Comment by jrvarela56
15 hours ago
Agree, I was going the vaultwarden route and figured this pattern seems better: https://fly.io/blog/tokenized-tokens/
Secrets are encrypted and the proxy decrypts on the fly if destination is whitelisted for that token.
Reading through the discussion I was also thinking of the other fly.io blog post around their setup with macaroon tokens and being able to quite easily reduce the blast radius of them by adding more caveats. Feels like you could build out some kind of capability system with that that might mitigate some risks somewhat.
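
The caveat idea mentioned in the comments above, as an added Python example that is not part of the thread and is not fly.io's code: an HMAC-chained token where any holder can add restrictions but nobody without the root key can remove them. The `key = value` caveat syntax, the function names, the request fields and the sample key are all assumptions made for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer side: the base signature is HMAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [],
            "sig": _mac(root_key, identifier.encode())}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: no root key needed. new_sig = HMAC(old_sig, caveat),
    so the previous signature cannot be recovered from the new token."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat.encode())}

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Verifier side: recompute the chain, then check every caveat
    against the request being authorized."""
    sig = _mac(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # forged token, or a caveat was edited or stripped
    for caveat in token["caveats"]:
        key, sep, value = caveat.partition(" = ")
        if not sep or key not in request or str(request[key]) != value:
            return False  # malformed or unsatisfied caveat fails closed
    return True

# Constructed sample values, not real secrets or hosts.
ROOT_KEY = b"constructed-demo-key-not-a-real-secret"
broad = mint(ROOT_KEY, "agent-42")
narrow = attenuate(attenuate(broad, "host = api.example.com"), "method = GET")

if __name__ == "__main__":
    ok = {"host": "api.example.com", "method": "GET"}
    print(verify(ROOT_KEY, narrow, ok))
    print(verify(ROOT_KEY, narrow, {"host": "other.example", "method": "GET"}))
```

Handing `narrow` rather than `broad` to a less trusted component limits what a leak of that token can be used for, which is the blast-radius reduction the comment refers to.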