How to Keep API Keys Out of an AI Coding Agent
A practical guide to preventing API keys from leaking into Claude Code, Cursor, and Cline — covering common failure modes, vault patterns, and incident response.
From the vault
Credential leaks, MCP security, zero-knowledge architecture — written for engineers building with AI coding agents.
macOS Keychain keeps secrets encrypted at rest. The moment you use the security CLI to pull them into your shell — and Claude Code is running — you've already lost.
HashiCorp Vault, Kubernetes secrets, Doppler, Infisical, systemd — none of them were designed for a world where the process requesting credentials is an AI agent that can read its own environment.
Anthropic accidentally shipped 60MB of Claude Code's unobfuscated source code in an npm package. Here's what security researchers found inside — and what it means for how you think about AI agent credentials.
Cloudflare Workers secrets are designed for production deployment, not local development. Here's what they protect, what they don't, and how to close the gap when using Claude Code.
The advice spreading across AI communities — 'just create a .env file and have Claude read it' — is wrong, and here's why it matters.
Claude Code can read your project files, including .env. Here's the right way to handle API keys so they never enter the model's context window.
The standard .env approach exposes your API keys to Claude's context window. Here's the correct way to store and use secrets with Claude Code.
OpaqueVault is the only MCP-native secret manager built for AI coding agents. Here's how it works, why the architecture matters, and how to set it up in five minutes.
How to manage credentials across MCP servers without exposing them to the AI. Architecture, patterns, and a reference implementation with OpaqueVault.
A zero-knowledge secret manager means the server cannot decrypt your secrets. Here's why that architecture matters — especially when AI coding agents are in the loop.
Researchers found 24,008 live API keys and credentials inside Claude Desktop MCP configuration files. Here's what went wrong and how zero-knowledge vaults change the equation.
HashiCorp confirmed HCP Vault Secrets reaches end-of-life on July 1, 2026. If you're using it today, here's what you need to know and where to move your secrets.
Claude Code, Cursor, and GitHub Copilot dramatically accelerate development — and, if misconfigured, dramatically accelerate credential exposure. Here's the structural problem and how to fix it.