Claude Code
your-project/.keynv.env{"mcpServers": {"keynv": {"command": "keynv-mcp"}, ...}}
install
keynv init- MCP server with use_secret refs
- Output redactor on every tool result
- Shell wrapper: keynv exec --
Public beta · self-host today
Secrets your AI agent
can’t leak.
Self-hosted vault for your team’s API keys, database passwords, and SSH credentials. Your AI coding agent sees the alias literal — @billing.prod.db_password — never the value.
no credit card · self-host the same binary anytime
agent's view·what your AI sees
$ keynv exec --mysql -p@billing.prod.db_password# exit 0 · 142ms$ ps aux | grep mysqlmysql -p▒▒▒▒▒▒ -h ▒▒▒▒▒▒# argv redacted by output scanner
subprocess·privileged · agent-blind
# resolved at fork-time, no env / no argvmysql -p$secret_via_stdin→ connected to db.prod.acme.internal$ select count(*) from payments;42,318# this output never reaches the agent's transcript
verified·sha256:9f4c2e·chain head·3 actors · 7 reads in last hour
01 · why it exists
AI coding agents made the secret-leak problem an order of magnitude worse.
Developers leak credentials constantly — .env files committed to repos, keys left in shell history, tokens in tool outputs. AI agents permanently residing in your terminal made it worse: every command, every file, every diff is shipped to a vendor’s logs. Existing vaults (HashiCorp, Doppler, 1Password) are mature but none were designed around AI agents being there.
- 23.7Mhardcoded secrets pushed to GitHub in 2024 (+25% YoY)
- every diffvisible to your AI agent's vendor — and their logs
- alias-onlyresolution happens in a process the agent cannot read
02 · how it works
Aliases in code. Resolution in a process the agent can’t see.
Store
Add a secret with the CLI or web UI. Encrypted at rest with a per-project DEK; the master KEK lives in your OS keychain.
Reference
In code, configs, and bash you type
@project.env.key. The literal alias is the only string the agent ever sees.Resolve safely
keynv execspawns a subprocess with the real value injected via stdin. Tool outputs are scanned for leaks before they return.
03 · agent integrations
Drop into the agent you already use. No prompt-engineering required.
Run keynv init in your project root — it scans existing.env files, uploads detected secrets to the vault, and writes a project-local .keynv.env that maps alias names to vault references. Safe to commit — alias literals only, never raw values.
MCP-powered agents
any MCP-compatible agent{"mcpServers": {"keynv": {"command": "keynv-mcp"}}}
install
keynv-mcp- Works with any MCP client
- use_secret returns single-use refs
- Resolution inside privileged subprocess
Any shell
any process · zero config# in your bash / zsh / fish$ keynv exec --pg_dump -d @reports.prod.dsn# subprocess gets the value via stdin;# your shell history sees only the alias
install
keynv exec -- pnpm dev- Works with anything that takes argv/env/stdin
- CI runners, Docker, Coolify
- No vendor lock-in
04 · install the CLI
One command. The CLI does the rest.
Install
npm install -g @keynv/cliVerify
keynv --versionfull first-run walkthrough → quickstart
05 · pricing
Free to self-host, forever. Managed tier is on the way.
Self-hosted
FreeMIT license planned
The whole platform, on your infra. Single binary + SQLite + Litestream.
- Unlimited projects, secrets, members
- Full audit chain + tamper verification
- OS keychain KEK, libsodium envelope encryption
- All AI-agent integrations
- Community support on GitHub
Managed
TBDwaitlist open
We run it for your team. Same binary, hosted region of your choice, 99.9% SLA.
- Everything in Self-hosted
- Hosted on your region (EU / US)
- Daily encrypted backups
- Email support, 1-business-day reply
- Migration tool from Doppler / 1Password
Enterprise
Customcoming soon
HSM/KMS-backed KEK, SSO, on-prem audit export, named architect.
- AWS KMS / GCP KMS / Vault Transit KEK
- SSO (SAML, OIDC) + SCIM provisioning
- SOC 2 Type II report
- Postgres adapter, multi-region replication
- Dedicated solution architect
self-host stays free regardless of which tier you pick