Alex Sancivieri

I've been noticing a pattern in dev communities lately. Someone builds their first LLM-powered app, ships it, and a week later they're asking why their OpenAI bill spiked or why their key stopped working. Nine times out of ten it's because the key was sitting in the codebase or a committed .env file.

Nobody warns new builders about this especially people coming in through Vibecoding who are moving fast and just want to ship.

I built API Locker (apilocker.app) to solve this. You store your keys in the vault, get a proxy token back, and your code only ever touches the token. You can rotate it anytime without changing your codebase. It's completely free, unlimited usage, and works via web, CLI, IDE extensions for VS Code and Cursor, and MCP tools for AI-native workflows.

Curious have you ever had a key exposed? How are you currently handling secrets management in your projects?