npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

token-guardian

v1.0.1

Published

A comprehensive solution for protecting and managing API tokens and secrets

Downloads

362

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

geeknikgeeknik

Keywords

securitytokenssecretsapi-keysjwtrotationcanary-tokens

Readme

TokenGuardian

🔒 Zero-trust token security, leak prevention and rotation automation for Node.js applications

npm version CI CodeQL license

The Problem

API tokens, JWT tokens, and secrets are constantly leaked through accidental commits, environment misconfigurations, and poor rotation practices. Once exposed, these tokens create significant security vulnerabilities that often go undetected until it's too late.

The Solution

TokenGuardian provides multi-layered protection for your tokens and secrets:

  1. Leak Prevention - Git pre-commit hooks that scan for potential token patterns across multiple formats
  2. Validation - Runtime token validation that verifies entropy and format compliance
  3. Rotation - Fully automated token rotation capabilities with common services (AWS, GitHub, etc.)
  4. Monitoring - Token canary system that alerts when exposed credentials are used
  5. Tracking - Fingerprinting to track token usage across systems

Installation

npm install token-guardian

Usage

import { TokenGuardian } from 'token-guardian';

// Initialize TokenGuardian with your configuration
const guardian = new TokenGuardian({
  services: ['github', 'aws'],
  rotationInterval: '7d',
  canaryEnabled: true
});

// Check if a string contains potential tokens or secrets
const hasSensitiveData = guardian.scanString('My API key is sk_test_1234567890abcdef');

// Protect your GitHub token and enable rotation
guardian.protect('GITHUB_TOKEN', process.env.GITHUB_TOKEN, {
  rotationEnabled: true,
  canaryEnabled: true,
  serviceType: 'github'
});

// Protect your AWS credentials and enable rotation
// AWS credentials must be in format "ACCESS_KEY_ID:SECRET_ACCESS_KEY"
guardian.protect('AWS_CREDENTIALS', `${process.env.AWS_ACCESS_KEY_ID}:${process.env.AWS_SECRET_ACCESS_KEY}`, {
  rotationEnabled: true,
  canaryEnabled: true,
  serviceType: 'aws'
});

// Get a protected token
const token = guardian.getToken('GITHUB_TOKEN');

// Manually rotate a token
await guardian.rotateToken('AWS_CREDENTIALS');

// Pause scheduled rotation if you need to take a token out of circulation temporarily
guardian.stopRotation('GITHUB_TOKEN');

// Stop all scheduled rotations (useful during shutdown or maintenance)
guardian.stopAllRotations();

Features

🔍 Token Detection

TokenGuardian can detect over 150 different token formats, including:

  • API Keys (AWS, GitHub, Stripe, etc.)
  • JWT Tokens
  • OAuth Tokens
  • Private Keys (SSH, RSA, etc.)
  • Cryptocurrency Private Keys
  • Database Connection Strings

🔄 Automated Rotation

TokenGuardian provides actual working rotation for supported services:

  • AWS IAM Keys: Securely rotates IAM access keys with proper verification
  • GitHub Tokens: Full API-based rotation with scope preservation
  • Custom Services: Extensible framework for adding more services
  • Rotation Controls: Explicitly pause rotation per token or stop all schedules during shutdown

Rotation intervals are validated (positive integers followed by d, h, m, or s). Invalid inputs automatically fall back to the configured default (30d by default).

🕵️ Canary Tokens

Embed undetectable canary markers in your tokens to be alerted when they're used outside your authorized systems. Supports clever embedding in:

  • JWT tokens (preserves functionality while adding tracking)
  • Long string tokens (minimal modifications that maintain functionality)
  • Multiple format-specific strategies for optimal tracking

🔐 Token Storage

All sensitive data is encrypted at rest using AES-256-CBC with:

  • Per-token encryption to minimize exposure
  • Secure key derivation
  • Comprehensive audit logging

🌐 Token Fingerprinting

Track where and how your tokens are being used across your infrastructure:

  • Usage patterns
  • Access timestamps
  • Anomaly detection

CI/CD and GitHub Workflows

To use the included CI/CD workflows, copy the workflow files into your GitHub repository:

  1. Create the .github/workflows directory
  2. Copy ci-workflow.yml to .github/workflows/ci.yml
  3. Copy release-workflow.yml to .github/workflows/release.yml

These workflows will:

  • Run tests on multiple Node.js versions
  • Perform security scanning with CodeQL
  • Publish releases to npm

Security

TokenGuardian takes a zero-trust approach to token security. All sensitive data is encrypted at rest and in transit, and we implement defense-in-depth with multiple layers of protection.

License

MIT