Some secret management belongs in your HTTP proxy
a day ago
- #API-security
- #secrets-management
- #agents
- Larger organizations centralize secrets management with services that add operational overhead and complexity, while smaller organizations face growing challenges, especially with agents.
- Agents can mishandle API keys: some refuse to act upon seeing secrets, others misuse revoked keys, highlighting the broader issue of API keys being too powerful and prone to exfiltration.
- Automated key-rotation schemes such as OAuth are often complex and inconsistently implemented, and practices like GitHub's 90-day tokens fail to adequately address either security or usability for agents.
- An HTTP proxy that injects credential headers can manage secrets effectively: keys are removed from client requests entirely, which covers most secrets and simplifies access control for both servers and agents.
- exe.dev offers Integrations to automate this process, including a GitHub App for OAuth management, eliminating manual key rotation and providing seamless access to secrets across tagged VMs.
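As an added example (not code from the original post or from exe.dev), this is the core rewrite step such a header-injecting proxy performs: the client sends an uncredentialed request, the proxy looks up the upstream host, strips any credential the client supplied, and injects the real key. Host names, header names and key values are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Proxy-side secret store: upstream host -> (header name, credential).
# Constructed placeholder values; a real proxy loads these from its own
# secret backend, never from the client's environment.
SECRETS = {
    "api.example-llm.test": ("Authorization", "Bearer sk-PLACEHOLDER-REAL-KEY"),
    "api.github.com": ("Authorization", "token ghp_PLACEHOLDER"),
}

# Client-supplied credential headers are never forwarded: they are either
# stale, leaked, or an attempt to override the proxy-managed key.
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "cookie"}


class ProxyPolicyError(Exception):
    """Request targets a host or scheme the proxy will not credential."""


@dataclass
class RewrittenRequest:
    headers: dict[str, str]
    stripped: list[str] = field(default_factory=list)  # for the audit log


def rewrite_request(method: str, url: str, headers: dict[str, str]) -> RewrittenRequest:
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Never inject a key into a cleartext request.
        raise ProxyPolicyError(f"refusing to credential non-https URL {url!r}")
    host = parts.hostname
    if host not in SECRETS:
        # Deny by default: an unmanaged host gets neither injection nor pass-through.
        raise ProxyPolicyError(f"no credential mapping for host {host!r}")

    header_name, credential = SECRETS[host]
    result = RewrittenRequest(headers={})
    for name, value in headers.items():
        if name.lower() in CREDENTIAL_HEADERS:
            result.stripped.append(name)  # record, but do not log the value
            continue
        result.headers[name] = value
    result.headers[header_name] = credential  # the agent never sees this value
    return result
```

The stripped-header list is what a defender wants in the proxy's logs: a client that keeps presenting its own Authorization header is either misconfigured or still holding a key it should not have.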