No secrets in AI context windows. No .env files. No copy-paste. API keys live in your macOS Keychain — AI agents fetch them through MCP, gated by Touch ID.
Half your keys pass through an AI tool's context while the other half sit in plaintext .env files — and the "safer" alternatives gate every fetch behind a subscription and a vendor login. Safe and fast shouldn't be a tradeoff.
Drop a key into Claude or Cursor and it lives in the model's context, the chat log, and the provider's traces. There is no undo.
1Password, Bitwarden, Doppler — every vault wants the recipient on the same subscription. Most teams give up and paste into Slack instead.
.env files multiply across projects and drift out of sync. Thirty projects, thirty .env files. Some are stale, one is in git history, half are in the wrong .gitignore. You chase them every quarter.
Everything you need to manage credentials without friction, and without exposing them.
Every secret retrieval requires biometric authentication. No master passwords. No unlocked vaults sitting open on your desktop.
Claude Code, Cursor, and any MCP-aware agent can call noxkey_get, noxkey_set, noxkey_show, noxkey_scan, and noxkey_admin. Values load as env vars — never into the conversation.
Every noxkey_get response carries an in-tool instruction telling the model not to echo, cat, printenv, or hardcode the loaded value. The MCP server's system instructions repeat the rule on every connection.
Press Cmd+Shift+1 from any app. A floating panel appears near your cursor. Search, Touch ID, copied. Under 2 seconds.
Name credentials as org/project/KEY and they group automatically. Filter instantly. No more hunting through .env files.
Copied secrets are automatically cleared from your clipboard after 30 seconds. No stale credentials in your paste buffer.
No proprietary vault. No sync servers. Everything lives in the macOS Keychain, encrypted by Apple's Secure Enclave.
Defense in depth. If any one layer is bypassed, the others still hold.
The app ships without the network entitlement. The kernel blocks every outbound socket. No telemetry, no sync, no exfiltration path.
Secrets encrypted at rest by the Secure Enclave. Apple's implementation, not custom crypto. Unreadable without biometric or passcode auth.
Every read requires biometric auth. Strict-mode secrets always prompt — even mid-session. Passcode fallback for non-biometric Macs.
Sessions are bound to a specific process tree (terminal PID + boot-relative start time). PID recycling is detected. Auto-expire after 4 hours.
MCP noxkey_get returns a ChaChaPoly (AEAD) payload, written to a self-deleting temp script that rms itself on first source. A 120-second hard timeout removes the file if it is never sourced.
Not every key deserves the same gate. Pick a level per secret — quiet for the dev API you call all afternoon, locked tight for production.
Touch ID once, then the same secret unlocks silently for the rest of your coding session. No more re-prompting on every call.
Use for: dev-tier API keys you call dozens of times during a coding session.
By default, every read asks. Want fewer prompts? Pass session: '4h' once and every secret in that workspace unlocks for the same agent.
Sessions don't apply. Every read prompts you, full stop. The gate never opens automatically — no matter what's already unlocked nearby.
Use for: production credentials, payment keys, anything with blast radius.
Safe in the Keychain so you can find it later — but MCP and the menu bar refuse to hand it over to anyone, including you. Reveal in the app only.
Use for: recovery codes, root tokens, things that should never paste.
Pass a session window on the first call and the same agent's process tree skips the prompt for every other secret under that prefix — until the window expires or the process exits.
# first call — prompts Touch ID once
noxkey_get(account: "noboxdev/gitpulse/STRIPE_KEY", session: "4h")
# next 4 hours, same agent, no prompts:
noxkey_get(account: "noboxdev/gitpulse/POSTGRES_URL")
noxkey_get(account: "noboxdev/gitpulse/OPENAI_KEY")
NoxKey ships with a Model Context Protocol server. Claude Code, Cursor, and any MCP-aware agent can ask for a secret — and get it — without the value ever touching the conversation.
noxkey_get, noxkey_set, noxkey_show, noxkey_scan, noxkey_admin — enough for agents to read, write, and organize secrets without ever shelling out.
The agent sources a short-lived temp file to load the value as an env var. The value is never returned in a tool result, never hits stdout, never lands in the model's context window.
The app walks the requesting process tree and knows when the caller is an agent (Claude, Cursor, Codex). Agent-mode locks down raw-value flags and enforces the handoff pattern.
One Touch ID unlocks a whole org/project prefix for the session. Long-running agent work doesn't need re-auth on every secret.
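The session binding and the process-tree walk described above, as an added illustration in Python. This is not NoxKey's code: the process table is a constructed dict standing in for what the app reads from the OS, the agent binary names (claude, cursor, codex) are taken from the page but the lowercase matching is an assumption, and the function names are hypothetical. What it shows is why a session is bound to pid plus boot-relative start time rather than to a bare pid: a recycled pid with a different start time is rejected, a caller outside the bound process tree is rejected, and the session lapses after the 4-hour window.

```python
"""Illustrative session binding and agent detection (not NoxKey's code)."""
from dataclasses import dataclass

SESSION_TTL_SECONDS = 4 * 60 * 60                 # 4-hour auto-expiry
AGENT_BINARIES = {"claude", "cursor", "codex"}     # assumed binary names (hypothetical)

# Constructed process table: pid -> (ppid, boot-relative start time, binary name)
PROCS = {
    1:   (0,   0.0,   "launchd"),
    400: (1,   12.5,  "Terminal"),
    501: (400, 30.0,  "zsh"),
    777: (501, 900.0, "claude"),   # agent launched from the shell
    778: (777, 901.0, "bash"),     # tool shell spawned by the agent
    900: (400, 40.0,  "zsh"),      # unrelated shell, no agent above it
}


@dataclass(frozen=True)
class Session:
    prefix: str         # org/project prefix the Touch ID unlocked
    pid: int            # process the session is bound to
    start_time: float   # boot-relative start time of that pid
    created_at: float   # timestamp when Touch ID succeeded
    ttl: float = SESSION_TTL_SECONDS


def ancestors(pid, procs):
    """Yield (pid, binary) from the given process up to the root."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _, name = procs[pid]
        yield pid, name
        pid = ppid


def detect_agent(pid, procs):
    """Return the first agent binary found walking up the tree, or None."""
    for _, name in ancestors(pid, procs):
        if name.lower() in AGENT_BINARIES:
            return name
    return None


def bind_session(prefix, pid, procs, now):
    """Record pid AND its start time, so a later pid reuse cannot inherit the session."""
    _, start, _ = procs[pid]
    return Session(prefix, pid, start, now)


def check_session(session, account, caller_pid, procs, now):
    """Return 'ok' or the reason the cached session must not be honoured."""
    if now - session.created_at > session.ttl:
        return "expired"
    if not account.startswith(session.prefix.rstrip("/") + "/"):
        return "prefix-mismatch"
    bound = procs.get(session.pid)
    if bound is None:
        return "process-exited"
    if bound[1] != session.start_time:
        return "pid-recycled"        # same pid number, different process
    if session.pid not in {p for p, _ in ancestors(caller_pid, procs)}:
        return "not-in-tree"         # caller is not a descendant of the bound pid
    return "ok"


if __name__ == "__main__":
    s = bind_session("noboxdev/gitpulse", 777, PROCS, now=1000.0)
    print(detect_agent(778, PROCS))                                            # claude
    print(check_session(s, "noboxdev/gitpulse/POSTGRES_URL", 778, PROCS, 2000.0))  # ok
```

The ordering of the checks matters: expiry and prefix are cheap and decided first, and the start-time comparison runs before the tree walk so that a recycled pid never gets as far as being treated as a valid ancestor.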
Quality-of-life tools baked into the menu bar so you never have to leave the keychain.
Need a fresh password mid-signup? Hit generate in the panel — pick length and character set, copy with one keystroke, auto-cleared from the clipboard 30 seconds later. Save it as a NoxKey entry without retyping a thing.
Sign up for a service without burning your real address. NoxKey mints a disposable alias, ties it to the entry, and stores both — so a year later you still know which alias went where, and which one to revoke when a vendor starts spamming.
Save your go-to local-dev password once. Next time a setup wizard asks for one — Postgres, Redis, your test SMTP — paste it from the menu bar instead of inventing yet another throwaway string.
Yes. NoxKey is completely free. No accounts, no subscriptions, no telemetry.
No. The app has zero outbound network connections — enforced by macOS App Sandbox at the kernel level. Updates come from the Mac App Store, so NoxKey itself never phones home. Verify the isolation anytime with codesign -d --entitlements - /Applications/NoxKey.app.
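The codesign check above prints an entitlements plist; what you are looking for in it is the sandbox key present and no network keys. The added Python below (not NoxKey's code) parses such a dump and reports that, using a constructed sample plist so it runs anywhere; `audit_app` is a thin wrapper that runs the same codesign command on a real bundle and only works on macOS. The entitlement key names are Apple's standard App Sandbox keys; the function names are hypothetical.

```python
"""Audit a codesign entitlements dump for network entitlements (added example, not NoxKey's code)."""
import plistlib
import subprocess

SANDBOX_KEY = "com.apple.security.app-sandbox"
NETWORK_KEYS = (
    "com.apple.security.network.client",
    "com.apple.security.network.server",
)

# Constructed sample: a sandboxed app with no network entitlement
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes):
    """Return {'sandboxed': bool, 'network': [granted network keys], 'isolated': bool}."""
    # Some codesign versions print a binary blob header before the XML; skip to the declaration.
    start = plist_bytes.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist found in input")
    ents = plistlib.loads(plist_bytes[start:])
    sandboxed = bool(ents.get(SANDBOX_KEY, False))
    network = [k for k in NETWORK_KEYS if ents.get(k)]
    return {"sandboxed": sandboxed, "network": network, "isolated": sandboxed and not network}


def audit_app(app_path):
    """macOS only: run codesign on a real bundle and audit what it prints."""
    out = subprocess.run(["codesign", "-d", "--entitlements", "-", app_path],
                         capture_output=True, check=True)
    return audit_entitlements(out.stdout)


if __name__ == "__main__":
    print(audit_entitlements(SAMPLE_ENTITLEMENTS))
    # {'sandboxed': True, 'network': [], 'isolated': True}
```

"Isolated" here means both conditions hold: the sandbox is on and neither network entitlement is granted. A bundle with the sandbox off is not isolated even if it declares no network keys, because outside the sandbox the kernel does not enforce them.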
Your secrets stay in the macOS Keychain. You can access them through Keychain Access or reinstall NoxKey anytime. Nothing is lost.
NoxKey requires macOS 14.0 or later with Touch ID. On Macs without Touch ID, the system falls back to your device passcode.
No. Agents receive an encrypted handoff file that they source in Bash; the value lands in the shell as an env var, never in the model’s context. The file self-deletes on first source and hard-deletes after 120 seconds. Bulk-exfiltration variants (--raw, --copy, load, export, bundle) are hard-blocked for detected AI callers.
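The handoff pattern described here and in the MCP section, as an added Python illustration that is not NoxKey's code. It writes a 0600 temp file containing an export line and a `rm -f` of the file itself, so the first `source` loads the variable and removes the file, and a timer deletes the file anyway after a hard timeout. The ChaChaPoly wrapping the real payload carries is deliberately left out so the example stays self-contained; the variable name DEMO_KEY, the 0.2-second demo timeout and the function names are constructed for the example.

```python
"""Illustrative one-shot secret handoff file (not NoxKey's code)."""
import os
import shlex
import subprocess
import tempfile
import threading
import time


def _remove_quietly(path):
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass  # already consumed by the first source


def write_handoff(var_name, value, timeout_s=120.0):
    """Write `export VAR=...; rm -f <self>` to a private temp file and return its path."""
    if not var_name.isidentifier():
        raise ValueError("env var name must be a valid identifier")
    fd, path = tempfile.mkstemp(prefix="handoff.", suffix=".sh")   # created 0600
    with os.fdopen(fd, "w") as fh:
        # shlex.quote makes the value safe to source whatever characters it contains
        fh.write(f"export {var_name}={shlex.quote(value)}\n")
        fh.write(f"rm -f {shlex.quote(path)}\n")                     # self-delete on first source
    os.chmod(path, 0o600)
    # Hard timeout: remove the file even if the agent never sources it.
    timer = threading.Timer(timeout_s, _remove_quietly, args=(path,))
    timer.daemon = True
    timer.start()
    return path


def source_in_shell(path, var_name):
    """Act as the agent's shell: source the file once and report the value the shell saw."""
    script = f". {shlex.quote(path)} && printf '%s' \"${var_name}\""
    out = subprocess.run(["sh", "-c", script], capture_output=True, text=True, check=True)
    return out.stdout


def demo_roundtrip(value, timeout_s=120.0):
    """Write a handoff for DEMO_KEY, source it, and report what happened to the file."""
    path = write_handoff("DEMO_KEY", value, timeout_s)
    mode = oct(os.stat(path).st_mode & 0o777)
    seen = source_in_shell(path, "DEMO_KEY")
    return {"mode": mode, "value_seen": seen, "deleted_after_source": not os.path.exists(path)}


def demo_timeout(timeout_s=0.2):
    """Never source the file; confirm the hard timeout removes it anyway."""
    path = write_handoff("DEMO_KEY", "unused", timeout_s)
    time.sleep(timeout_s * 5 + 0.5)
    return not os.path.exists(path)


if __name__ == "__main__":
    print(demo_roundtrip("sk-test'with\"quotes $and spaces"))
    # {'mode': '0o600', 'value_seen': "sk-test'with\"quotes $and spaces", 'deleted_after_source': True}
    print(demo_timeout())  # True
```

The point of the two deletions is that the window in which the plaintext sits on disk is bounded by whichever comes first: the shell consuming it or the timer. Note that the value is returned to the caller's shell only, never to whoever requested the file, which is what keeps it out of a tool result and the model's context.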
NoxKey is built for developers and AI workflows, not browser autofill. No sync servers, no master password, no subscription. Everything stays local in the macOS Keychain.
47 .env files, duplicated keys, expired tokens, forgotten repos. I replaced them all with the macOS Keychain. Here's what changed.
March 15, 2026: Why we built a credential manager that lives in the macOS Keychain, protected by Touch ID, with zero outbound connections.
March 7, 2026: Walk up the process tree from the requesting process, identify Claude/Cursor/Codex by binary name, and switch to encrypted handoff mode.
NoxKey is live on the Mac App Store. Free, AGPL-3.0, zero outbound network.
Requires macOS 14.0 or later with Touch ID.