From prodsec-skills
Audits API key usage in production AI systems and recommends migrating to short-lived OIDC bearer tokens. Covers credential storage, gateway deployment, and deprecation planning.
Slash command
/prodsec-skills:avoid-api-keys
API keys SHOULD NOT be used in production environments. Short-lived, scoped bearer tokens issued by an identity provider are preferable.
| Issue | Impact |
|---|---|
| Long-lived | Extended exposure window if compromised |
| Difficult to rotate | Rotation requires coordination across all consumers |
| Lack fine-grained scoping | Cannot limit permissions per request or context |
| No sender binding | Any holder of the key can use it from anywhere |
| No standard revocation | No instant revocation mechanism across distributed systems |
| Poor audit trail | API keys don't carry identity claims about the caller |
Use short-lived, scoped bearer tokens from an OIDC Identity Provider:
| Property | API Key | IdP-Issued Token |
|---|---|---|
| Lifetime | Long-lived (months/years) | Short-lived (≤15 minutes) |
| Scoping | Broad or none | Per-request scopes |
| Revocation | Manual, slow | Instant via IdP + local blacklist |
| Identity | Opaque | Rich claims (sub, iss, aud, scope) |
| Rotation | Manual | Automatic via refresh tokens |
| Sender binding | None | DPoP or mTLS certificate binding |
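The token properties in the table can be enforced at a gateway as a claims policy. The following is an added example, not code from prodsec-skills: it assumes the token's signature has already been verified by a JWT library, that revocation is keyed on the standard `jti` claim, and that the issuer, audience and scope names are constructed sample values. Sender binding (DPoP or mTLS) is outside what it checks.

```python
import time

MAX_LIFETIME = 15 * 60  # seconds; the table's "Short-lived (≤15 minutes)" bound
REQUIRED = ("sub", "iss", "aud", "scope", "iat", "exp")

def check_claims(claims, *, issuer, audience, required_scope, revoked_jti, now=None):
    """Return a list of policy violations for signature-verified claims ([] = accept)."""
    now = time.time() if now is None else now
    problems = [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    if problems:
        return problems
    if not all(isinstance(claims[c], (int, float)) for c in ("iat", "exp")):
        return ["iat/exp must be numeric"]
    if claims["iss"] != issuer:
        problems.append("unexpected issuer")
    aud = claims["aud"]  # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token not issued for this audience")
    if required_scope not in str(claims["scope"]).split():
        problems.append(f"scope not granted: {required_scope}")
    if claims["exp"] <= now:
        problems.append("expired")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        problems.append("lifetime exceeds 15 minutes")
    # Local revocation list (assumption: keyed on jti). A token without a jti
    # cannot be revoked this way, so an issuer should always set one.
    if claims.get("jti") in revoked_jti:
        problems.append("revoked (local denylist)")
    return problems

# Constructed sample claims; none of these values come from a real IdP.
NOW = 1_700_000_000
GOOD = {"sub": "svc-batch", "iss": "https://idp.example", "aud": "inference-gateway",
        "scope": "models:infer models:list", "iat": NOW - 60, "exp": NOW + 840,
        "jti": "t-1"}
LONG_LIVED = dict(GOOD, exp=NOW + 90 * 86400, jti="t-2")  # API-key-like lifetime
REVOKED = dict(GOOD, jti="t-3")
NARROW = dict(GOOD, scope="models:list", jti="t-4")        # lacks models:infer

def demo(claims):
    """Apply the sample gateway policy to one claims set."""
    return check_claims(claims, issuer="https://idp.example",
                        audience="inference-gateway", required_scope="models:infer",
                        revoked_jti={"t-3"}, now=NOW)

if __name__ == "__main__":
    for name in ("GOOD", "LONG_LIVED", "REVOKED", "NARROW"):
        print(name, demo(globals()[name]) or "accepted")
```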
For systems currently using API keys:
Credentials (API keys, tokens, secrets) MUST NEVER be stored in source code. This applies to all credentials including those used to connect to third-party model endpoints. Credentials must be managed and stored securely using:
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
Rejects raw API key authentication in inference engines. Use when designing, reviewing, or auditing authentication for LLM API endpoints.
Designs API authentication with prefixed keys (e.g., Stripe sk_live_), OAuth 2.0 flows, JWT tokens, Bearer auth, key rotation, and permission scoping.
Discovers, classifies, protects, and governs API keys, tokens, secrets across code, git history, containers, CI/CD, VPS, and providers like OpenAI, AWS, GCP, Azure, Stripe. Enforces rotation, least privilege, and governance.