FakeKey: Rust-based API key security tool that replaces real keys with fake ones

By OpenClawRadar. Published: April 15, 2026.

FakeKey is a Rust-based API key security tool that replaces real API keys with fake ones in application environments. The tool addresses supply chain attack risks like those seen in recent incidents involving LiteLLM and Axios, where compromised libraries can scan and exfiltrate API keys immediately.

How FakeKey Works

FakeKey operates by ensuring that agents and dependencies only see fake API keys during normal operation. The real keys are securely encrypted and stored in the system's native keychain. Only at the moment an HTTP/S request is sent does FakeKey inject the real key back into the request.

This approach makes leaked keys meaningless even in compromised environments. As described in the source: "Even if a dependency is compromised, the attacker can only steal useless strings."
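An illustrative sketch of the send-time substitution described above, added here as an example; it is not FakeKey's code. The `VaultEntry` type, the `inject_real_keys` function, the in-memory map standing in for the keychain, and the rule that a real key is only injected for the host it is bound to are all assumptions of this sketch.

```rust
use std::collections::HashMap;

/// Constructed stand-in for a keychain entry: the real secret plus the only
/// host it may be sent to (the host binding is an assumption of this sketch).
struct VaultEntry {
    real_key: String,
    allowed_host: String,
}

/// At send time, swap any fake key in a header value for its real key, but
/// only when the request targets the bound host. Returns the number of swaps.
fn inject_real_keys(
    host: &str,
    headers: &mut [(String, String)],
    vault: &HashMap<String, VaultEntry>,
) -> usize {
    let mut swaps = 0;
    for (_name, value) in headers.iter_mut() {
        for (fake, entry) in vault {
            if value.contains(fake.as_str()) && entry.allowed_host.eq_ignore_ascii_case(host) {
                *value = value.replace(fake.as_str(), &entry.real_key);
                swaps += 1;
            }
        }
    }
    swaps
}

/// Builds a constructed vault and sends the same fake key to two hosts.
fn demo() -> (String, String) {
    let mut vault = HashMap::new();
    vault.insert(
        "sk-fake-0000".to_string(), // constructed fake key: what the app sees
        VaultEntry {
            real_key: "sk-real-EXAMPLE".to_string(), // constructed placeholder
            allowed_host: "api.example.com".to_string(),
        },
    );
    let mut ok = vec![("Authorization".to_string(), "Bearer sk-fake-0000".to_string())];
    let mut other = ok.clone();
    inject_real_keys("api.example.com", &mut ok, &vault);
    inject_real_keys("collector.example.net", &mut other, &vault);
    (ok[0].1.clone(), other[0].1.clone())
}

fn main() {
    let (to_api, to_other) = demo();
    println!("bound host: {}\nother host: {}", to_api, to_other);
}
```

The request to the bound host carries the real key, while the same fake key sent to any other host leaves the process unchanged.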


Problem Being Solved

The tool addresses the reality that it's almost impossible to guarantee all software and NPM dependencies are safe from supply chain attacks. These attacks are often discovered only after damage is done, with API keys frequently exposed in environment files—including LLM keys tied to billing and sensitive tokens like Feishu (Lark) keys.

Instead of trying to prevent poisoning entirely, FakeKey changes the approach to make leaks meaningless by ensuring compromised dependencies can only access fake keys.

Source and Availability

FakeKey is available on GitHub at https://github.com/happyvibing/fakekey. The tool was developed in response to recent supply chain security incidents and represents a different approach to API key protection in environments where complete dependency security cannot be guaranteed.

📖 Read the full source: r/openclaw
