Overview

Change from a secret key type auth in VS Code to something that uses the account manager API ( https://code.visualstudio.com/api/references/vscode-api#authentication ).

This prevents the secret key from being stored in an unprotected plain/obfuscated text format; the credentials remain protected via the various credential protection systems. The Entra credentials in VS Code are protected by Credential Guard and other isolation tech, preventing all access to the secret store. Even if a threat actor wanted to read encrypted creds, they could not, as they are behind hypervisor protection from an access perspective.

This also opens a lot of new SSO scenarios, as VS Code is frequently already authenticated to Entra ID or GitHub or both, allowing for the easy, (sometimes) non-interactive, automatic login of the extension.

This allows for integration with audit systems, as standard auth APIs are frequently integrated into SIEMs and other various security systems (e.g. Entra ID Identity Protection).

Standard auth APIs allow for 3rd party integration too, allowing for even more integration and 3rd party friendliness without needing to do anything or partner to get your integrations to other products.

TL;DR

As a threat actor I can steal the API keys from disk for your end users pretty easily. Please stop storing the authentication secrets as API keys and instead use the auth APIs.
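A sketch of what the requested change could look like in an extension, added here as an illustration and not part of the original request or of any project's code. It assumes the backend accepts Entra ID tokens from the built-in `microsoft` provider; the scope string, the `AuthApi` interface and both function names are placeholders for this example.

```typescript
// Structural subset of the real `vscode.authentication` API, declared locally so
// the logic type-checks outside the extension host. Inside an extension, pass
// `vscode.authentication` itself as the `auth` argument.
interface Session {
  accessToken: string;
  account: { id: string; label: string };
  scopes: readonly string[];
}
interface GetSessionOptions { silent?: boolean; createIfNone?: boolean; }
interface AuthApi {
  getSession(providerId: string, scopes: readonly string[],
             options?: GetSessionOptions): PromiseLike<Session | undefined>;
}

const PROVIDER_ID = "microsoft"; // built-in provider; "github" is the other one
// Placeholder scope (assumption): replace with the scope your API registers.
const SCOPES: readonly string[] = ["api://<your-app-id>/.default"];

// Reuse the account VS Code is already signed in to (no prompt). Fall back to
// an interactive sign-in only when the caller allows it.
async function acquireSession(auth: AuthApi, interactive: boolean): Promise<Session | undefined> {
  const existing = await auth.getSession(PROVIDER_ID, SCOPES, { silent: true });
  if (existing || !interactive) {
    return existing;
  }
  return await auth.getSession(PROVIDER_ID, SCOPES, { createIfNone: true });
}

// Build request headers from a session fetched on every call. The extension
// never writes the token to settings.json, globalState or a file on disk.
async function authHeaders(auth: AuthApi, interactive: boolean = true): Promise<Record<string, string>> {
  const session = await acquireSession(auth, interactive);
  if (!session) {
    throw new Error("Not signed in: no session available for " + PROVIDER_ID);
  }
  return { Authorization: `Bearer ${session.accessToken}` };
}
```

Because the session comes from the provider each time, sign-out or revocation in the Accounts menu takes effect on the next request, with no stale key left on disk.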