Security
KeyStackz exists for one reason: your API keys deserve better than a .env file in a Slack DM. Here is exactly how we protect them: no hand-waving, no badges we don't hold.
Encryption at rest
Every secret is encrypted with AES-256-GCM envelope encryption under a per-user key the moment it arrives. Plaintext values are never logged, never displayed after entry, and never sent to a model or chat window. What we store is ciphertext; what you pull is decrypted only for the services you've toggled on, only at pull time.
Scoped, revocable tokens
The CLI authenticates with tokens you create and name yourself. Each token is scoped to exactly the services a project needs and can be revoked instantly from your dashboard. A token's raw value is shown exactly once, at creation; we cannot show it to you again, by design.
Fail-closed pulls
If two active services define the same environment variable, keystackz pull blocks and names both services instead of silently overwriting one secret with another. Your .env.local is never quietly wrong.
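The fail-closed rule above, sketched as an added example (not KeyStackz's own code). The names merge_active, PullConflict and render_env and the sample data are hypothetical, and the sketch assumes a collision blocks the pull even when both services hold the same value.

```python
from collections import defaultdict


class PullConflict(Exception):
    """Raised when active services define the same variable; nothing is written."""

    def __init__(self, conflicts):
        self.conflicts = conflicts  # {variable: [service, ...]}
        detail = "; ".join(
            f"{var} defined by {', '.join(svcs)}"
            for var, svcs in sorted(conflicts.items())
        )
        super().__init__(f"pull blocked: {detail}")


def merge_active(services, active):
    """Merge variables from the active services, failing closed on any collision.

    services: {service_name: {VAR: value}}; active: set of toggled-on names.
    """
    owners = defaultdict(list)
    for name in sorted(active):
        for var in services[name]:
            owners[var].append(name)
    conflicts = {var: svcs for var, svcs in owners.items() if len(svcs) > 1}
    if conflicts:
        # Refuse the whole pull rather than pick a winner (assumption: even if values match).
        raise PullConflict(conflicts)
    return {var: services[svcs[0]][var] for var, svcs in owners.items()}


def render_env(merged):
    """Render KEY=value lines in stable order for a .env.local file."""
    return "".join(f"{key}={value}\n" for key, value in sorted(merged.items()))


# Constructed sample data; the values are placeholders, not real keys.
SAMPLE = {
    "stripe": {"STRIPE_KEY": "placeholder-s", "API_KEY": "placeholder-a"},
    "openai": {"OPENAI_KEY": "placeholder-b", "API_KEY": "placeholder-c"},
    "sentry": {"SENTRY_DSN": "placeholder-d"},
}

if __name__ == "__main__":
    print(render_env(merge_active(SAMPLE, {"stripe", "sentry"})), end="")
    try:
        merge_active(SAMPLE, {"stripe", "openai", "sentry"})
    except PullConflict as exc:
        print(exc)
```

Because the conflict check runs before any output is rendered, a blocked pull leaves the existing file untouched instead of writing a partial one.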
We never mint keys
KeyStackz never fetches or generates credentials from your providers. You create each key in the provider's own dashboard and paste it once; we store it encrypted. We never hold authority to create credentials in your accounts, a deliberate safety choice that caps the blast radius of any incident.