Your secrets aren't secret at runtime.
Every bearer token in your services is one supply-chain compromise away from walking out the door. Overbearer makes leaked tokens worthless.
You secured the vault. You forgot the runtime.
You store tokens in Vault, in Kubernetes Secrets, in HSMs. You only show them once. You rotate them religiously. You treat them like state secrets.
And yet — at runtime, that token sits in an environment variable. In a config file. In memory. The moment any link in your supply chain is compromised, that token walks out the door.
You rotate, patch, and hope. But it will happen again.
What if leaked tokens were completely worthless?
The problem isn't how you store tokens. The problem is that the token your service uses is the real token. If it leaks, the attacker has the keys to the kingdom.
Overbearer changes the equation. Your services use fake tokens — meaningless strings that are useless outside your infrastructure.
Fake token in: ob_fake_7f3a9b2c1d8e5f4a6b...
Real token out: sk-real-prod-abc123def456...

Fake tokens in. Real tokens out.
Overbearer is a transparent proxy between your services and the APIs they call. It intercepts outgoing requests and swaps fake tokens for real ones from an encrypted vault — on the fly. Because those calls are HTTPS, your services trust the CA you generate at setup: the proxy issues certificates from it to terminate TLS, swaps the header, and re-encrypts to the real API.
Your services never see, store, or transmit real API keys. A stolen fake token is only usable by an attacker who already has persistent access inside your infrastructure and can route traffic through the proxy.
That's a dramatically higher bar than pasting a leaked key into curl.
See everything. Miss nothing.
Every token swap is logged. Which service used which token, when, to which endpoint. Full audit trail shipped to ClickHouse with 90-day retention.
When something goes wrong, you don't guess. You know.
- Real-time streaming with auto-refresh and filtering
- ClickHouse-backed for fast queries at scale
- Filter by service, token, provider, or time range


Catch real tokens in the wild.
Overbearer automatically detects requests that carry a real token instead of a fake one: a service that still has the real credential baked in and is bypassing the swap entirely.
You see which service, which token, and when it happened. Fix it before it becomes a breach.
No more guessing which services still have real credentials baked in.
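The swap and the bypass detection described above, as an added illustration rather than Overbearer's own code: a proxy-side rewrite step that looks up the fake bearer token in a vault, replaces it with the real one for the permitted service, flags requests that already carry a real key, and records every decision as an audit event keyed by a token fingerprint instead of the token itself. The vault contents, service names, the "looks like a real key" regex, the `block_real` switch and the in-memory audit list are constructed for this example; the page describes detection only, so blocking is off by default.

```python
"""Fake-token swap with real-token detection and audit logging (added example)."""
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field

# Constructed vault: fake token -> real token, provider, services allowed to use it.
# In the product the real values sit encrypted in PostgreSQL/memcached; here they
# are plain dict values so the example runs offline.
VAULT = {
    "ob_fake_7f3a9b2c1d8e5f4a6b": {
        "real": "sk-real-prod-abc123def456",
        "provider": "example-llm-api",
        "allowed_services": {"billing-worker"},
    },
}

# Heuristic for "this looks like a provider's real key" (constructed pattern).
REAL_KEY_PATTERNS = [re.compile(r"^sk-[A-Za-z0-9_-]{12,}$")]


def fingerprint(token: str) -> str:
    """Short SHA-256 prefix so audit logs identify a token without storing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


@dataclass
class AuditEvent:
    ts: float
    kind: str        # swap | real_token_detected | unknown_token | service_denied
    service: str
    endpoint: str
    token_fp: str
    provider: str = ""


@dataclass
class SwapProxy:
    vault: dict
    block_real: bool = False          # detection only by default; True fails closed
    audit: list = field(default_factory=list)

    def _log(self, kind, service, endpoint, token, provider=""):
        self.audit.append(AuditEvent(time.time(), kind, service, endpoint,
                                     fingerprint(token), provider))

    def _lookup_fake(self, presented):
        # compare_digest keeps each comparison constant-time in the token bytes
        for fake, entry in self.vault.items():
            if hmac.compare_digest(fake, presented):
                return entry
        return None

    def _looks_real(self, presented):
        if any(hmac.compare_digest(e["real"], presented) for e in self.vault.values()):
            return True
        return any(p.match(presented) for p in REAL_KEY_PATTERNS)

    def rewrite(self, service, endpoint, headers):
        """Return (forward?, headers to send upstream) for one outgoing request."""
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return True, dict(headers)          # no bearer token: nothing to swap
        if self._looks_real(presented):
            # A real credential is baked into this service: flag it, never swap it.
            self._log("real_token_detected", service, endpoint, presented)
            return (not self.block_real), dict(headers)
        entry = self._lookup_fake(presented)
        if entry is None:
            self._log("unknown_token", service, endpoint, presented)
            return False, dict(headers)
        if service not in entry["allowed_services"]:
            self._log("service_denied", service, endpoint, presented, entry["provider"])
            return False, dict(headers)
        out = dict(headers)
        out["Authorization"] = "Bearer " + entry["real"]
        self._log("swap", service, endpoint, presented, entry["provider"])
        return True, out


if __name__ == "__main__":
    p = SwapProxy(VAULT)
    for svc, tok in [("billing-worker", "ob_fake_7f3a9b2c1d8e5f4a6b"),
                     ("legacy-cron", "sk-real-prod-abc123def456"),
                     ("billing-worker", "ob_fake_deadbeef")]:
        fwd, hdrs = p.rewrite(svc, "/v1/completions", {"Authorization": "Bearer " + tok})
        print(fwd, hdrs["Authorization"][:18], p.audit[-1].kind)
```

The audit record carries a fingerprint rather than the presented value, so the log pipeline never becomes a second copy of the real key; the per-service allow-list is what turns a leaked fake token into a useless string even for an attacker who can reach the proxy from the wrong workload.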
Built for zero trust.
Every layer designed to minimize blast radius and maximize accountability.
Low-latency design
Sub-millisecond token lookup via memcached, TLS cert caching, async audit logging. Under 2ms added to request round-trip time.
Horizontally scalable
Proxy pods are stateless. All state lives in memcached and PostgreSQL. Scale to as many instances as you need.
Passkey-only auth
The management console uses WebAuthn passkeys exclusively. No passwords. Phishing-resistant by design. No password database to breach.
Role-based access
Four roles — requester, manager, viewer, admin — each with precisely scoped permissions. Principle of least privilege, enforced.
AES-256-GCM encryption
Real tokens are encrypted at rest in PostgreSQL and in the memcached cache. A dump of either store yields only ciphertext without the encryption key.
Kubernetes-native
Interactive setup generates all manifests. HPA for auto-scaling. Runs wherever your cluster runs.
Deploy in five minutes.
One script generates all Kubernetes manifests tailored to your environment. No Helm charts to debug.
Run the setup script
Walks you through namespace, hostnames, networking, storage, and scaling. Generates crypto secrets automatically.
Apply the manifests
kubectl apply the generated YAML. Infrastructure comes up first, then the Overbearer proxy and management console.
Create token mappings
Register with a passkey, generate your CA, add your real API keys. Your services get fake tokens in return.
Stop putting real tokens in your services.
One proxy. Fake tokens everywhere. Real tokens nowhere.