Public beta · keynv.dev or self-hosted

Store secrets once.
Use safe aliases everywhere.

Developer-first vault for API keys, database credentials, SSH secrets, webhook tokens, and internal credentials. Use readable aliases like @billing.prod.db_password in code, terminals, CI, and AI tools — real values stay protected.

npm install -g @keynv/cli · run keynv · no credit card

developer / agent view · alias only
$ keynv exec -- mysql -p@billing.prod.db_password
# exit 0 · 142ms
$ ps aux | grep mysql
mysql -p▒▒▒▒▒▒ -h ▒▒▒▒▒▒
# argv redacted by output scanner
runtime · resolved privately
# resolved at fork-time, no env / no argv
mysql -p$secret_via_stdin
connected to db.prod.acme.internal
$ select count(*) from payments;
42,318
# this output never reaches the agent's transcript
vaulted · sha256:9f4c2e · audit chain · 3 actors · 7 reads in last hour
01 · what keynv protects

One place for the credentials your team uses every day. Not just developer env vars.

Store secrets manually in the dashboard, import them from existing .env files, or manage them from the CLI. keynv keeps the real value in the vault and gives your team a safe alias to use everywhere else.

Application secrets

API keys, database URLs, OAuth client secrets, webhook signing keys, and service tokens organized by project and environment.

Manual team credentials

Shared internal passwords, SSH credentials, admin tokens, and operational secrets that should not live in chat, notes, or local files.

AI-assisted workflows

Aliases are safe to show in prompts, code reviews, terminal transcripts, and agent tool calls; real values resolve only at runtime.

Readable aliases

Use names like @billing.prod.stripe_key instead of copying raw values between tools.

Project + environment scope

Keep dev, staging, and production credentials separated with clear ownership.

Audit-ready access

Track who read or changed a secret, when it happened, and which project it belonged to.

02 · why it exists

The old secret workflow breaks down as soon as more than one person needs access.

Secrets usually start in .env files, then spread into chat, shell history, CI settings, screenshots, and AI agent transcripts. keynv replaces that copying habit with a vault, readable aliases, runtime resolution, and an audit trail your team can actually follow.

  • less copying
    developers use aliases instead of moving raw values
  • manual + app
    store operational credentials and project env vars together
  • agent-safe
    AI tools see alias literals, not production credentials
03 · how it works

A vault for real values. Aliases for everything developers touch.

  1. Connect

    Install the CLI and run keynv. The TUI connects to keynv.dev or your self-hosted server, then offers to set up the current project.

  2. Store

    Add secrets manually in the dashboard, create them from the CLI, or import existing .env files into project and environment scopes.

  3. Use safely

    Code, configs, terminals, CI, and AI agents use @project.env.key. keynv resolves the real value only when a trusted runtime needs it.
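
An added sketch of the resolve-at-runtime pattern in the steps above (example code written for this page, not keynv's own implementation): a wrapper looks up an @project.env.key alias, hands the value to the child process on stdin only, and replaces the value with its alias in the captured output. The in-memory VAULT, the function names, and the ECHO_CHILD command are constructed assumptions.

```python
import re
import subprocess
import sys

# Constructed in-memory stand-in for a vault (hypothetical values, not keynv storage).
VAULT = {
    "@billing.prod.db_password": "constructed-Pa55w0rd",
    "@reports.prod.dsn": "postgres://app:constructed-Pa55w0rd@db.example/reports",
}
ALIAS_RE = re.compile(r"@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Constructed child process that misbehaves by echoing what it read on stdin.
ECHO_CHILD = [sys.executable, "-c",
              "import sys; print('login ok with ' + sys.stdin.read())"]


def resolve(alias):
    """Look up an @project.env.key alias; fail closed on anything else."""
    if not ALIAS_RE.fullmatch(alias) or alias not in VAULT:
        raise KeyError(f"unknown or malformed alias: {alias}")
    return VAULT[alias]


def redact(text, secrets):
    """Replace each resolved value with its alias, longest value first so a
    secret that contains another secret is not left half-visible."""
    for alias, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(value, alias)
    return text


def exec_with_alias(argv, stdin_alias):
    """Run argv with the secret on stdin only; return (exit code, redacted output).

    The secret is never placed in argv or the environment, so it does not
    show up in process listings or get inherited by grandchildren via env.
    """
    secret = resolve(stdin_alias)  # raises before any process is started
    proc = subprocess.run(argv, input=secret, capture_output=True,
                          text=True, timeout=30)
    return proc.returncode, redact(proc.stdout + proc.stderr,
                                   {stdin_alias: secret})


if __name__ == "__main__":
    print(exec_with_alias(ECHO_CHILD, "@billing.prod.db_password"))
```

Exact-match redaction does not catch a value the child prints encoded, truncated, or otherwise transformed, so output scrubbing works alongside narrowly scoped credentials rather than in place of them.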

04 · developer workflows

Works where secrets already create risk. Local dev, CI, dashboards, and AI agents.

Run keynv in your project root and choose Set up this project. The TUI can migrate existing .env values, write a commit-safe .keynv.env, and keep raw secrets out of your repo.

Claude Code

your-project/.keynv.env
{
  "mcpServers": {
    "keynv": {
      "command": "keynv-mcp"
    }, ...
  }
}
install
keynv
  • MCP server with use_secret refs
  • Output redactor on every tool result
  • TUI-guided project setup

MCP-powered agents

any MCP-compatible agent
{
  "mcpServers": {
    "keynv": {
      "command": "keynv-mcp"
    }
  }
}
install
keynv-mcp
  • Works with any MCP client
  • use_secret returns single-use refs
  • Resolution inside privileged subprocess

Local dev + CI

any process · aliases only
# in your bash / zsh / fish
$ keynv exec -- pg_dump -d @reports.prod.dsn
# subprocess gets the value via stdin;
# your shell history sees only the alias
install
keynv exec -- pnpm dev
  • Works with anything that takes argv/env/stdin
  • CI runners, Docker, Coolify
  • No vendor lock-in
04 · install the CLI

One command. The CLI does the rest.

Install
npm install -g @keynv/cli
Verify
keynv --version

full first-run walkthrough → quickstart

05 · pricing

Free to self-host, forever. Managed tier is on the way.

Self-hosted
Free · MIT license planned

The whole platform, on your infra. Single binary + SQLite + Litestream.

  • Unlimited projects, secrets, members
  • Full audit chain + tamper verification
  • OS keychain KEK, libsodium envelope encryption
  • All AI-agent integrations
  • Community support on GitHub
coming soon
Managed
TBD · waitlist open

We run it for your team. Same binary, hosted region of your choice, 99.9% SLA.

  • Everything in Self-hosted
  • Hosted on your region (EU / US)
  • Daily encrypted backups
  • Email support, 1-business-day reply
  • Migration tool from Doppler / 1Password
Enterprise
Custom · coming soon

HSM/KMS-backed KEK, SSO, on-prem audit export, named architect.

  • AWS KMS / GCP KMS / Vault Transit KEK
  • SSO (SAML, OIDC) + SCIM provisioning
  • SOC 2 Type II report
  • Postgres adapter, multi-region replication
  • Dedicated solution architect

self-host stays free regardless of which tier you pick

Ready to clean up your secret workflow?

Start on keynv.dev or self-host the same stack. One CLI, one dashboard, one safe alias layer for developers and AI-assisted teams.