Much like all other types of businesses, application developers have professional information they wish to keep far away from the reach of competitors. In order to protect this information, developers rely on passwords, ID’s and API keys. However, some apps require several layers of programming, which is why the amount of passwords required can be quite high. If all keys aren’t kept in one place, people tend to get confused and if they lose track of their key locations, problems could ensue.
API keys, Analytics IDs and tokens are basically codes that identify programs, developers or users and determines what type of actions said bodies are permitted to execute on the source code of an apps interface.
Because these keys usually grant you access to very sensitive control over the APIs in question, it’s no wonder developers go a long way to keep those keys secure. This is not always the case though, as you can see from this warning message.
Even if they should be done over not doing them at all, homemade solutions (which is what most developers do) for API key management can turn out to be quite a bit of a hassle. Tricky situations emerge when new API keys are required, when old config files are used accidentally or when programmers leave/enter the development team. Changes can happen anytime, which is why Helsinki-based Keystock asks developers: do you know where all of your keys are right now?
If you don’t or you’re not entirely sure, it could mean you’re not prepared.
Because of their importance, keys need to be carefully placed in specific locations, shared with specific people and revoked when changes happen. Goes without saying that it requires some valuable work which could be better spent!
Helsinki-based Keystock is a cloud based virtual vault for your API keys. Since hard-coding the keys into the source code or even storing them locally can potentially turn messy, Keystok offers to store these keys into their cloud, through which you can move and manage all your configs, secret keys and passwords. In addition, revoking existing keys or replacing them with new ones can also be done centrally from one place. This means developers wouldn’t have to touch the application code in case of a key revoking, which eliminates the need for re-builds and updates.
Keystok CEO Christian Fruehwirth told us the idea for such a service came to light while he was working with newspaper publication apps in the US. The company he worked in covered more than 500 local newspapers through 230 applications. Needless to say, he became familiar with the annoyances related to key/config file managing by the sheer number of apps he was involved in.
You might raise the question whether it’s safe to simply put all of the code you’ve worked so hard to build onto a website that says it will manage your keys. Well, Keystok uses strong encryption to encrypt all your config parameters on the client side, and they promise that neither anyone from Keystock nor the NSA for that matter will ever be able to read your config files. All parameters are encrypted locally, in the client library or browser, before they are stored in Keystok, according to Fruehwirth.
Keystok launched a little less than two weeks ago after two years of internal use (not branded as Keystok at the time). Though they’re not exactly drowning in users, Fruehwirth is confident people will soon realise Keystok’s potential.
The company’s background check revealed that their target customers are probably going to be small developer teams, since enterprises mostly stated that they would only use Keystok’s services as a locally installable solution, not as a cloud service.
Fruehwirth says there are hundreds of thousands of cases where Keystok could effectively be put to use but developers need to hear of its existence before giving it a try. There aren’t many key vault clouds out there, hence the biggest competition stems from the developers themselves who resolve key management through self made solutions.
Keystok is funded for now and currently offers anyone up for a tryout a 30-day free of charge trial, after which prices go as follow: free of charge for 1-man teams (limited to three apps and 100 keys), $49/month for teams of three, $99/month for teams of ten and $299/month teams of 30. Too big to fit? Custom plan it is (call Keystok for a personal deal)
Better details on how Keystok works (warning: developer language) go here.