What is NoxKey?

NoxKey is a free, open-source macOS app that stores developer secrets in the Keychain with Touch ID. It replaces .env files and protects secrets from AI coding agents.

NoxKey is a macOS menu bar app and CLI that stores API keys, tokens, passwords, and other credentials in the macOS Keychain — Apple's hardware-encrypted credential store backed by the Secure Enclave. Every access requires Touch ID.

It replaces the common pattern of storing secrets in .env files (plaintext, no authentication, readable by any process) with encrypted, biometric-gated storage that never leaves your machine.

Key features

Keychain storage

Secrets stored in macOS Keychain, encrypted by the Secure Enclave. Not files on disk.

Touch ID on every access

Biometric authentication for every secret read. No master password, no unlock timeout.

AI agent detection

Detects Claude Code, Cursor, Copilot via process-tree walking. Switches to encrypted handoff automatically.

Encrypted handoff

Secrets reach the agent's shell environment through a self-deleting encrypted script. Raw values never enter the conversation.

DLP guard

Scans agent output for leaked secret values using 8-character fingerprints before they enter conversation context.

One-command migration

noxkey import myorg .env moves all secrets to the Keychain. Then delete the .env file.

Zero network

No outbound connections. No cloud. No account. Verifiable via macOS network monitoring.

MCP server

Built-in Model Context Protocol server for direct IDE integration with Claude Code and other MCP-compatible tools.

How it works

The old workflow with .env files:

# .env (plaintext, no auth, can be committed to git)
STRIPE_KEY=sk_live_abc123
DATABASE_URL=postgres://user:pass@host/db

The NoxKey workflow:

# Store (from clipboard, never in shell history)
noxkey set myorg/STRIPE_KEY --clipboard

# Use (Touch ID required)
eval "$(noxkey get myorg/STRIPE_KEY)"

# Verify without exposing
noxkey peek myorg/STRIPE_KEY
# → sk_live_a...

The secret is loaded into a shell environment variable without appearing in terminal output, shell history, or files on disk.

Who is NoxKey for?

What NoxKey is not

Frequently asked questions

Is NoxKey free?
Yes. MIT-licensed, open source, no account, no subscription, no cloud. Install with brew install no-box-dev/noxkey/noxkey.
How is NoxKey different from .env files?
.env files are plaintext with no authentication. NoxKey stores secrets in the hardware-encrypted Keychain with Touch ID. Secrets can't be committed to git because they're not files.
How is NoxKey different from 1Password CLI?
NoxKey is local-only (no cloud, no account), free, and includes AI agent detection. 1Password requires a subscription and cloud sync.
How does NoxKey detect AI agents?
It walks the macOS process tree when a secret is requested. If an AI agent is in the calling chain, the secret is delivered through an AES-256-CBC encrypted, self-deleting temp script.
Does NoxKey connect to the internet?
No. Zero outbound network connections. All communication is via a local Unix domain socket between the CLI and the menu bar app.
What macOS version do I need?
macOS 14 Sonoma or later. Touch ID or a Mac with a T2/M-series chip is required for biometric authentication.
Can I use NoxKey with Docker or CI/CD?
NoxKey is for local development. For Docker and CI/CD, use your provider's secret management (GitHub Actions secrets, AWS Secrets Manager, etc.).
How do I migrate from .env files?
One command: noxkey import myorg .env. This imports all key-value pairs into the Keychain. Then delete the .env file.
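
The process-tree walk described in the agent-detection answer above, sketched as an added example; this is not NoxKey's own code. The marker strings, the function names and the sample process table are assumptions constructed for illustration.

```python
import os
import subprocess

# Assumed marker substrings: the page names the products (Claude Code,
# Cursor, Copilot) but not what their processes are called.
AGENT_MARKERS = ("claude", "cursor", "copilot")

def parse_ps(text):
    """Parse `ps -A -o pid= -o ppid= -o comm=` output into {pid: (ppid, comm)}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)  # comm may itself contain spaces
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return table

def find_agent_ancestor(table, pid, markers=AGENT_MARKERS):
    """Walk from pid towards the root; return (pid, comm) of the first
    process in the chain whose executable name contains a marker, else None."""
    seen = set()
    while pid in table and pid not in seen:  # stop on a missing parent or a loop
        seen.add(pid)
        ppid, comm = table[pid]
        name = os.path.basename(comm).lower()
        if any(m in name for m in markers):
            return pid, comm
        pid = ppid
    return None

# Constructed snapshot (not real output): Terminal -> zsh -> CLI, and
# agent -> zsh -> CLI.
SAMPLE = """\
    1     0 /sbin/launchd
  410     1 /Applications/Terminal.app/Contents/MacOS/Terminal
  411   410 -zsh
  412   411 noxkey
  500     1 /usr/local/bin/claude
  501   500 /bin/zsh
  502   501 noxkey
"""

def live_table():
    """Snapshot of the running system's process table."""
    cmd = ["ps", "-A", "-o", "pid=", "-o", "ppid=", "-o", "comm="]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_ps(out)

if __name__ == "__main__":
    t = parse_ps(SAMPLE)
    print(find_agent_ancestor(t, 502), find_agent_ancestor(t, 412))
```

A None result means no marker was seen in the chain, not proof that no agent is involved, because the check depends on process names and on the parent links being intact.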

Try NoxKey

Free, no account, no cloud. One command.

brew install no-box-dev/noxkey/noxkey
