Deep dives on API key security, secret management, and developer tooling.
Every developer knows the feeling. You paste an API key into your code "just for testing," it ends up in a git commit, and seconds later it's live on GitHub. Bots scan repos constantly. Your bills spike. You rotate. Repeat next month.
There are two categories of tools that help with API key security:
What's missing is the middle: what if the key leaks, but it's already useless?
Worthless splits your API key into two cryptographic shares. Neither share reveals anything about the original key; you need both to reconstruct it. Reconstruction happens in memory only, for milliseconds, and only when your app actually needs to make an API call.
$ worthless lock
1 key(s) protected.
$ worthless wrap python app.py
# your code is unchanged
$ worthless unlock
1 key(s) restored.
There's also a budget enforcement layer: if your spending limit is hit, the key simply never forms, even if your code tries to use it. A hard stop.
"Every secrets tool protects the key until your app uses it. Worthless protects you after it leaks."
pip install worthless
worthless lock
worthless wrap python app.py
When we say "a leaked share is worthless," we mean it in a precise mathematical sense. This post explains why, without requiring a cryptography background.
Imagine a padlock that requires two keys simultaneously to open. If someone steals one, they can't open the lock. They have something real, but it's useless without the other half. Secret sharing is the mathematical equivalent.
Splitting: choose Share A uniformly at random and set B = S XOR A. Reconstruction: S = A XOR B. Simple. Brilliant.
This works because A is purely random. An attacker holding only A sees that every possible value of S pairs with some valid B; the share A is statistically independent of S and could have come from any secret equally well.
When you run worthless lock: your key is read, Share A is generated randomly, Share B is derived so A XOR B = key. A goes to local encrypted storage; B lives in proxy memory. Your .env is updated to point at the proxy. The full key exists for milliseconds, then memory is zeroed.
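To make the split, the "every secret is consistent with one share" argument, and the budget gate from earlier in the post concrete, here is an added Python sketch. It is not Worthless's own code and makes no claim about how the tool is implemented internally; the names split_key, reconstruct, partner_for and BudgetGate, the in-process BudgetGate standing in for the proxy, and the cents-based cost accounting are assumptions made for illustration.

```python
# Added illustration of XOR secret sharing with a budget gate. Not Worthless's
# own code; the names and the cents-based accounting are assumptions.
import secrets


class BudgetExceeded(Exception):
    """Raised when a call would push spending past the configured limit."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split key into (A, B): A is uniformly random, B = key XOR A."""
    share_a = secrets.token_bytes(len(key))
    share_b = xor_bytes(key, share_a)
    return share_a, share_b


def reconstruct(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the shares: A XOR B = key."""
    return xor_bytes(share_a, share_b)


def partner_for(share_a: bytes, candidate_secret: bytes) -> bytes:
    """Given only A, return the B that would make A XOR B equal candidate_secret.
    Such a B exists for every candidate, which is why A alone says nothing
    about the real key."""
    return xor_bytes(candidate_secret, share_a)


def every_secret_is_consistent(share_a: bytes) -> bool:
    """Exhaustive check for a 1-byte share: all 256 possible secrets have a
    valid partner share, so A is independent of the secret."""
    if len(share_a) != 1:
        raise ValueError("exhaustive check is only practical for a 1-byte share")
    return all(
        reconstruct(share_a, partner_for(share_a, bytes([s]))) == bytes([s])
        for s in range(256)
    )


class BudgetGate:
    """Holds share B (standing in for the proxy process) and only recombines
    the key while a call is in flight and the spending limit allows it."""

    def __init__(self, share_b: bytes, limit_cents: int) -> None:
        self._share_b = share_b
        self.limit_cents = limit_cents
        self.spent_cents = 0

    def call(self, share_a: bytes, cost_cents: int, api_call):
        # Hard stop: the key is never assembled if this call would exceed the limit.
        if self.spent_cents + cost_cents > self.limit_cents:
            raise BudgetExceeded(
                f"{self.spent_cents + cost_cents} > limit {self.limit_cents}")
        key_buf = bytearray(reconstruct(share_a, self._share_b))
        try:
            result = api_call(bytes(key_buf))
        finally:
            # Best-effort zeroing: the mutable buffer is wiped, but the immutable
            # bytes copy handed to api_call lives until the garbage collector frees it.
            for i in range(len(key_buf)):
                key_buf[i] = 0
        self.spent_cents += cost_cents
        return result


def demo() -> dict:
    """Run the whole flow on a constructed key and report what happened."""
    key = b"sk-constructed-example-key-0123"  # constructed sample, not a real key
    share_a, share_b = split_key(key)
    gate = BudgetGate(share_b, limit_cents=250)
    seen = []  # what the (fake) API call actually received

    def fake_api(k: bytes) -> str:
        seen.append(k)
        return "ok"

    results = []
    for _ in range(3):  # 3 x 100 cents against a 250-cent limit: third call refused
        try:
            results.append(gate.call(share_a, 100, fake_api))
        except BudgetExceeded:
            results.append("refused")
    return {
        "roundtrip": reconstruct(share_a, share_b) == key,
        "share_leaks_key": share_a == key or share_b == key,
        "results": results,
        "calls_made": len(seen),
        "key_seen_by_api": all(k == key for k in seen),
        "spent": gate.spent_cents,
        "one_byte_independent": every_secret_is_consistent(secrets.token_bytes(1)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of partner_for and every_secret_is_consistent is the independence claim: whoever holds only A can compute a perfectly valid-looking B for any secret they like, so A carries no information. The zeroing in BudgetGate shows the limit of doing this in Python: a bytearray can be wiped, but the immutable copy the API client receives cannot, which is one reason a separate proxy process holding B is a stronger boundary than anything done inside the app's own interpreter.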
API key leaks are more common than people admit. Most companies quietly rotate and move on. Here are five categories of real incidents that show exactly how these leaks happen and what they cost.
A founder adds their OpenAI key to .env while scaffolding a demo, runs git add . before adding .env to .gitignore, and pushes to a public repo. Within 4 minutes, a bot catches it. By the time they rotate, $2,300 in credits is consumed.
With Worthless: the .env would contain only a useless key share.
A popular npm package is compromised via a maintainer account takeover. The malicious version reads process.env and exfiltrates all environment variables. Hundreds of developers lose keys within hours.
With Worthless: the exfiltrated env var would be a key share, useless without the other half in a separate process.
A developer uses echo $AWS_SECRET_KEY to debug a failing CI step on a public repo. The log is visible to everyone. A scraper catches it in 30 minutes. An EC2 fleet is spun up for crypto mining. Bill: $14,000 in 48 hours.
With Worthless: the exposed env var would be a random-looking share. Logging it leaks only meaningless data.
A contractor keeps a copy of the .env after leaving. Three months later, the company discovers the Stripe API key has been used to pull transaction data. They had access for months before anyone noticed unusual API activity.
With Worthless: the contractor's copy contains a share tied to a local proxy, which is no longer running. Worthless without the other half.
A developer files a GitHub issue with a terminal screenshot that includes a SendGrid API key partially visible in the corner. It's on a public issue for 6 days before anyone notices.
With Worthless: the visible string would be a random-looking share. A screenshot exposes nothing usable.
In every case, the attacker got a real, complete API key stored in plaintext. Worthless changes that: what gets leaked is never the whole key.