How it works

Three commands.
Zero code changes.

Worthless wraps your existing app with a transparent proxy. Your code never sees the full key — and neither does an attacker who gets hold of your .env or git history.

01

Lock your keys

Run worthless lock. It scans your .env, detects API keys, and splits each one with two-party XOR secret sharing: Share B is a uniformly random string as long as the key, and Share A is the key XORed with Share B. Share A is written to local encrypted storage. Share B lives in the proxy process memory only, never on disk. Your .env is updated to point at the proxy.

terminal
$ worthless lock
  Scanning .env... found 1 API key
  Splitting OPENAI_API_KEY...
  Share A → ~/.worthless/shares/
  Share B → proxy memory
1 key(s) protected.
🔑
Information-theoretic security. Because Share B is uniformly random and independent of the key, Share A is a uniformly random string too: for every possible key of that length there is exactly one Share B that pairs with A to produce it. Given only A, an attacker learns nothing about the original key beyond its length, not even a single bit. There is nothing to brute-force, because every candidate key is equally consistent with A.
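The split and the property it gives you, as an added example (this is not Worthless's own code). The function names are assumptions for the example; the last one, share_b_for, makes the "nothing to brute-force" claim concrete by producing, for any candidate key, the Share B that would pair with a given Share A to yield it:

```python
"""Two-party XOR secret sharing of an API key.

Added example, not the project's code. Share B is drawn from a CSPRNG;
Share A = key XOR B. Either share alone is uniformly random.
"""
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split `key` into (share_a, share_b). share_b is uniform random."""
    share_b = secrets.token_bytes(len(key))
    share_a = bytes(k ^ b for k, b in zip(key, share_b))
    return share_a, share_b


def reconstruct(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the key: A XOR B. Refuse mismatched lengths instead of truncating."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def share_b_for(share_a: bytes, candidate: bytes) -> bytes:
    """Return the Share B under which `share_a` reconstructs to `candidate`.

    One such B exists for every candidate of the right length, so Share A
    alone is consistent with every possible key: there is nothing to guess.
    """
    return reconstruct(share_a, candidate)


if __name__ == "__main__":
    # Constructed sample key; not a real credential.
    a, b = split_key(b"sk-example")
    assert reconstruct(a, b) == b"sk-example"
    # The same A "is" any other key if you pick B accordingly.
    assert reconstruct(a, share_b_for(a, b"sk-another")) == b"sk-another"
    print("share A:", a.hex(), "reveals only the length", len(a))
```

Note that the length leak is real: pad keys to a fixed length before splitting if key lengths differ per provider and that matters to you.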
02

Run your app — unchanged

Prefix any command with worthless wrap. Because lock pointed your .env at the proxy, the app's API requests arrive at the proxy, which reconstructs the full key in memory for the duration of the call, forwards the request, then zeroes the buffer immediately. Your code doesn't change.

terminal
# Before
$ python app.py

# After — everything else stays the same
$ worthless wrap python app.py
$ worthless wrap node server.js
$ worthless wrap pytest
your app ──→ worthless proxy ──→ OpenAI API
                   │
   Share A + Share B ──→ full key (ephemeral)
   proxy reconstructs key in memory · checks budget · zeroes after use

A leaked Share A alone → cryptographically worthless
03

Budget enforcement — a hard stop

Before reconstructing the key, the proxy checks your spending counter. If the budget is reached, the proxy refuses — even if both shares are available. This is a hard stop at the infrastructure layer. No alerts to miss, no override from the app side.

💸
Two independent guards: a cryptographic split and a spending cap. An attacker holding Share A alone, or code running inside your app, still can't spend more than your limit allows, because the only way to a usable key is through the proxy, and the proxy checks the counter before it reconstructs anything. The cap is enforced in the proxy, so it does not bind someone who obtains both shares: A XOR B is the key, and it can be used directly against the API. Keeping Share B confined to proxy memory is what keeps the two guards independent.
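The proxy-side call path for steps 02 and 03, as an added example rather than Worthless's own code. It models the order the page describes: budget check first, then reconstruct the key into a buffer that can be overwritten, use it for one outbound request, zero it. SplitKeyProxy, ephemeral_key, BudgetExceeded, the flat per-call cost and the transport callable are all assumptions made for the example:

```python
"""Budget-gated, ephemeral key reconstruction on the proxy side.

Added example, not the project's code. The proxy refuses before touching
either share once the cap is reached; otherwise the key exists only inside
the `with` block and is zeroed on exit, including on error.
"""
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Callable, Iterator


class BudgetExceeded(Exception):
    """Raised before any key material is reconstructed."""


@contextmanager
def ephemeral_key(share_a: bytes, share_b: bytes) -> Iterator[bytearray]:
    """Yield key = A XOR B as a mutable buffer; zero it when the block exits."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    key = bytearray(a ^ b for a, b in zip(share_a, share_b))
    try:
        yield key
    finally:
        for i in range(len(key)):
            key[i] = 0


@dataclass
class SplitKeyProxy:
    share_a: bytes               # read from local storage
    share_b: bytes               # in a real proxy: process memory only
    budget_cents: int            # hard cap for this counter
    spent_cents: int = 0
    cost_per_call_cents: int = 1  # assumed flat cost; real pricing is per token

    def forward(self, method: str, url: str, headers: dict, body: bytes,
                transport: Callable[[str, str, dict, bytes], int]) -> int:
        # 1. Hard stop: refuse before either share is touched.
        if self.spent_cents + self.cost_per_call_cents > self.budget_cents:
            raise BudgetExceeded(
                f"spent {self.spent_cents} of {self.budget_cents} cents")
        # 2. Reconstruct, use for exactly one request, zero.
        with ephemeral_key(self.share_a, self.share_b) as key:
            out_headers = dict(headers)
            # Caveat: the str built here is immutable and lives until the
            # garbage collector frees it. Zeroing the bytearray is the
            # best-effort step Python allows, not a guarantee.
            out_headers["Authorization"] = "Bearer " + key.decode("ascii")
            status = transport(method, url, out_headers, body)
        # 3. Count only a request that was actually sent.
        self.spent_cents += self.cost_per_call_cents
        return status
```

In production the transport would be the real HTTP client; the test double used for checking only records the header it was handed.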
04

Pre-commit scanning

Add the Worthless hook so a raw key is caught before it reaches git history. The hook is the first line of defense; once a key is locked, what your .env holds is a pointer to the proxy, so a .env that slips into a later commit no longer carries the key.

.pre-commit-config.yaml
repos:
  - repo: https://github.com/shacharm2/worthless
    # Pin `rev` to a tag or commit SHA for reproducible hooks; a branch
    # name such as `main` resolves to whatever that branch points at today.
    rev: main
    hooks:
      - id: worthless-scan

# Every commit is scanned automatically.
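What a scan hook of this kind does, as an added example that is not the Worthless hook's code. pre-commit passes the staged file names as arguments and treats a non-zero exit as a failed commit; the script below checks each file for raw keys. The pattern set is an assumption, covering only OpenAI's "sk-" prefix, and the sample .env content is constructed:

```python
"""Raw-key scanner in the shape of a pre-commit hook.

Added example, not the project's code. Exit 1 if any staged file contains
something that looks like a raw API key; a .env that points at the proxy
passes cleanly.
"""
import re
import sys

# Assumed detection patterns; extend per provider you actually use.
KEY_PATTERNS = {
    "openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}

# Constructed sample input; the key below is made up, not a real credential.
SAMPLE_ENV = """# constructed .env
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123
DATABASE_URL=postgres://localhost/app
"""


def mask(value: str) -> str:
    """Show enough to locate the finding without reprinting the secret."""
    return value[:6] + "..." + value[-4:]


def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, pattern name, masked value) for every raw key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, mask(match.group(0))))
    return findings


def scan_files(paths: list[str]) -> int:
    """Report findings on stderr; return 1 if any file holds a raw key, else 0."""
    exit_code = 0
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError as exc:
            print(f"{path}: unreadable ({exc})", file=sys.stderr)
            continue
        for lineno, name, shown in find_secrets(text):
            print(f"{path}:{lineno}: {name} key {shown}", file=sys.stderr)
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(scan_files(sys.argv[1:]))
```

Run it as `python scan.py .env app.py` to see the constructed behaviour; under pre-commit the file list comes from the staged changes.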
05

Undo everything — fully reversible

Run worthless unlock at any time. Original keys are restored, the proxy stops, no traces remain. No lock-in. No dependency on Worthless to keep your app running.

terminal
$ worthless unlock
1 key(s) restored. .env as before.