
token-guardian

v1.0.5

Published

A comprehensive solution for protecting and managing API tokens and secrets

Downloads

52

Readme

TokenGuardian

🔒 Zero-trust token security, leak prevention and rotation automation for Node.js applications


The Problem

API tokens, JWT tokens, and secrets are constantly leaked through accidental commits, environment misconfigurations, and poor rotation practices. Once exposed, these tokens create significant security vulnerabilities that often go undetected until it's too late.

The Solution

TokenGuardian provides multi-layered protection for your tokens and secrets:

  1. Leak Prevention - Git pre-commit hooks that scan for potential token patterns across multiple formats
  2. Validation - Runtime token validation that verifies entropy and format compliance
  3. Rotation - Fully automated token rotation capabilities with common services (AWS, GitHub, etc.)
  4. Monitoring - Token canary system that alerts when exposed credentials are used
  5. Tracking - Fingerprinting to track token usage across systems

Installation

npm install token-guardian

For default JWT rotation, set an explicit signing secret before using the built-in default rotator:

export TOKEN_GUARDIAN_SECRET_KEY="$(openssl rand -hex 32)"

Usage

import { TokenGuardian } from 'token-guardian';

// Initialize TokenGuardian with your configuration
const guardian = new TokenGuardian({
  services: ['github', 'aws'],
  rotationInterval: '7d',
  canaryEnabled: true
});

// Check if a string contains potential tokens or secrets
const hasSensitiveData = guardian.scanString('My API key is sk_test_1234567890abcdef');

// Protect your GitHub token. PAT rotation is intentionally disabled because
// GitHub does not expose supported APIs for PAT create/delete operations.
guardian.protect('GITHUB_TOKEN', process.env.GITHUB_TOKEN, {
  rotationEnabled: false,
  canaryEnabled: true,
  serviceType: 'github'
});

// Protect your AWS credentials and enable rotation
// AWS credentials must be in format "ACCESS_KEY_ID:SECRET_ACCESS_KEY"
guardian.protect('AWS_CREDENTIALS', `${process.env.AWS_ACCESS_KEY_ID}:${process.env.AWS_SECRET_ACCESS_KEY}`, {
  rotationEnabled: true,
  canaryEnabled: true,
  serviceType: 'aws'
});

// Get a protected token
const token = guardian.getToken('GITHUB_TOKEN');

// Manually rotate a token
await guardian.rotateToken('AWS_CREDENTIALS');

// Pause scheduled rotation if you need to take a token out of circulation temporarily
guardian.stopRotation('GITHUB_TOKEN');

// Stop all scheduled rotations (useful during shutdown or maintenance)
guardian.stopAllRotations();

Features

🔍 Token Detection

TokenGuardian can detect over 150 different token formats, including:

  • API Keys (AWS, GitHub, Stripe, etc.)
  • JWT Tokens
  • OAuth Tokens
  • Private Keys (SSH, RSA, etc.)
  • Cryptocurrency Private Keys
  • Database Connection Strings
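
As an added illustration (not token-guardian's own code) of the entropy-and-format validation described under The Solution and the detection described here: a small scanner that only reports a match when it passes both a format pattern and a Shannon-entropy gate, so fixed-text placeholders are not flagged. The patterns, thresholds and sample string are this example's own assumptions, not the package's 150-format catalogue.

```javascript
// Illustrative format patterns with a per-pattern entropy floor (assumptions,
// not token-guardian's catalogue). Private-key headers are fixed text, so they
// get no entropy requirement.
const PATTERNS = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g, minEntropy: 3.0 },
  { name: 'stripe-secret-key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g, minEntropy: 3.0 },
  { name: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g, minEntropy: 3.5 },
  { name: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g, minEntropy: 0 },
];

// Shannon entropy in bits per character. Real secrets are close to random and
// score high; placeholders such as "AKIAAAAAAAAAAAAAAAAA" score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// One finding per match that passes both the format and the entropy gate.
// Only a short prefix is kept so the finding itself never re-leaks the secret.
function scanString(text) {
  const findings = [];
  for (const { name, re, minEntropy } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (shannonEntropy(m[0]) < minEntropy) continue; // low-entropy placeholder, skip
      findings.push({ type: name, index: m.index, preview: m[0].slice(0, 6) + '...' });
    }
  }
  return findings;
}

// Constructed sample: the README's own usage string plus a placeholder key id.
const SAMPLE = 'My API key is sk_test_1234567890abcdef and the id AKIAAAAAAAAAAAAAAAAA';
console.log(scanString(SAMPLE));
```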

🔄 Automated Rotation

TokenGuardian provides actual working rotation for supported services:

  • AWS IAM Keys: Securely rotates IAM access keys with proper verification; AWS IAM responses are validated against the expected result blocks before new key material is accepted.
  • GitHub Tokens: PAT rotation is disabled by design; use OAuth refresh tokens or GitHub App credentials instead
  • Default JWT Rotation: Requires an explicit TOKEN_GUARDIAN_SECRET_KEY; no insecure fallback secret is used
  • Custom Services: Extensible framework for adding more services
  • Rotation Controls: Explicitly pause rotation per token or stop all schedules during shutdown

Rotation intervals are validated (positive integers followed by d, h, m, or s). Invalid inputs automatically fall back to the configured default (30d by default).
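
Added example, not token-guardian's own code: the interval format and fallback rule just described, as a parser, plus a scheduling helper for the caveat a practitioner hits with the 30d default (a single setTimeout cannot hold it). The unit table, the result shape and the chunked scheduler are this example's assumptions.

```javascript
// Interval format: a positive integer followed by exactly one of d, h, m, s.
const UNIT_MS = { s: 1000, m: 60000, h: 3600000, d: 86400000 };
const DEFAULT_INTERVAL = '30d';

// Milliseconds for a valid interval, null otherwise. "0d", "-1h", "7" and
// "7 days" are all rejected; only a positive integer plus one unit letter passes.
function parseInterval(value) {
  if (typeof value !== 'string') return null;
  const m = /^([1-9][0-9]*)([dhms])$/.exec(value.trim());
  if (!m) return null;
  const ms = Number(m[1]) * UNIT_MS[m[2]];
  return Number.isSafeInteger(ms) ? ms : null; // absurd lengths are treated as invalid
}

// Apply the fallback rule: an invalid value becomes the default, and the result
// records which one was used so the substitution can be logged rather than hidden.
function resolveInterval(value, fallback = DEFAULT_INTERVAL) {
  const ms = parseInterval(value);
  if (ms !== null) return { ms, source: 'configured', value };
  return { ms: parseInterval(fallback), source: 'default', value: fallback };
}

// setTimeout cannot hold more than 2^31-1 ms (about 24.8 days); a larger delay
// fires almost immediately, so a 30d rotation has to be run in chunks.
const MAX_TIMEOUT_MS = 2147483647;
function scheduleAfter(ms, fn) {
  let handle = null;
  const step = (remaining) => {
    const wait = Math.min(remaining, MAX_TIMEOUT_MS);
    handle = setTimeout(() => (remaining > wait ? step(remaining - wait) : fn()), wait);
  };
  step(ms);
  return { cancel: () => clearTimeout(handle) }; // always clears the current chunk
}
```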

🕵️ Canary Tokens

Embed undetectable canary markers in your tokens to be alerted when they're used outside your authorized systems. Supports clever embedding in:

  • Long string tokens (minimal modifications that maintain functionality)
  • Multiple format-specific strategies for optimal tracking

JWTs are left unchanged to preserve signature validity; TokenGuardian does not mutate signed JWT payloads for canary tracking. Webhook and per-token alert endpoints must use https:// and cannot point at localhost or private-network IP literals.

🔐 Token Storage

All sensitive data is encrypted at rest using AES-256-GCM authenticated encryption with:

  • Per-token encryption to minimize exposure
  • Secure key derivation
  • Tamper detection on decrypt
  • Comprehensive audit logging

🌐 Token Fingerprinting

Track where and how your tokens are being used across your infrastructure:

  • Usage patterns
  • Access timestamps
  • Anomaly detection

CI/CD and GitHub Workflows

To use the included CI/CD workflows, copy the workflow files into your GitHub repository:

  1. Create the .github/workflows directory
  2. Copy ci-workflow.yml to .github/workflows/ci.yml
  3. Copy release-workflow.yml to .github/workflows/release.yml

These workflows will:

  • Run tests on multiple Node.js versions
  • Perform security scanning with CodeQL
  • Publish releases to npm

Security

TokenGuardian takes a zero-trust approach to token security. All sensitive data is encrypted at rest and in transit, and we implement defense-in-depth with multiple layers of protection. Operational logs redact common secret-bearing fields such as tokens, authorization headers, API keys, and client secrets.

License

MIT