aaronpk: the best way to do that is with a hardware-backed key, that way the private key isn't able to be exported at all. with an exportable key, it's better than nothing but ultimately just shifts the problem from worrying about stealing the token to worrying about stealing the private key