diff --git a/hv4gha/entry.py b/hv4gha/entry.py
index 6b6304e..37266a2 100644
--- a/hv4gha/entry.py
+++ b/hv4gha/entry.py
@@ -6,6 +6,7 @@
 def import_app_key(
 pem_key: bytes | str,
+ *,
 key_name: str,
 vault_addr: str,
 vault_token: str,
@@ -26,14 +27,22 @@ def import_app_key(
 if isinstance(pem_key, str):
 pem_key = pem_key.encode()
- transit = VaultTransit(vault_addr, vault_token, transit_backend)
- transit.import_key(key_name, pem_key)
+ transit = VaultTransit(
+ vault_addr=vault_addr,
+ vault_token=vault_token,
+ transit_backend=transit_backend,
+ )
+ transit.import_key(
+ key_name=key_name,
+ pem_app_key=pem_key,
+ )
 if revoke_vault_token:
 transit.revoke_token()
 def issue_access_token(
+ *,
 key_name: str,
 vault_addr: str,
 vault_token: str,
@@ -64,11 +73,24 @@ def issue_access_token(
 if isinstance(app_id, int):
 app_id = str(app_id)
- transit = VaultTransit(vault_addr, vault_token, transit_backend)
- jwt: str = transit.sign_jwt(key_name, app_id)
-
- ghapp = GitHubApp(account, jwt)
- access_token: TokenResponse = ghapp.issue_token(permissions, repositories)
+ transit = VaultTransit(
+ vault_addr=vault_addr,
+ vault_token=vault_token,
+ transit_backend=transit_backend,
+ )
+ jwt: str = transit.sign_jwt(
+ key_name=key_name,
+ app_id=app_id,
+ )
+
+ ghapp = GitHubApp(
+ account=account,
+ jwt_token=jwt,
+ )
+ access_token: TokenResponse = ghapp.issue_token(
+ permissions=permissions,
+ repositories=repositories,
+ )
 if revoke_vault_token:
 transit.revoke_token()
diff --git a/hv4gha/gh.py b/hv4gha/gh.py
index 917b518..d1b0963 100644
--- a/hv4gha/gh.py
+++ b/hv4gha/gh.py
@@ -124,7 +124,7 @@ class AccessToken(BaseModel):
 class GitHubApp:
 """GitHub App Access Tokens, etc"""
- def __init__(self, account: str, jwt_token: str):
+ def __init__(self, *, account: str, jwt_token: str):
 """
 :param app_id: GitHub App ID.
 :param jwt_token: GitHub App JWT token
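Review bot: In hv4gha/entry.py, `transit.revoke_token()` in `import_app_key` (hunk `@@ -26,14 +27,22 @@`) runs only after `transit.import_key(...)` returns, so if the import raises, a Vault token the caller asked to have revoked stays valid. `issue_access_token` (hunk `@@ -64,11 +73,24 @@`) has the same ordering: an error from `sign_jwt` or `issue_token` skips the revocation. Moving the revocation into a `finally:` block, as sketched below for `import_app_key`, makes `revoke_vault_token=True` hold on every exit path. Both function bodies start outside their hunks, so confirm no enclosing handler already covers this.

```python
    # … unchanged: VaultTransit(...) construction …
    try:
        transit.import_key(
            key_name=key_name,
            pem_app_key=pem_key,
        )
    finally:
        # Revoke on the failure path too, so the token never outlives the call.
        if revoke_vault_token:
            transit.revoke_token()
```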
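Review bot: The `GitHubApp.__init__` docstring in hv4gha/gh.py (hunk `@@ -124,7 +124,7 @@`) still documents `:param app_id: GitHub App ID.`, but the signature takes `account` and has no `app_id` parameter. With the arguments now keyword-only, callers must spell the names, so the docstring should name the real one, for example `:param account: GitHub account the App is installed on.` (wording presumed from the `__find_installation` helper; confirm against the body). The docstring continues past the end of the hunk.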
@@ -186,6 +186,7 @@ def __find_installation(self) -> str:
 def issue_token(
 self,
+ *,
 permissions: None | dict[str, str] = None,
 repositories: None | list[str] = None,
 ) -> TokenResponse:
diff --git a/hv4gha/vault.py b/hv4gha/vault.py
index a8a802a..56af5f0 100644
--- a/hv4gha/vault.py
+++ b/hv4gha/vault.py
@@ -72,7 +72,7 @@ class WrappingKey(BaseModel):
 class VaultTransit:
 """Interact with Vault's Transit Secrets Engine"""
- def __init__(self, vault_addr: str, vault_token: str, transit_backend: str):
+ def __init__(self, *, vault_addr: str, vault_token: str, transit_backend: str):
 """
 :param vault_addr: Vault instance VAULT_ADDR.
 :param vault_token: Vault instance VAULT_TOKEN.
@@ -147,7 +147,7 @@ def __api_write(
 return response
- def import_key(self, key_name: str, pem_app_key: bytes) -> None:
+ def import_key(self, *, key_name: str, pem_app_key: bytes) -> None:
 """
 Import GitHub App key
@@ -169,7 +169,7 @@ def import_key(self, key_name: str, pem_app_key: bytes) -> None:
 self.__api_write(api_path, payload, AppKeyImportError)
- def sign_jwt(self, key_name: str, app_id: str) -> str:
+ def sign_jwt(self, *, key_name: str, app_id: str) -> str:
 """
 Sign JWT token to authenticate towards GitHub
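Review bot: In hv4gha/gh.py, `issue_token` (hunk `@@ -186,6 +186,7 @@`) leaves both `permissions` and `repositories` defaulting to `None`, and nothing visible states what scope that requests. The method body is outside the hunk; if `None` means the field is omitted from the request, GitHub issues a token carrying every permission and repository of the installation. A docstring line such as `:param permissions: Permissions to request; None requests everything granted to the installation.` (and the equivalent for `repositories`) would make the least-privilege choice explicit to callers.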