The API Key Anatomy Card

What's Inside

Everything from V09 on one printable A4 page.

Section A — Map Your Current Key

Five fillable lines per tool: name, key family (sk-proj- / sk-ant- / AKIA / AIza / sk_live), scope, storage location, rotation cadence.

Section B — 7 Anatomy Checks

Family match, smallest scope, OS-protected storage (DPAPI / Keychain / libsecret), rotation tested, revocation path documented, dashboard fresh, refresh-token preferred.

Section C — The Threshold

6–7 Yes = own the bridge, anatomy intact. 3–5 = patch first, tighten scope and storage. Less than 3 = rented illusion, you own the label, not the bridge.

The Pillar Statement

Own the bridge — not just its label. AI sovereignty starts with knowing the anatomy of the key in your hand.

Sources · data as of May 2026

Every check on the card is grounded in primary sources — not opinions.

• · GitGuardian — State of Secrets Sprawl 2025/2026
• · OpenAI Platform Docs — Project-scoped API keys (sk-proj-)
• · Anthropic API Docs — Workspace tokens (sk-ant-api03- / sk-ant-oat01-)
• · AWS IAM — Access key prefix convention (AKIA)
• · Google Cloud — API keys (AIza) and Service Account JSON
• · Microsoft — DPAPI (Win32) docs
• · Apple — Keychain Services Programming Guide
• · freedesktop.org — Secret Service API spec
• · IETF RFC 6749 + RFC 6819 — OAuth 2.0 + threat model
• · Git Credential Manager — cross-platform secret-storage comparison

The FYTAHQ Promise