Ashby (YC W19) Is Hiring Design Engineers in AMER and EMEA (ashbyhq.com)

1 points by abhikp 13h ago 0 comments

EasyPost (YC S13) Is Hiring (easypost.com)

1 points by jstreebin 1d ago 0 comments

Tesorio (YC S15) Is Hiring a Senior GenAI Engineer (100% Remote) (tesorio.com)

1 points by FabioFleitas 1d ago 0 comments

OneSignal (YC S11) Is Hiring Engineers (onesignal.com)

1 points by gdeglin 2d ago 0 comments

Axle (YC S22) is hiring product engineers (ycombinator.com)

1 points by niharparikh 2d ago 0 comments

Mbodi AI (YC X25) Is Hiring a Founding Research Engineer (Robotics) (ycombinator.com)

1 points by chitianhao 2d ago 0 comments

ReadMe (YC W15) Is Hiring a Developer Experience PM (readme.com)

1 points by gkoberger 3d ago 0 comments

Weave (YC W25) is hiring a founding AI engineer (ycombinator.com)

1 points by adchurch 4d ago 0 comments

Depot (YC W23) Is Hiring a Community and Events Manager (Remote) (ycombinator.com)

1 points by jacobwg 4d ago 0 comments

CoLoop (YC S21) Is Hiring AI Engineers in London

1 points by mrlowlevel 4d ago 0 comments

Trellis (YC W24) Is Hiring: Automate Prior Auth in Healthcare (ycombinator.com)

1 points by jackylin 5d ago 0 comments

Type (YC W23) is hiring a founding engineer to build an AI-native doc editor (ycombinator.com)

1 points by stewfortier 6d ago 0 comments

Foundry (YC F24) is hiring staff-level product engineers (ycombinator.com)

1 points by lakabimanil 9d ago 0 comments

GoGoGrandparent (YC S16) Is Hiring Back End and Full-Stack Engineers

1 points by davidchl 9d ago 0 comments

Kyber (YC W23) is hiring enterprise account executives (ycombinator.com)

1 points by asontha 11d ago 0 comments

Converge (YC S23) well-capitalized New York startup seeks product developers (runconverge.com)

1 points by thomashlvt 13d ago 0 comments

Great Question (YC W21) Is Hiring a VP of Engineering (Remote) (ycombinator.com)

1 points by nedwin 14d ago 0 comments

Coverage Cat (YC S22) Is Hiring a Senior, Staff, or Principal Engineer (coveragecat.com)

1 points by botacode 15d ago 0 comments

Kaizen (YC X25) is hiring engineers to build browser agents that work (kaizenautomation.com)

1 points by michaelssilver 16d ago 0 comments

Infracost (YC W21) hiring first PM to shift $600B cloud spend to proactive (ycombinator.com)

1 points by akh 16d ago 0 comments

Sei (YC W22) Is Hiring a Full Stack Engineer in Chennai, India (ycombinator.com)

1 points by ramkumarvenkat 17d ago 0 comments

Artie (YC S23) Is Hiring Founding AEs (ycombinator.com)

1 points by j-cheong 17d ago 0 comments

Cedana (YC S23) Is Hiring a Systems Engineer (ycombinator.com)

1 points by neelm 17d ago 0 comments

CodeCrafters (YC S22) is hiring first Marketing Person (ycombinator.com)

1 points by sarupbanskota 18d ago 0 comments

PAX Markets (YC W25) is hiring a founding principal hardware (RTL) engineer (ycombinator.com)

1 points by etep 18d ago 0 comments

Sendblue (YC S23) is hiring senior engineers (ycombinator.com)

1 points by rhaber 18d ago 0 comments

Thunder Compute (YC S24) Is Hiring a C++ Systems Engineer (ycombinator.com)

1 points by cpeterson42 23d ago 0 comments

Optery (YC W22) Is Hiring in Engineering, Legal, Sales, Marketing (U.S., Latam) (optery.com)

1 points by beyondd 24d ago 0 comments

QuestDB (YC S20) Is Hiring a Technical Content Lead (questdb.com)

1 points by nhourcard 24d ago 0 comments

Depot (YC W23) Is Hiring a Technical Content Writer (Remote) (ycombinator.com)

1 points by jacobwg 24d ago 0 comments

Firebender (YC W24) Is Hiring (ycombinator.com)

1 points by kevo1ution 25d ago 0 comments

Show HN: Scoped, expiring API keys for AI agents

4 lexokoh 4 8/16/2025, 2:42:38 PM github.com ↗

I’ve been experimenting with AI agents lately, and one problem kept coming up: they either get a raw API key with full access or nothing at all. That’s risky, especially if you’re testing agents that can make arbitrary calls.

So I hacked together a tiny package called Kage Keys - https://github.com/kagehq/keys

It lets you wrap agent actions with scoped, short-lived tokens instead of handing over your real API keys.

Example:

```js import { withAgentKey, getLogs } from "@kagehq/keys";

async function main() { await withAgentKey("github:repos.read", async () => { console.log("Agent is calling GitHub API..."); });

  console.log(await getLogs());

}

main();

Right now it:

- Generates scoped, expiring tokens (default 10s)

- Logs every action to kage-keys.log

- Works as a drop-in wrapper for async functions

It’s just an MVP (tokens are fake UUIDs), but I want to see if developers find this helpful before building the production version with real crypto + proxy enforcement.

Repo: https://github.com/kagehq/keys

npm: https://www.npmjs.com/package/@kagehq/keys

Would love feedback, especially from anyone running agents in production or dealing with API key sprawl.

Comments (4)

skyzouwdev · 4h ago

Makes sense — handing full API keys to agents is a huge risk surface. Even with fake UUIDs at MVP stage, the scoped/expiring pattern seems useful. Curious if you’ve thought about integrating with existing secrets managers (Vault, Doppler, etc.) instead of rolling custom crypto later on.

lexokoh · 1h ago

Thank you. Yes, it's one of the things I'm already looking into. So will work well with any Secrets manager, not compete with them.

Curious if you'd want to use it?

sinharishabh · 9h ago

interesting project, what is the primary use-case for something like this? i'm still giving the agent access anyway or is it just scoped-access? i'm trying to understand how the short-lived nature of these keys can help

lexokoh · 9h ago

Thank you. Instead of giving the agent your real API key, it gets a scoped, short-lived capability (e.g. “can post 1 message to Slack channel X in the next 30s”).

The short-lived nature means that if the token is leaked or the agent goes rogue, the blast radius is tiny, you can instantly revoke/deny new mints, and you get full audit and policy control. It turns “here’s my permanent master key” into “here’s a disposable permit slip for just this action.”

Let me know if that makes sense.