Keystrok: key lifecycle instrument

The key lifecycle, instrumented.

Keystrok is an instrument for the API-key lifecycle: it scans your code and connected platforms for exposed keys, holds one inventory — platform, age, and risk for every key — and walks you through rotation in the only safe order. Self-host it on your own database.

Fig. 01: System overview. Scan → inventory → rotate, end to end.

Input: code + platforms (source trees, .env, AWS, Stripe, GitHub, Grafana, …)
Stage 1, SCAN-01, Scan: finds exposed and forgotten keys across your code and platforms. Mode: read-only.
Stage 2, INV-02, Inventory: one ledger of key, platform, age, risk, and status. At rest: encrypted.
Stage 3, ROT-03, Rotate: issue → roll out → revoke. Guided, in the only safe order. Order: enforced.
Legend: solid lines, stored in your Keystrok database; dashed lines, platforms read via the credentials you connect.
Fig. 02: Module specifications

3 modules · no feature matrix
SCAN-01 (stable): Scan
Walks your source trees and connected platforms; flags exposed keys and ones past their rotation date.
Input: code · platforms
Output: findings list
Guarantee: read-only

INV-02 (stable): Inventory
The single answer to "what keys do we have, and how exposed are they." Sort by platform, age, or risk.
Input: scan findings
Output: one ledger
Guarantee: encrypted at rest

ROT-03 (stable): Rotate
Walks you through issue → roll out → revoke, the order that never locks you out, and records every step.
Input: one key id
Output: rotated key
Guarantee: safe order
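The "safe order" guarantee is a state machine: a key may only move issue → roll out → revoke, and revoking before the new key is confirmed in use is exactly the step that locks you out. The following is an added illustration of such a guard, not Keystrok's ROT-03 code. The phase names, the shape of the key record and the "observed in use" evidence demanded before a rollout counts as done are assumptions made here for the example.

```typescript
// Added example, not Keystrok's ROT-03: a guard that admits only the
// issue -> roll out -> revoke order and records every step taken.
// Phase names, KeyRecord shape and the "observed in use" evidence are
// assumptions for this illustration.

type Step = "issue" | "rollout" | "revoke";
type Phase = "current" | "issued" | "rolled_out" | "rotated";

interface KeyRecord {
  id: string;
  phase: Phase;
  oldSecret: string | null; // stays valid until "revoke", so nothing goes dark mid-rotation
  newSecret: string | null;
  history: { step: Step; at: string }[];
}

// The order IS the machine: each step is legal from exactly one phase, so
// "revoke" can never be reached without "issue" and "rollout" before it.
const TRANSITIONS: Record<Step, { from: Phase; to: Phase }> = {
  issue:   { from: "current",    to: "issued" },
  rollout: { from: "issued",     to: "rolled_out" },
  revoke:  { from: "rolled_out", to: "rotated" },
};

interface StepInput {
  newSecret?: string;            // required by "issue"
  newKeyObservedInUse?: boolean; // required by "rollout": a consumer has called with the new key
  now?: Date;                    // injectable clock for deterministic records
}

function newKeyRecord(id: string, secret: string): KeyRecord {
  return { id, phase: "current", oldSecret: secret, newSecret: null, history: [] };
}

// Returns a new record; the input record is never mutated, so a refused
// step leaves the ledger exactly as it was.
function applyStep(rec: KeyRecord, step: Step, input: StepInput = {}): KeyRecord {
  const t = TRANSITIONS[step];
  if (rec.phase !== t.from) {
    throw new Error(`refusing "${step}" on ${rec.id}: phase is "${rec.phase}", "${step}" needs "${t.from}"`);
  }
  const next: KeyRecord = { ...rec, history: [...rec.history], phase: t.to };
  switch (step) {
    case "issue":
      if (!input.newSecret) throw new Error("issue: generate the new secret before recording the step");
      next.newSecret = input.newSecret; // old secret untouched: both are valid from here on
      break;
    case "rollout":
      if (!input.newKeyObservedInUse) {
        throw new Error("rollout: no call observed with the new key yet; not safe to move toward revoke");
      }
      break;
    case "revoke":
      next.oldSecret = null; // safe only because every consumer was seen on newSecret
      break;
  }
  next.history.push({ step, at: (input.now ?? new Date()).toISOString() });
  return next;
}

// What the UI may offer next: exactly the steps legal from this phase.
function allowedSteps(rec: KeyRecord): Step[] {
  return (Object.keys(TRANSITIONS) as Step[]).filter((s) => TRANSITIONS[s].from === rec.phase);
}
```

The point of the shape is that the wrong order is unrepresentable rather than merely discouraged: a request to revoke a key that is still in `issued` is refused with the phase it needs, and the record it was refused against is unchanged.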
Fig. 03: Credential handling

The part you should audit first.

Lifecycle of a credential inside Keystrok (AES-256-GCM, lib/crypto.ts)
On save: encrypted. A platform key you add is sealed with AES-256-GCM before it ever reaches the database.
At rest: ciphertext only. The database stores enc:v1: blobs, never plaintext, never logged.
In use: decrypted in memory. Unsealed only at the moment of a call. Connection tests are SSRF-guarded.
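What the three stages above amount to in code is an authenticated envelope plus two guards on the write and log paths. The block below is an added example written for this page, not Keystrok's lib/crypto.ts: the page confirms AES-256-GCM and the enc:v1: prefix, but the field layout after the prefix (base64url iv, ciphertext and tag joined by colons) and the binding of each blob to its row id via GCM's additional authenticated data are assumptions made here. The page also does not say where the 32-byte master key lives; since a key stored next to the blobs would make the encryption cosmetic, that is the first thing to audit in a real deployment.

```typescript
// Added example, not Keystrok's lib/crypto.ts. Layout after "enc:v1:"
// (iv:ciphertext:tag, base64url) and the row-id AAD binding are assumptions.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const PREFIX = "enc:v1:";
const IV_BYTES = 12;  // 96-bit nonce, the GCM recommendation; fresh per seal
const TAG_BYTES = 16; // 128-bit authentication tag

// The master key is supplied by the caller (e.g. from the process environment),
// never read from the database that holds the blobs. Only its length is checked here.
function requireKey(key: Buffer): Buffer {
  if (key.length !== 32) throw new Error("master key must be exactly 32 bytes for AES-256");
  return key;
}

// "context" (assumed here to be the key's row id) goes into the AAD, so a blob
// copied into another row fails to open instead of quietly decrypting.
function seal(plaintext: string, key: Buffer, context: string): string {
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", requireKey(key), iv);
  cipher.setAAD(Buffer.from(PREFIX + context, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return PREFIX + [iv, ct, tag].map((b) => b.toString("base64url")).join(":");
}

// Structural check only; it says nothing about whether the blob will authenticate.
function isSealed(value: string): boolean {
  return value.startsWith(PREFIX) && value.slice(PREFIX.length).split(":").length === 3;
}

function open(blob: string, key: Buffer, context: string): string {
  if (!isSealed(blob)) throw new Error("refusing to open: not an enc:v1 blob");
  const [iv, ct, tag] = blob
    .slice(PREFIX.length)
    .split(":")
    .map((s) => Buffer.from(s, "base64url"));
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) throw new Error("malformed envelope");
  const decipher = createDecipheriv("aes-256-gcm", requireKey(key), iv);
  decipher.setAAD(Buffer.from(PREFIX + context, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws on any change to iv, ciphertext, tag or context: no partial plaintext leaks.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Write-path guard for "ciphertext only": a value without the prefix is an
// unsealed secret about to hit the database, so it is rejected, not stored.
function assertStorable(value: string): string {
  if (!isSealed(value)) throw new Error("plaintext credential reached the storage layer");
  return value;
}

// Log-safe rendering for "never logged": neither the plaintext nor the full
// blob (which an operator could replay against the DB) is ever emitted.
function redact(value: string): string {
  return isSealed(value) ? PREFIX + "…" : "[unsealed value withheld]";
}
```

Two properties worth checking against any implementation of this design: a single flipped bit anywhere in the blob must make `open` throw rather than return garbage, and the same blob must refuse to open under a different context, which is what stops a stored ciphertext from being swapped between rows.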
Fig. 04: Built to self-host

Docker + your own Postgres

Run it where your keys already live.

Keystrok ships as a Docker stack — app, Postgres, and mail — so you can run the whole instrument on your own infrastructure, against your own database. The only outbound calls are to the platforms you connect.

Auth: passwordless, invite-only
Encryption: AES-256-GCM at rest
Self-host: Docker + your Postgres
Telemetry: none
Stack: Next.js · Postgres · Prisma

Put your keys under instrumentation.

Keystrok is invite-only while in beta. Request access and we'll send a sign-in link.
