Writing on security, keys, and agents.
On API security, developer tools, and what we're learning building Strake.
Stop Adversarial Prompts Before They Reach Your Model
Jailbreak protection is now available on all Strake endpoints. Block prompt injection, DAN attempts, and indirect injection at the proxy layer — before they ever reach your AI provider.
Stop Sensitive Data Before It Reaches Your LLM
Most applications weren't designed with AI in mind. Now that the downstream service is an LLM, sensitive data that used to stop at your API is flowing straight to your model provider. Here's how to fix that at the request level.
Your MCP Config Has Tokens in It. Have You Looked Lately?
Your mcp.json is sitting on disk in plaintext. Backed up to iCloud. Maybe in a public dotfiles repo. Here's why MCP configs are actually worse than .env files — and what to do about it.
Why Your Team Shouldn't Share API Keys
Shared keys are a habit, not a best practice. When someone leaves your team, you're either rotating a key that breaks everything, or hoping they don't misuse access they technically still have.
Your API Keys Don't Belong in Environment Variables
Every few months a platform gets breached and the recommendation is "rotate your env vars." That's the wrong fix. Here's what the pattern should look like.