API key leakage prevention

Make proxy credentials narrow, revocable, and difficult to reuse

ThrottleProxy keys are created after verified-user and workspace permission checks, displayed once, stored as hashes, looked up exactly, and removed from outbound requests. Application secret storage and incident response still remain your responsibility.

Hash stored · One-time display · Revocable

Practical boundaries

Reduce the places where a reusable credential can escape

Verify before creation

Require an authenticated, email-verified user with workspace key-management permission.

Display once

Return the raw value only at creation so it can move directly into approved secret storage.

Store a hash

Persist and cache deterministic hashes rather than the reusable raw key.

Look up exactly

Authenticate with one SHA-256 operation and one exact Redis lookup instead of scanning keys.

Strip before upstream

Remove proxy Authorization, x-api-key, cookies, and ThrottleProxy headers from outbound traffic.

Revoke and invalidate

Deactivate workspace keys and remove their exact cached configuration.
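The six boundaries above, carried through as one added Python sketch (this is illustrative code, not ThrottleProxy's own implementation): it assumes in-memory dicts standing in for the persisted key table and the Redis cache, a hypothetical `tp_` key prefix, a hypothetical `x-throttleproxy-` header prefix for the product's own headers, and a simple actor record for the verified-user and workspace-permission checks.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stores. KEY_DB stands in for the persisted key table and
# KEY_CACHE for Redis; both are keyed by the SHA-256 hex digest of the raw key,
# so neither ever holds the reusable credential itself.
KEY_DB: dict[str, dict] = {}
KEY_CACHE: dict[str, dict] = {}
KEY_ID_TO_HASH: dict[str, str] = {}   # operator-facing id -> hash, for revocation

# Headers that must never reach the upstream provider: proxy Authorization,
# x-api-key, cookies, and the proxy's own headers. The prefix is an assumption.
STRIPPED_HEADERS = {"authorization", "x-api-key", "cookie"}
STRIPPED_PREFIX = "x-throttleproxy-"


def key_hash(raw_key: str) -> str:
    """Deterministic SHA-256 digest: the only representation that is stored or cached."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def can_create_key(workspace_id: str, actor: dict) -> bool:
    """Verify before creation: authenticated, email-verified, and key-management permission."""
    return bool(actor.get("email_verified")) and workspace_id in actor.get(
        "key_management_workspaces", ()
    )


def create_key(workspace_id: str, actor: dict) -> tuple[str, str]:
    """Create a key and return (key_id, raw_key). The raw value is shown once and not retained."""
    if not can_create_key(workspace_id, actor):
        raise PermissionError("actor may not create keys for this workspace")
    raw = "tp_" + secrets.token_urlsafe(32)          # hypothetical key format
    key_id = secrets.token_hex(4)                    # short id an operator can refer to
    digest = key_hash(raw)
    KEY_DB[digest] = {"key_id": key_id, "workspace": workspace_id, "active": True}
    KEY_ID_TO_HASH[key_id] = digest
    return key_id, raw                               # caller moves raw into secret storage


def authenticate(raw_key: str) -> Optional[str]:
    """Look up exactly: one SHA-256 plus one exact lookup, no scanning. Returns workspace or None."""
    digest = key_hash(raw_key)
    record = KEY_CACHE.get(digest)
    if record is None:
        record = KEY_DB.get(digest)
        if record is None or not record["active"]:
            return None
        KEY_CACHE[digest] = record                   # cache the config under its hash
    return record["workspace"]


def revoke_key(key_id: str) -> bool:
    """Revoke and invalidate: deactivate the key and drop its exact cached configuration."""
    digest = KEY_ID_TO_HASH.get(key_id)
    if digest is None:
        return False
    KEY_DB[digest]["active"] = False
    KEY_CACHE.pop(digest, None)
    return True


def strip_proxy_headers(headers: dict[str, str]) -> dict[str, str]:
    """Strip before upstream: return only the headers that may be forwarded to the provider."""
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in STRIPPED_HEADERS
        and not name.lower().startswith(STRIPPED_PREFIX)
    }


if __name__ == "__main__":
    actor = {"email_verified": True, "key_management_workspaces": {"ws-1"}}
    key_id, raw = create_key("ws-1", actor)          # raw is displayed here only
    print("authenticated workspace:", authenticate(raw))
    print("forwarded headers:", strip_proxy_headers({
        "Authorization": "Bearer " + raw,
        "X-Api-Key": raw,
        "Cookie": "session=abc",
        "X-ThrottleProxy-Workspace": "ws-1",
        "Content-Type": "application/json",
    }))
    print("revoked:", revoke_key(key_id), "| still valid:", authenticate(raw))
```

The authentication path does exactly what the page describes: hash once, look the digest up exactly in the cache and fall back to the persisted table, so a compromised store yields digests rather than reusable keys, and revocation removes the cached entry so a deactivated key cannot keep authenticating from cache.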

Good fit

  • Teams that can place the one-time key in a reviewed secret manager.
  • Workspaces that need role-gated creation and revocation.
  • Applications that keep proxy and provider credentials separate.

Not a replacement for

  • Application secret storage.
  • Recovery of a raw key after its one-time display.
  • Automatic provider credential rotation or vaulting.

Common questions

Can ThrottleProxy show an existing raw key again?

No. The reusable value is displayed once; stored and cached representations use its hash.

Is a proxy key sent to the provider?

No. Proxy credentials and cookies are stripped before the upstream request.

What should happen after suspected exposure?

Deactivate the key, update the application secret through an approved channel, and review sanitized lifecycle context without pasting the old value.

Start with one narrow integration

Use one workspace key, one exact public host, and non-sensitive test traffic.
