API Token Vault
A Rust CLI tool that generates cryptographically secure API tokens, stores them in an encrypted local vault, rotates them on configurable schedules, and injects them into .env files. Provides multi-project isolation with separate vaults per project.
Features
- Secure Token Generation: Generate cryptographically secure API tokens using libsodium
- Encrypted Vault Storage: All tokens stored encrypted using libsodium's secretbox
- Auto-Rotation Schedules: Configure automatic token rotation with configurable intervals
- .env File Injection: Inject tokens directly into .env files with custom prefixes
- Multi-Project Isolation: Separate vaults for different projects with independent passwords
- Secure Key Derivation: Uses Argon2id for deriving encryption keys from master passwords
Installation
From Crates.io
cargo install api-token-vault
From Source
git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/api-token-vault.git
cd api-token-vault
cargo build --release
The binary will be at target/release/api-token-vault.
Quick Start
Initialize a Vault
api-token-vault init --project my-project
You can also set the project via environment variable:
export API_VAULT_PROJECT=my-project
api-token-vault init
Generate a Token
api-token-vault generate --name api_key --length 32
List All Tokens
api-token-vault list
Get a Token Value
api-token-vault get --name api_key
api-token-vault get --name api_key --raw # Output only the token value
Rotate a Token
api-token-vault rotate --name api_key
api-token-vault rotate --name api_key --force # Force rotation even if not due
Set Auto-Rotation
api-token-vault set-rotation --name api_key --days 30
Check Expired Tokens
api-token-vault check-expired
Rotate All Expired Tokens
api-token-vault rotate-expired
Inject Tokens into .env File
api-token-vault inject --env-file .env
api-token-vault inject --env-file .env --dry-run # Preview changes without writing
api-token-vault inject --env-file .env --token-prefix MY_TOKEN_ # Custom prefix
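The merge step behind inject, sketched as an added example using only the Rust standard library (this is not api-token-vault's own code). It rewrites managed keys in place, collapses repeated definitions so a stale value cannot shadow a rotated one, leaves comments and unrelated keys alone, and returns a names-only change list suitable for a --dry-run preview that never prints secrets. Assumptions: a token named api_key maps to the variable <prefix>API_KEY, and the names inject and Change are hypothetical.

```rust
// Added example, not the project's code. Assumption: token `api_key` with
// prefix `MY_TOKEN_` becomes `MY_TOKEN_API_KEY`; the real tool may differ.

/// A planned change. Only the variable name is kept, never the value,
/// so printing the plan (dry run) cannot leak a token.
#[derive(Debug, PartialEq)]
pub enum Change { Updated(String), Added(String) }

/// Merge `tokens` (name, value) into the text of an existing .env file.
pub fn inject(env: &str, tokens: &[(&str, &str)], prefix: &str) -> (String, Vec<Change>) {
    let vars: Vec<(String, &str)> = tokens.iter()
        .map(|(n, v)| (format!("{}{}", prefix, n.to_uppercase()), *v))
        .collect();
    let mut seen = vec![false; vars.len()];
    let mut out: Vec<String> = Vec::new();
    let mut changes = Vec::new();
    for line in env.lines() {
        // Key = text before the first '=', ignoring an optional `export `.
        let t = line.trim_start();
        let key = t.strip_prefix("export ").unwrap_or(t)
            .split('=').next().unwrap_or("").trim();
        match vars.iter().position(|(k, _)| k.as_str() == key) {
            Some(i) if t.contains('=') => {
                if seen[i] { continue; } // drop stale duplicate of a managed key
                seen[i] = true;
                out.push(format!("{}={}", vars[i].0, vars[i].1));
                changes.push(Change::Updated(vars[i].0.clone()));
            }
            _ => out.push(line.to_string()), // comments, unrelated keys: untouched
        }
    }
    for (i, (k, v)) in vars.iter().enumerate() {
        if !seen[i] {
            out.push(format!("{}={}", k, v));
            changes.push(Change::Added(k.clone()));
        }
    }
    (out.join("\n") + "\n", changes)
}

fn main() {
    // Constructed sample input; the token values are placeholders.
    let env = "# app config\nDEBUG=1\nMY_TOKEN_API_KEY=old-value\n";
    let tokens = [("api_key", "new-value"), ("db_key", "another-value")];
    let (text, changes) = inject(env, &tokens, "MY_TOKEN_");
    println!("{:?}", changes); // dry-run style preview: names only
    print!("{}", text);
}
```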
Delete a Token
api-token-vault delete --name api_key
Command Reference
| Command | Description |
|---|---|
| init | Initialize a new vault for a project |
| generate | Generate a new secure API token |
| list | List all tokens in the vault |
| get | Get a specific token value |
| delete | Delete a token from the vault |
| rotate | Rotate (regenerate) a specific token |
| set-rotation | Set auto-rotation schedule for a token |
| inject | Inject tokens into a .env file |
| check-expired | Check for expired tokens |
| rotate-expired | Rotate all expired tokens |
Configuration
Environment Variables
| Variable | Description |
|---|---|
| API_VAULT_PATH | Custom path for vault storage directory |
| API_VAULT_PROJECT | Default project name (used when not specified via CLI) |
Vault Location
By default, vaults are stored in:
- Linux/macOS: ~/.config/api-token-vault/
- Windows: %APPDATA%\api-token-vault\
Each project has its own vault file: ~/.config/api-token-vault/{project_name}.json
Security
- Encryption: Uses libsodium's secretbox for authenticated encryption
- Key Derivation: Uses Argon2id (via libsodium's pwhash) for key derivation
- Master Password: Required to access each vault
- Salt: Unique salt per vault for key derivation
Token Formats
The tool can generate tokens in various formats:
- Default: Base64-encoded secure random bytes
- Hex: Hexadecimal encoded
- Alphanumeric: Letters and numbers only
- API Key: With custom prefix (e.g., sk_live_xxxxx)
Development
Build
cargo build
cargo build --release
Run Tests
cargo test
cargo test --all
Lint
cargo clippy
Benchmarks
cargo bench
Project Structure
api-token-vault/
├── Cargo.toml
├── Cargo.lock
├── README.md
├── src/
│ ├── main.rs # Entry point and command handling
│ ├── cli.rs # CLI argument parsing with clap
│ ├── vault.rs # Vault storage and management
│ ├── token.rs # Token generation and data structures
│ ├── rotation.rs # Token rotation scheduling
│ ├── env_injector.rs # .env file injection
│ └── crypto.rs # Cryptographic operations
└── tests/
└── integration_tests.rs
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.