{"id":47555880,"url":"https://github.com/No-Box-Dev/Noxkey","last_synced_at":"2026-03-31T09:00:48.193Z","repository":{"id":346027002,"uuid":"1174913410","full_name":"No-Box-Dev/Noxkey","owner":"No-Box-Dev","description":"macOS secrets manager with Touch ID. Stores API keys in the Keychain, detects AI agents, delivers secrets via encrypted handoff. Free, open source, local-only. A dotenv alternative for developers.","archived":false,"fork":false,"pushed_at":"2026-03-29T18:47:16.000Z","size":1915,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-29T18:53:13.000Z","etag":null,"topics":["ai-agent-security","cli","credential-management","developer-tools","dotenv-alternative","encryption","keychain","macos","mcp","menu-bar-app","open-source","secrets-manager","swiftui","touch-id"],"latest_commit_sha":null,"homepage":"https://noxkey.ai","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/No-Box-Dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-07T01:32:18.000Z","updated_at":"2026-03-29T17:42:18.000Z","dependencies_parsed_at":"2026-03-22T11:02:50.551Z","dependency_job_id":null,"html_url":"https://github.com/No-Box-Dev/Noxkey","commit_stats":null,"previous_names":["no-box-dev/noxkey"],"tags_count":119,"template":false,"template_full_name":null,"purl":"pkg:github/No-Box-Dev/Noxkey","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/No-Box-Dev%2FNoxkey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/No-Box-Dev%2FNoxkey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/No-Box-Dev%2FNoxkey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/No-Box-Dev%2FNoxkey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/No-Box-Dev","download_url":"https://codeload.github.com/No-Box-Dev/Noxkey/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/No-Box-Dev%2FNoxkey/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31228492,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-31T08:35:14.124Z","status":"ssl_error","status_checked_at":"2026-03-31T08:34:00.887Z","response_time":111,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agent-security","cli","credential-management","developer-tools","dotenv-alternative","encryption","keychain","macos","mcp","menu-bar-app","open-source","secrets-manager","swiftui","touch-id"],"created_at":"2026-03-29T11:00:26.339Z","updated_at":"2026-03-31T09:00:48.165Z","avatar_url":"https://github.com/No-Box-Dev.png","language":"JavaScript","funding_links":[],"categories":["セキュリティツール","Security"],"sub_categories":["オーディオ録音・処理","Text"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"website/favicon.svg\" width=\"80\" height=\"80\" alt=\"NoxKey — macOS secrets manager with Touch ID\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eNoxKey\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003emacOS secrets manager with Touch ID. A secure dotenv alternative.\u003c/strong\u003e\u003cbr\u003e\n  Stop putting API keys in .env files. Stop pasting secrets into AI chats.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/No-Box-Dev/Noxkey/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-blue.svg\" alt=\"MIT License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://noxkey.ai?ref=github\"\u003e\u003cimg src=\"https://img.shields.io/badge/platform-macOS%2014+-black.svg\" alt=\"macOS 14+\"\u003e\u003c/a\u003e\n  \u003ca href=\"#install\"\u003e\u003cimg src=\"https://img.shields.io/badge/homebrew-noxkey-orange.svg\" alt=\"Homebrew\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://noxkey.ai?ref=github\"\u003eWebsite\u003c/a\u003e \u0026middot;\n  \u003ca href=\"https://noxkey.ai/blog/?ref=github\"\u003eBlog\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#install\"\u003eInstall\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#cli-reference\"\u003eCLI Reference\u003c/a\u003e \u0026middot;\n  \u003ca href=\"https://noxkey.ai/compare/noxkey-vs-dotenv.html?ref=github\"\u003evs dotenv\u003c/a\u003e \u0026middot;\n  \u003ca href=\"https://noxkey.ai/compare/noxkey-vs-1password-cli.html?ref=github\"\u003evs 1Password CLI\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## What is NoxKey?\n\nNoxKey is a **free, open-source macOS secrets manager** that stores API keys, tokens, and credentials in the **macOS Keychain** (hardware-encrypted via Secure Enclave) and gates every access with **Touch ID**.\n\nIt replaces `.env` files with a developer CLI and native menu bar app. No cloud. No master password. No subscription. NoxKey detects AI coding agents (Claude Code, Cursor, Copilot) and delivers secrets through an encrypted handoff so the raw value never enters the agent's context window.\n\n```bash\nbrew install no-box-dev/noxkey/noxkey\n```\n\n---\n\n## The problem\n\nYou have API keys in `.env` files. Plaintext. No authentication. Any process on your machine can read them — including AI coding agents that treat your `.env` as just another project file.\n\n[12.8 million secrets](https://noxkey.ai/blog/stop-putting-secrets-in-env-files.html?ref=github) were exposed in public GitHub repos in 2024. The `.env` pattern was designed in 2012, before AI agents existed. It's a liability.\n\n## How NoxKey fixes it\n\nNoxKey stores secrets in the **macOS Keychain** (Secure Enclave, hardware-encrypted) and gates every access with **Touch ID**. No files on disk. No master password. No cloud.\n\n```bash\n# Store a secret (from clipboard — never in shell history)\nnoxkey set myorg/project/STRIPE_KEY --clipboard\n\n# Use it in your shell\neval \"$(noxkey get myorg/project/STRIPE_KEY)\"\n# → Touch ID prompt → STRIPE_KEY loaded into environment\n\n# List your secrets (names only, never values)\nnoxkey ls myorg/\n```\n\nWhen an AI agent calls `noxkey get`, NoxKey [detects the agent](https://noxkey.ai/blog/process-tree-agent-detection.html?ref=github) by walking the process tree and returns an **encrypted handoff** — the secret reaches the agent's environment but never enters its conversation context.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"website/demo.gif\" alt=\"NoxKey demo\" width=\"780\"\u003e\n\u003c/p\u003e\n\n## Install\n\n```bash\n# 1. Install via Homebrew\nbrew install no-box-dev/noxkey/noxkey\n\n# 2. Launch the app (it lives in your menu bar)\nopen /Applications/NoxKey.app\n\n# 3. Done — the CLI works immediately\nnoxkey ls\n```\n\n### Migrate from .env files\n\n```bash\nnoxkey import myorg/project .env   # import all secrets\nnoxkey ls myorg/project/           # verify\nrm .env                             # delete the liability\n```\n\n## Why NoxKey\n\n| | .env files | 1Password CLI | HashiCorp Vault | **NoxKey** |\n|---|---|---|---|---|\n| **Encryption** | None | AES-256 (cloud) | Server-side | **Secure Enclave (hardware)** |\n| **Auth model** | None | Master password | Token-based | **Touch ID per access** |\n| **AI agent safety** | None | None | None | **Process-tree detection** |\n| **Network required** | No | Yes (sync) | Yes (server) | **No** |\n| **Cost** | Free | $36/yr | Free (self-host) | **Free** |\n| **Setup** | None | Account + master pw | Server infra | **`brew install`** |\n\n## Architecture\n\n```\n┌──────────────┐         Unix socket          ┌─────────────────┐\n│  noxkey CLI   │ ──────── JSON ────────────▶ │  NoxKey.app      │\n│  (Swift)      │                              │  (SwiftUI)       │\n└──────────────┘                              └────────┬─────────┘\n                                                       │\n                                              ┌────────▼─────────┐\n                                              │ Agent Detection   │\n                                              │ (process-tree     │\n                                              │  walk, 20 levels) │\n                                              └────────┬─────────┘\n                                                       │\n                              ┌─────────────┐ ┌───────▼──────────┐\n                              │  Touch ID    │ │ macOS Keychain    │\n                              │  (Secure     │◀│ (Data Protection) │\n                              │   Enclave)   │ └──────────────────┘\n                              └─────────────┘\n```\n\n**Menu bar app** — native SwiftUI. Manages the Keychain, handles Touch ID, detects AI agents via `proc_pidinfo`, serves requests over a Unix domain socket.\n\n**CLI** — Swift binary. Talks to the app over the socket. Every request is validated server-side — the CLI can't bypass agent detection.\n\n**Agent detection** — walks the process tree from the requesting PID up to `launchd`, checking each ancestor against known agent signatures (claude, cursor, codex, windsurf, copilot). [Full explanation →](https://noxkey.ai/blog/process-tree-agent-detection.html?ref=github)\n\n## Key features\n\n### Security\n- **Touch ID on every access** — not a password, your fingerprint\n- **Secure Enclave storage** — decryption key never leaves the chip\n- **Strict mode** — mark high-value secrets to always require Touch ID, even during sessions\n- **Zero network** — no telemetry, no sync, no cloud. Secrets never leave your machine\n- **DLP guard** — scans AI agent output for leaked secret values before they enter context\n\n### Developer experience\n- **`eval \"$(noxkey get org/proj/KEY)\"`** — one command, any terminal\n- **Session unlock** — `noxkey unlock org/proj` → one Touch ID, then batch access\n- **Import/export** — `noxkey import org/proj .env` migrates everything in one step\n- **Peek** — `noxkey peek org/proj/KEY` shows first 8 chars for verification\n- **Organize** — `noxkey organize` reviews keys and adds missing metadata\n- **Rotate** — `noxkey rotate org/proj/KEY` guides you through secret rotation\n\n### Password \u0026 login management\n- **Generate** — create login credentials with auto-generated passwords from the quick-access panel\n- **Organizations** — managed org list, linked emails auto-selected per org\n- **Email aliases** — generate unique `+alias` variants per project (e.g. `user+react-frontend-a1b2@domain`)\n- **Tabbed view** — All | Logins | Recovery Codes | Generate in both panel and main app\n- **Step-through clipboard** — username copied first, click Next for password\n- **Browser detection** — auto-detects project from active localhost tab (Chrome, Safari, Arc, Edge)\n\n### AI agent safety\n- **Automatic detection** — Claude Code, Cursor, Codex, Windsurf, Copilot identified by process tree\n- **Encrypted handoff** — agents get secrets in their environment, never in conversation context\n- **Command blocking** — `--raw`, `--copy`, `load`, `export`, `bundle` blocked for agent callers\n- **DLP scanning** — `noxkey guard` catches leaked values in agent output\n\n## CLI reference\n\n### Core\n\n```\nnoxkey set \u003corg/proj/KEY\u003e --clipboard   Store from clipboard\nnoxkey get \u003corg/proj/KEY\u003e               Copy to clipboard (Touch ID)\nnoxkey peek \u003corg/proj/KEY\u003e              Show first 8 chars\nnoxkey rm  \u003corg/proj/KEY\u003e               Delete a secret\nnoxkey ls  [prefix]                     List key names (no values)\nnoxkey ls  --type=login --org=n1       Filter by type, org, or search\nnoxkey import \u003corg/proj\u003e \u003cfile\u003e         Import from .env file\nnoxkey export \u003corg/proj\u003e \u003cfile\u003e         Export to .env file\n```\n\n### Sessions\n\n```\nnoxkey unlock \u003corg/proj\u003e [--timeout=4h]   One Touch ID, then batch access\nnoxkey lock [org/proj]                     Lock prefix (or all)\nnoxkey session                             Show active sessions\n```\n\n### Security\n\n```\nnoxkey strict \u003corg/proj/KEY\u003e       Always require Touch ID (even during sessions)\nnoxkey unstrict \u003corg/proj/KEY\u003e     Remove strict mode\nnoxkey guard                       DLP scan stdin for leaked values\nnoxkey verify                      Print security verification commands\nnoxkey audit [N]                   Show last N audit log entries\n```\n\n### Maintenance\n\n```\nnoxkey rotate \u003corg/proj/KEY\u003e              Guided rotation workflow\nnoxkey organize [--dry-run] [--auto]      Review and fix metadata\nnoxkey scan [path] [--prefix=org/proj]    Find and import .env files\nnoxkey config \u003corg/proj\u003e --timeout=8h     Set session timeout per prefix\nnoxkey update                             Update app and/or CLI\n```\n\n### Naming convention\n\n```\norg/project/KEY          — project-specific secrets\nshared/KEY               — cross-project secrets (e.g. shared/CLOUDFLARE_API_TOKEN)\n```\n\n## Security model\n\n| What | Where |\n|---|---|\n| Secret values | macOS Data Protection Keychain (Secure Enclave) |\n| Metadata | Separate Keychain item per secret |\n| Session cache | In-memory only, cleared on lock/quit |\n| Socket | User-only permissions (`0600`), peer UID verified |\n\n- Secrets **never leave the machine** in plaintext\n- Agent callers receive AES-256-CBC encrypted payloads via self-deleting temp scripts\n- Sessions are bound to PID + process start time (prevents PID recycling attacks)\n- `noxkey ls` and `noxkey peek` never expose full values\n\n## Build from source\n\n```bash\ngit clone https://github.com/No-Box-Dev/Noxkey.git\ncd Noxkey\nopen NoxKey.xcodeproj\n# Build and run (Cmd+R)\n```\n\nThe CLI auto-installs to `~/.local/bin/noxkey` when the app launches. Add `~/.local/bin` to your `PATH`.\n\nRequires macOS 14+ and Xcode 15+.\n\n## Blog\n\nDeep dives into how NoxKey works and why:\n\n- [Stop Putting Secrets in .env Files](https://noxkey.ai/blog/stop-putting-secrets-in-env-files.html?ref=github)\n- [macOS Keychain for Developers](https://noxkey.ai/blog/macos-keychain-for-developers.html?ref=github)\n- [How Touch ID Can Protect Your API Keys](https://noxkey.ai/blog/touch-id-api-keys.html?ref=github)\n- [The Developer's Guide to Credential Hygiene](https://noxkey.ai/blog/credential-hygiene-for-developers.html?ref=github)\n- [6 Ways AI Agents Leak Your Secrets](https://noxkey.ai/blog/five-ways-ai-agents-leak-secrets.html?ref=github)\n- [How We Built Process-Tree Agent Detection](https://noxkey.ai/blog/process-tree-agent-detection.html?ref=github)\n\n## FAQ\n\n**Is NoxKey free?**\nYes. MIT-licensed, open source, no account, no subscription, no cloud.\n\n**How is NoxKey different from 1Password CLI?**\nNoxKey is local-only (no cloud, no account), free, and includes AI agent detection with encrypted handoff. [Full comparison](https://noxkey.ai/compare/noxkey-vs-1password-cli.html?ref=github).\n\n**How is NoxKey different from dotenv?**\ndotenv stores secrets as plaintext files with zero authentication. NoxKey stores them in the hardware-encrypted Keychain with Touch ID. [Full comparison](https://noxkey.ai/compare/noxkey-vs-dotenv.html?ref=github).\n\n**Does NoxKey work on Linux or Windows?**\nNo. NoxKey is macOS only — it depends on the macOS Keychain and Touch ID. For cross-platform needs, consider 1Password CLI or HashiCorp Vault.\n\n**Does NoxKey send data to the cloud?**\nNo. Zero outbound network connections. Verifiable via macOS network monitoring.\n\n**How does NoxKey detect AI agents?**\nIt walks the macOS process tree when a secret is requested. If an AI agent is in the calling chain, the secret is delivered through an encrypted, self-deleting temp script instead of as a raw value. [Technical deep-dive](https://noxkey.ai/blog/process-tree-agent-detection.html?ref=github).\n\n## License\n\n[MIT](LICENSE) — Copyright (c) 2024-2026 [No-Box-Dev](https://noboxdev.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNo-Box-Dev%2FNoxkey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNo-Box-Dev%2FNoxkey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNo-Box-Dev%2FNoxkey/lists"}