keystrok_Key lifecycle instrument Sign in

The key lifecycle, instrumented.

Find exposed API keys, see which are still live, and rotate them safely. Self-host it on your own database.

Fig. 01: System overviewScan → inventory → validate → rotate, end to end
INPUT
Code + platforms
Source trees, .env, AWS, Stripe, GitHub, Grafana, …
STAGE 1SCAN-01
Scan
Exposed and forgotten keys, across code and platforms.
mode: read-only
STAGE 2INV-02
Inventory
One ledger: platform, real risk, exposure.
at rest: encrypted
STAGE 3VAL-03
Validate
Which leaked keys are still live, right now.
signal: live / revoked
STAGE 4ROT-04
Rotate
Issue → roll out → revoke, in the safe order.
order: enforced
-- solid: stored in your Keystrok database- - dashed: platforms read via the credentials you connect
Fig. 02

Module specifications

4 modules · no feature matrix
SCAN-01stable
Scan
Exposed keys and ones past their rotation date, across code and platforms.
inputcode · platforms
outputfindings list
guaranteeread-only
INV-02stable
Inventory
What keys do we have, and how exposed? Sort by platform, exposure, or risk.
inputscan findings
outputone ledger
guaranteeencrypted at rest
VAL-03stable
Validate
Which leaked keys are still live. Dead keys drop, live ones rise.
inputledger · platform
outputlive / revoked
guaranteeadvisory
ROT-04stable
Rotate
Issue, roll out, revoke, the order that never locks you out. Every step recorded.
inputone key id
outputrotated key
guaranteesafe order
Fig. 03

Credential handling

the part you should audit first
Lifecycle of a credential inside KeystrokAES-256-GCM · lib/crypto.ts
ON SAVE
Encrypted
Sealed with AES-256-GCM before it reaches the database.
AT REST
Ciphertext only
Stored as enc:v1: blobs. Never plaintext, never logged.
IN USE
Decrypted in memory
Unsealed only for a call. Connection tests are SSRF-guarded.
Fig. 04

Built to self-host

Docker + your own Postgres

Run it where your keys already live.

A Docker stack: app, Postgres, mail. Your infrastructure, your database. The only outbound calls go to the platforms you connect.

Authpasswordless, invite-only
EncryptionAES-256-GCM at rest
Self-hostDocker + your Postgres
Teamsshared workspace, roles
Telemetrynone
StackNext.js · Postgres · Prisma

Put your keys under instrumentation.

Invite-only beta. Request access and we'll send a sign-in link.

Sign in