API key management with access control and audit logging.
Aegis stores API keys encrypted, controls who can reveal each key, and logs every access event - without requiring engineers to share keys through insecure channels.
Unstructured API key storage leaves no access record.
Most teams start by sharing API keys in environment files, chat tools, or shared password managers. The access model is all-or-nothing: either you have access to the project, or you don’t.
There’s no record of who actually used a key, when, or why. When an auditor asks - or when an incident happens - you can’t answer.
Four capabilities that change the access model.
Per-key RBAC
Each API key has its own access list. Being on a team does not automatically grant access to any key. Access is an explicit, separate grant.
Reveal logging
Every time a key value is shown, the event is written to an immutable log: actor, timestamp, environment, and linked sprint ticket if one is active.
Environment separation
The same key name can hold different values per environment - production, staging, dev - with different access rules for each.
Rotation tracking
Aegis tracks the age of every key and flags ones approaching your rotation policy threshold so nothing silently expires.
Three steps. No behaviour change for developers.
Add a key by manual entry, .env file import, or CLI push. Aegis parses the key name and value and stores it encrypted.
Specify who can read, reveal, or edit each key per environment. No access is granted by default.
When a developer reveals the key value, the event is written automatically - no action required from the developer.
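The access model described by the four capabilities and the three steps above, as an added illustrative model that is not Aegis code: per-key, per-environment grants with nothing granted by default, a reveal log written before the value is handed out, a hash chain standing in for the "immutable log" so tampering is detectable, and a rotation check that flags keys before they cross the threshold. The class and method names are assumptions, and encryption at rest is left out.

```python
import hashlib, json, time

GENESIS = "0" * 64
DAY = 86400

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class KeyVault:
    def __init__(self, rotation_days=90):
        self.values = {}   # (key, env) -> value; a real vault encrypts this at rest
        self.grants = {}   # (key, env) -> {actor: {"read", "reveal", "edit"}}
        self.created = {}  # (key, env) -> creation time in epoch seconds
        self.log = []      # append-only reveal log; each entry commits to the previous one
        self.rotation = rotation_days * DAY

    def store(self, key, env, value, created=None):
        self.values[(key, env)] = value
        self.created[(key, env)] = time.time() if created is None else created
        self.grants.setdefault((key, env), {})  # nobody is granted by default

    def grant(self, key, env, actor, *perms):
        # Access is an explicit per-key, per-environment grant, not team membership.
        self.grants[(key, env)].setdefault(actor, set()).update(perms)

    def reveal(self, key, env, actor, ticket=None, now=None):
        if "reveal" not in self.grants.get((key, env), {}).get(actor, ()):
            raise PermissionError(f"{actor} may not reveal {key}/{env}")
        entry = {"actor": actor, "key": key, "env": env, "ticket": ticket,
                 "ts": time.time() if now is None else now,
                 "prev": self.log[-1]["hash"] if self.log else GENESIS}
        entry["hash"] = _digest(entry)
        self.log.append(entry)  # the event is recorded before the value is handed out
        return self.values[(key, env)]

    def verify_log(self):
        # Editing or dropping any entry breaks the chain: tamper-evident, not merely append-only.
        prev = GENESIS
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def due_for_rotation(self, now=None, warn_days=7):
        # Flag keys within warn_days of the rotation threshold, not only those already past it.
        now = time.time() if now is None else now
        return sorted(k for k, c in self.created.items() if now - c >= self.rotation - warn_days * DAY)
```

A grant on one environment of a key name gives nothing on another environment of the same name, which is the point of environment separation.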