Your AI agent uses your API keys.
It should never see them.

kv encrypts your secrets and lets AI coding agents make API calls without possessing the keys. Like ssh-agent, but for API credentials.

Works with your favorite AI editor

  • Cursor
  • Claude Code
  • VS Code

Install in seconds

pip install kv-secrets

  1. kv init                  Create vault (passphrase prompt)
  2. kv set OPENAI_API_KEY    Store your key
  3. kv unlock                Start the agent
  4. kv setup cursor          Connect your editor

The problem with every other approach

.env files

Agent reads the file. Key in context window. Leaked in logs.

1Password SDK

secrets.resolve() returns plaintext to agent memory. One prompt injection away.

Paste in chat

Key in conversation history. Visible to anyone with access. Forever.

Every approach gives the agent your key. kv doesn't.

How kv keeps your keys safe

kv_api flow

Agent: "Call the OpenAI API"
  ↓
kv_api(provider="openai", path="/v1/chat/completions", body={...})
  ↓
kv agent: looks up OPENAI_API_KEY → adds auth header → makes HTTP call
  ↓
Agent gets: response body (key never appeared)

The API key stays in the kv agent's memory. It never enters the AI agent's process, context window, logs, or filesystem. Same security model as ssh-agent.

Defense in depth for AI-powered development

Agent proxy (kv_api)

Your AI agent makes API calls through the kv agent. The key never leaves. Like ssh-agent for API credentials. Built-in support for OpenAI, Anthropic, Google, GitHub + custom providers.

Tamper-evident audit log

Every API call logged with hash-chain integrity. kv audit --verify proves your logs weren't modified. No competitor has this.

Passphrase + 2FA

Interface barrier that AI agents can't bypass. Interactive passphrase prompt + optional TOTP. Without it, the vault stays locked.

Subprocess sandbox (kv_run)

For databases, cloud SDKs, and legacy apps that need env vars. Read-only filesystem sandbox (bwrap), PID namespace isolation, network isolation, output redaction, file scanning.

Client-agnostic

Works with Claude Code, Cursor, VS Code — any MCP client. Passphrase protection ensures the same security regardless of editor.

SSRF protection

Custom provider URLs are checked and rejected if they point to private IPs or do not use HTTPS. DNS rebinding defense. Built-in providers are trusted. Your keys can't be redirected.
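
The hash chain behind a tamper-evident audit log such as the one described under "Tamper-evident audit log" above, as an added example (not kv's own code or log format). The record fields, the SHA-256 choice, the all-zero genesis value and the function names are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log: list, record: dict) -> str:
    """Chain a record to the previous entry and return the new head hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev_hash, "record": record,
                "hash": entry_hash(prev_hash, record)})
    return log[-1]["hash"]


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first break.

    expected_head is a head hash kept outside the log (hypothetical usage);
    without it, entries dropped from the end of the log go unnoticed.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        # Each entry must point at its predecessor and match its own content.
        if entry["prev_hash"] != prev_hash:
            return i
        if entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


def build_sample_log():
    # Constructed sample records: they name the secret, never its value.
    log, head = [], GENESIS
    for path in ("/v1/chat/completions", "/v1/embeddings", "/v1/models"):
        head = append(log, {"provider": "openai", "path": path,
                            "secret": "OPENAI_API_KEY", "status": 200})
    return log, head
```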

How kv compares

Feature                  kv       .env files   1Password CLI                AgentSecrets
Key never enters agent   kv_api   No           No (SDK returns plaintext)   Yes
MCP native               Yes      No           No                           Added later
Subprocess sandbox       kv_run   No           No                           No
Tamper-evident audit     Yes      No           Enterprise                   No
Passphrase + 2FA         Yes      No           Via app                      No
Filesystem sandbox       bwrap    No           No                           No
Free & open source       Yes      Yes          No                           Partial

Battle-tested security

  • 17 attack vectors tested
  • 0 secrets leaked
  • 6 defense layers

Adversarial testing by the AI agent itself — with full Bash access and direct daemon connection. Read the full report.

Simple pricing

Free for individuals. One flat price for teams.

Free: $0 forever

  • Agent proxy for API calls (kv_api)
  • Filesystem sandbox (bwrap)
  • Tamper-evident audit logging
  • ChaCha20-Poly1305 encryption
  • Dynamic provider registry
  • MCP integration (Cursor, Claude Code, VS Code)
  • Unlimited secrets, environments, providers
195 tests passing · v0.2.1 · Python 3.10+ · MIT License

Open source (MIT) · ChaCha20-Poly1305 encryption · Security policy