Release notes

Changelog

Every release, every change. We ship in the open — see what's new, what's improved, and what's coming next.

v1.0.0 2026-04-08
One vault, three types of credentials.

The 1.0 release

  • Three credential types now first-class: LLM API keys, service API keys, and OAuth credentials. 34 provider templates total.
  • OAuth credentials as a full multi-field type. Store client_id, client_secret, refresh_token, scopes, and endpoints as a single named credential. 14 pre-configured templates: Google, GitHub App, Slack, Microsoft, Notion, Spotify, Twitter/X, LinkedIn, Discord, Zoom, Dropbox, Salesforce, HubSpot, plus Custom OAuth.
  • apilocker run injects OAuth credentials as multiple env vars. A credential named google-oauth contributes GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, GOOGLE_OAUTH_REFRESH_TOKEN, etc. — one env var per non-empty field.
  • Three-bucket dashboard. Keys panel now shows LLM / Service / OAuth as three distinct sections, each with its own "+ Add" button that pre-selects the right tab in the Add Key modal.
  • Homepage rewritten with three-pillar positioning: "One vault, three types of credentials."

New credential operations

  • apilocker rename <old> <new> — lossless rename. Old names are remembered forever via a previous_names fallback, so existing .apilockerrc files and app code that reference the old name keep working. The CLI prints a gentle nudge whenever a legacy alias is used.
  • apilocker pause <alias> / resume — freeze proxy access without deleting. Reveal / run / get / env still work on paused credentials, so you can still rotate or inspect during incident response. Pause blocks only the proxy path; it does not revoke the underlying credential, so a key that may have leaked still needs to be rotated.
  • ElevenLabs provider template with the non-standard xi-api-key header correctly supported end-to-end through the proxy.
  • Custom header name support in provider templates for any service with a non-standard auth header.

Security + operations

  • OAuth CSRF protection: the GitHub/Google OAuth callbacks now require a state parameter that the server issued within the last 10 minutes (tracked in KV). Callbacks with a missing, unknown, or expired state are rejected with HTTP 400.
  • Per-device master tokens with independent revocation. Revoking a device takes effect instantly and only affects that device.
  • Open-redirect protection on OAuth return_to parameters: the value is validated as same-origin before any redirect, and cross-origin values are rejected.
  • Vault-only credentials are now first-class: base_url is optional. Credentials stored without one work with apilocker run/get/env but are not proxyable — a clear error message explains how to enable proxy access if you want it.
  • Cleanup cron for expired device authorization codes.

v0.5.0 2026-04-08
The trust layer.
  • apilocker doctor — security health report. Flags stale rotations, unused keys, expiring tokens, stale devices, and insecure local config permissions. Every warning comes with a concrete remedy command.
  • apilocker activity --follow — stream new proxy calls live, like tail -f. Polls every 2 seconds, deduplicated by call ID. Perfect for debugging during development.
  • apilocker update — check the npm registry for a newer version and show the upgrade command.

v0.4.0 2026-04-08
Onboarding + organization + hygiene.
  • apilocker import .env — migrate an existing project in 30 seconds. Reads a .env file, auto-detects providers from variable name prefixes, stores each secret, and offers to replace the .env with a committable .apilockerrc.
  • apilocker rotate <alias> — replace a credential's value in place with a masked-input prompt. Scoped tokens that reference the key continue working without reissue.
  • Tags and filters on apilocker list: filter by tag, provider, or substring search. Also added --tag as a repeatable flag on apilocker store.

v0.3.0 2026-04-08
The ".env replacement" trio.
  • apilocker run -- <command> — the killer feature. Run any subprocess with vault secrets injected as environment variables. Raw secrets never touch disk, never hit shell history, never get committed to git. (They do live in the child's environment, which other processes running as the same user can read, so treat this as hygiene rather than isolation.) Ctrl+C, SIGTERM, and SIGHUP are forwarded to the child cleanly.
  • apilocker get <alias> — print a single secret to stdout for scripting.
  • apilocker env — emit shell-eval-able export statements. Supports sh / bash / zsh / fish / PowerShell formats.
  • apilocker init + .apilockerrc support — pin a project to a specific set of credentials with a committable config file. After apilocker init, running apilocker run in that directory automatically picks up the right keys.

v0.2.0 2026-04-08
Browser-based device authorization.
  • apilocker register rewritten to use the RFC 8628 device authorization flow. No more pasted master tokens. Opens your browser for a one-click confirmation, same pattern as gh, vercel, wrangler.
  • apilocker devices list / revoke — manage devices registered to your account directly from the CLI.
  • Dashboard gets a Devices tab with matching list + revoke.

v0.1.x 2026-04-08
Initial public beta.
  • First public release. Encrypted credential vault with CLI register, store, list, delete, token, activity. 19 provider templates for major API services. Published to npm as apilocker.
