agent-secret

A secure local secret vault for developers. Store credentials in your OS keychain — never in plain text.

bash
$ curl -fsSL https://raw.githubusercontent.com/onurkerem/agent-secret/main/install.sh | bash

Core Capabilities

OS Keychain Storage

Secrets live in your OS native keychain — macOS Keychain, Windows Credential Manager, or Linux Secret Service. No custom encryption, no plain-text files.

Smart Injection

Injects secrets into .env files while preserving comments, blank lines, and key ordering. Special characters are auto-quoted. Files are written with 0600 permissions.

Zero Exposure

Secret values are never printed to the terminal. Verify existence with length checks, list key names only — values stay hidden at every step.

Usage

Store secrets once, inject them anywhere. Map stored names to different .env keys across projects — one vault, many environments.

Store secrets with hidden terminal input — nothing echoed to screen or history

Map secret names to different .env keys with SECRET_NAME:FILE_KEY syntax

Check configuration status in scripts with quiet mode exit codes

Works with any file containing .env in the name — .env.local, .env.production, etc.

Terminal
# Store a secret
$ agent-secret set API_KEY
# Inject into .env
$ agent-secret inject API_KEY
# Map to a different key
$ agent-secret inject PROJECTX_JWT_SECRET:JWT_SECRET
# Verify without seeing the value
$ agent-secret check DATABASE_URL
  ✓ Key 'DATABASE_URL' is set (length: 32 characters)
# List all stored secrets
$ agent-secret list
  API_KEY
  DB_PASSWORD
  JWT_SECRET

How It Works

Secrets live in the OS keychain. When you inject, they're written directly to your .env file — never displayed in the terminal.

OS Keychain

API_KEY
DB_PASSWORD
JWT_SECRET
PROJECTX_STRIPE_KEY

.env file

# Database config
DB_PASSWORD="••••••••"
JWT_SECRET="••••••••"
STRIPE_KEY="••••••••"
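
The injection behaviour described above (comments, blank lines and key order preserved, special characters quoted, 0600 permissions, SECRET_NAME:FILE_KEY mapping) looks like this in Python. This is an added example, not agent-secret's own code: the function names, the quoting rule and the temp-file write are assumptions, and the secret value is passed in as an argument instead of being read from the OS keychain.

```python
import os
import re
import tempfile

# Assumed rule: values made only of these characters are written unquoted.
_SAFE = re.compile(r"[A-Za-z0-9_./:@+-]+")
_ASSIGN = re.compile(r"^(\s*(?:export\s+)?)([A-Za-z_][A-Za-z0-9_]*)\s*=")

def split_mapping(spec):
    """'SECRET_NAME:FILE_KEY' -> (secret_name, file_key); bare name maps to itself."""
    name, _, file_key = spec.partition(":")
    return name, file_key or name

def quote_value(value):
    """Double-quote and escape values a dotenv parser could misread."""
    if _SAFE.fullmatch(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{escaped}"'

def inject(path, file_key, value):
    """Set file_key in a .env file, keeping comments, blank lines and key order."""
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        lines = []
    out, replaced = [], False
    for line in lines:
        m = _ASSIGN.match(line)
        if m and m.group(2) == file_key:
            if not replaced:  # update in place; drop stale duplicates further down
                out.append(f"{m.group(1)}{file_key}={quote_value(value)}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{file_key}={quote_value(value)}")
    # mkstemp creates the file with mode 0600, so the secret is never readable by
    # other users, and os.replace swaps it into place atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(out) + "\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

Because the new content is written to a 0600 temp file and then renamed over the target, an existing .env with looser permissions (for example 0644) ends up 0600 after injection.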

Built for AI Agents

agent-secret ships with a skill file for AI coding agents. Agents can verify secrets, inject them into .env files, and set up new projects — all without ever seeing secret values.

Auto-triggers when users mention API keys, credentials, or .env configuration

Smart prefix matching — maps PROJECTX_STRIPE_KEY to STRIPE_KEY

Safe for automated workflows — check and inject commands never expose values

Hooks for Claude Code and Codex automatically block agents from reading .env files — they must use agent-secret instead

Agent Workflow
# User: "Add google maps to .env"
# Agent discovers available secrets
$ agent-secret list
# Agent matches and injects
$ agent-secret inject TRAVELER_GOOGLE_MAPS_KEY:GOOGLE_MAPS_KEY
# Agent tries to read .env — blocked by hook
$ cat .env
  ✗ Blocked: Use agent-secret tool or ask for help
# Agent verifies the right way
$ agent-secret check DATABASE_URL -q