
Tokenized Tokens

What's this blog post about?

Fly.io has developed a multipurpose secret-using service called the Tokenizer, a stateless HTTP proxy that holds the private key of a Curve25519 keypair. When Fly.io gets a new third-party API secret, it encrypts the secret to Tokenizer's public key; in the post's terms, it "tokenizes" it. Fly.io's API server can handle the encrypted (tokenized) secret, but it can't read or use it directly. Only Tokenizer can. Fly.io also developed SSOkenizer, which performs the OAuth2 dance on behalf of Rails and then uses the output to drive the Tokenizer. These tools are open source and easy for others to deploy and use themselves.

Company
Fly.io

Date published
July 12, 2023

Author(s)
Ben Toews

Word count
1696

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.