Strake

Why Your Team Shouldn't Share API Keys

Most teams have some version of the same setup: an OpenAI key (or Anthropic, or both) sitting in a shared 1Password vault. It was the path of least resistance when the team was small, and it worked fine. Now you're bigger, you've had a few rounds of contractor turnover, and that key has been copy-pasted into more environments than anyone has actually tracked.

This isn't about a specific breach or a scare story. It's about a habit that accumulates quietly and only becomes visible when someone leaves the team.

How a shared key travels

It starts in one place. Then someone needs it for a CI pipeline, so it goes in GitHub Actions. Another person needs it locally, so it ends up in a .env file on their machine, probably more than one. A contractor gets onboarded and needs access, so it gets Slack DM'd over. Six months later it's in four laptops, two CI pipelines, a staging server, and a Slack thread that's technically still searchable.

Nobody planned this. It just happens, because the key is the unit of access and everyone needs access.

When someone leaves, you're either rotating the key, which means scrambling to update everything that depends on it, or you're leaving it in place and hoping for the best.

Rotation costs you an afternoon of coordination you shouldn't have to spend. Leaving it means someone has access to production systems you've quietly decided to ignore.

What the fix looks like

Your underlying Anthropic or OpenAI key lives in one encrypted vault. Each developer, CI runner, or script gets its own token that routes through that vault. The API behaves identically. Nothing in your calling code changes.

01. Store the real key once

Add your API credentials to Strake. One place, controlled by whoever manages your team's credentials. Nobody else touches the upstream key.

02. Issue a token per identity

Each engineer, contractor, CI pipeline, and staging environment gets its own Strake token and endpoint URL. Same underlying API access, but completely separate identities you can track and revoke independently.

03. Revoke without rotating

When someone leaves, revoke their token. That's the whole offboarding step. No key rotation, no broken pipelines, no emails asking contractors to delete something from their machine.

What changes in the .env file

Here's what it looks like on an actual developer's machine, before and after:

Before / shared key

# Everyone on the team has this
OPENAI_API_KEY=sk-proj-shared-key...

# Dev leaves. Now what?

After / per-person tokens

# Alice
OPENAI_BASE_URL=https://alice.strake.sh/v1
OPENAI_API_KEY=ct_live_alice...

# Dev leaves. Revoke their token.

The calling code doesn't change. The OpenAI SDK, Claude Code, Cursor, or whatever tool you're using simply hits a different base URL. Strake handles the proxy to the upstream provider.
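To make the three steps above and the .env change concrete, here is an added sketch of how such a token broker works; it is illustrative code written for this page, not Strake's implementation. It assumes a per-identity hostname maps to the identity by its first label, a token format modelled on the page's ct_live_alice... example, and a constructed placeholder for the upstream key; only token digests are stored, and revocation never touches the upstream key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder: the single upstream provider key, which never leaves the broker.
UPSTREAM_KEY = "sk-proj-UPSTREAM-PLACEHOLDER"

def identity_from_host(host: str) -> str:
    """Per-identity endpoint, e.g. alice.strake.sh -> "alice" (assumed layout)."""
    return host.split(".")[0]

@dataclass
class Broker:
    """Maps per-identity tokens onto one upstream key; revocation is per token."""
    digests: dict[str, str] = field(default_factory=dict)  # identity -> sha256(token)
    revoked: set[str] = field(default_factory=set)

    def issue(self, identity: str) -> str:
        """Mint a token for one person or pipeline; only its digest is stored at rest."""
        token = f"ct_live_{identity}_{secrets.token_urlsafe(24)}"
        self.digests[identity] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def revoke(self, identity: str) -> None:
        """Offboarding: this identity loses access; the upstream key is untouched."""
        self.revoked.add(identity)

    def forward(self, host: str, presented: str) -> dict:
        """Check the token sent to a per-identity host and build the upstream request."""
        identity = identity_from_host(host)
        if identity in self.revoked:
            return {"status": 401, "reason": "token revoked", "identity": identity}
        expected = self.digests.get(identity)
        digest = hashlib.sha256(presented.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, digest):
            return {"status": 401, "reason": "unknown token", "identity": identity}
        # Valid: swap in the upstream key; 'identity' tags the call for per-environment usage.
        upstream = {"Authorization": f"Bearer {UPSTREAM_KEY}"}
        return {"status": 200, "upstream_headers": upstream, "identity": identity}

def offboarding_demo() -> tuple:
    """Alice and the CI runner each get a token; revoking Alice leaves CI working."""
    broker = Broker()
    alice, ci = broker.issue("alice"), broker.issue("ci")
    before = broker.forward("alice.strake.sh", alice)["status"]
    broker.revoke("alice")
    after = broker.forward("alice.strake.sh", alice)["status"]
    ci_status = broker.forward("ci.strake.sh", ci)["status"]
    return before, after, ci_status  # (200, 401, 200)
```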

Where this actually bites you

Contractors. You hand them access at the start of the engagement, and then there's no clean way to take it back. Without individual tokens, the key either gets rotated (breaking whatever else uses it) or it doesn't (and their access just quietly persists). With Strake, you issue a token for the engagement and revoke it when the work is done. No rotation, no emails asking them to clean up their machine.

Multiple environments, one key. When your CI pipeline, staging setup, local dev, and two or three developers all share the same key, there's no way to tell what's consuming what. If something looks off in your usage, you can't isolate it. Individual tokens fix that, and let you cut off any one environment without touching the others.

Slack DMs. If you've ever sent an API key over Slack, it's now in search history, potentially in third-party integrations, and out of your control. Strake means there's nothing sensitive to pass around. You share a token that can be revoked, not a key that can't be un-shared.

The part that doesn't get counted

Security aside, shared keys create operational overhead that adds up. Every offboarding that touches a shared key is a coordination task. Someone has to remember where it lives, update the places they find, and hope they got everything. It's rarely one place.

Per-person tokens make offboarding a single revocation. It should have always worked this way.


Shared API keys are a habit the industry got stuck with because doing it properly used to mean building your own proxy infrastructure. Most teams weren't going to do that. Strake is the version you can set up in a few minutes: paste your key once, give everyone their own token, and if something ever goes wrong you fix it in one place.

Try Strake for Teams

Individual tokens for every developer and pipeline.

One upstream key in your vault. Revocable tokens for everyone downstream. Offboard a contractor in one click, not one afternoon.