Kolkata, India – In the last five years, India has quietly topped a global leaderboard few are proud of: the highest number of leaked API keys and access credentials on public repositories like GitHub. These seemingly small mistakes, known as secret sprawl, have cost companies millions of dollars in data breaches, downtime, and trust. But while the issue has remained largely ignored in public discourse, two college students from India have decided to do something about it.
Meet Keyshade – a lightweight, developer-first secret and configuration management tool that could change how Indian developers handle sensitive data forever.
The Problem No One Talks About
Every software product – whether a food delivery app or a bank’s backend – relies on secrets: API keys, tokens, database URIs, and credentials. Developers typically store these in .env files, hoping they stay private. But when code is pushed to GitHub, shared in Slack, or even screen-recorded for demo purposes, these secrets often leak.
This phenomenon, known as secret sprawl, is alarmingly common, especially in India, where fast-growing teams, open-source enthusiasm, and lax DevSecOps practices create a perfect storm.
The consequences can be catastrophic. In 2022, Uber suffered a massive breach when a leaked hardcoded secret in a PowerShell script gave attackers access to internal tools, codebases, and even Slack. In Toyota’s case, an access key embedded in public GitHub code remained exposed for five years, compromising customer data from over 2 million vehicles. Neither breach was the result of sophisticated hacking – just poor secrets management.
“In less than 30 minutes, I found over 100 exposed AWS keys just by searching public GitHub repos,” wrote Anmol, a cybersecurity researcher, in a Medium article.
According to the GitGuardian State of Secrets Sprawl Report 2025, over 23.7 million secrets were detected in public GitHub repositories in 2024, a 25% increase from the previous year. The report highlights that India ranks as the leading country in terms of exposed secrets, accounting for nearly 15% of all global incidents. This puts Indian organizations and developers at heightened risk, with leaked credentials often serving as the initial attack vector in major breaches.
The Spark
Keyshade was born out of frustration. Its two co-founders, both engineering students, kept running into the same issue on every project: managing secrets was messy, insecure, and ignored.
“We weren’t trying to build a startup,” says Rajdip Bhattacharya, CTO at Keyshade. “We just wanted to stop the chaos in our own projects like copying keys around, forgetting to rotate them, and hoping we never accidentally leak something.”
What started as an internal tool quickly gained traction in their peer circles. Open-source contributors, indie hackers, and even mid-size dev teams began asking for access.
That’s when they realized: the problem wasn’t just theirs – it was the industry’s.
How Keyshade Works
Keyshade offers a developer-friendly way to manage secrets without ever exposing them in the codebase.
- No .env files
- No risk of accidental commits
- Secure, encrypted storage and controlled access
- Seamless CLI/API integration for developers
- Minimal configuration built for speed and simplicity
“We wanted something as easy as .env, but safe by default,” says the team. “No security team should be needed just to handle credentials properly.”
It’s built for developers first, not just DevOps. Unlike heavyweight solutions like HashiCorp Vault, Keyshade doesn’t require spinning up servers, managing roles, or hiring consultants to use it.
India’s Developer Boom Needs Security Basics
India is currently on track to have the largest developer population in the world by 2027. Startups are scaling fast. But the basics of secure development haven’t kept pace.
“There’s no real education around secret handling. Most engineers graduate without ever learning what secret sprawl is,” says Sawan Bhattacharya, CEO of Keyshade.
This creates a huge national risk, not just for tech startups, but for India’s global tech reputation. Security-conscious investors, clients, and regulators may soon begin to ask hard questions.

By building tools like Keyshade, the founders hope to embed security into the development lifecycle itself, not as an afterthought, but as the default setting.
What’s Next
Currently in alpha, Keyshade is being tested by indie developers and open-source maintainers across India and abroad. A beta release is expected later this year, with plans for an open-source SDK and GitHub integration already underway.
They’re also preparing a “State of Secret Security in India” report, compiling live data on exposed credentials from public repos, to raise awareness and push the industry to take action.
Why This Matters
In an era of growing cyberattacks, every leak matters. A single exposed AWS key can cost a company lakhs, sometimes crores. And the worst part? Many don’t realize they’ve been breached until it’s too late.
With Keyshade, two recent college grads are trying to shift that narrative. They’re proving that good security doesn’t have to be complicated, just thoughtful.
“Secrets shouldn’t be a security risk,” they say.
“They should be invisible.”
For Early Access:
Keyshade
