case: it's the last time you ever paste an API key into Slack.


Found this useful? Drop a 💜 or share it with the teammate who keeps pasting prod keys into the wrong channel.

About the Author

I am a freelance AI engineer. I build AI agents, RAG systems, and AI tools for real businesses. I have shipped more than 20 AI systems across 7 countries, and I finished every single project I started.

I am open for AI consulting, RAG work, AI agent work, and LLM app work. Most first versions are ready in 2 to 4 weeks.

If this helped you, follow me here. I share simple lessons from real AI work.