{"id":44863430,"url":"https://github.com/eric8810/authy","last_synced_at":"2026-02-24T02:00:49.859Z","repository":{"id":338938723,"uuid":"1159756426","full_name":"eric8810/authy","owner":"eric8810","description":"A CLI secrets store \u0026 dispatch tool built for AI agents.  Authy stores encrypted secrets locally and dispatches them to agents with policy-based scoping, short-lived session tokens, and audit logging. No server required.","archived":false,"fork":false,"pushed_at":"2026-02-22T23:55:54.000Z","size":398,"stargazers_count":17,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-23T04:42:31.119Z","etag":null,"topics":["agent","agentic","ai","claude","claude-code","clawbot","cli","openclaw","pi-mono","skills","vault"],"latest_commit_sha":null,"homepage":"https://authy.scotares.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eric8810.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-17T05:45:35.000Z","updated_at":"2026-02-22T23:55:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/eric8810/authy","commit_stats":null,"previous_names":["eric8810/authy"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/eric8810/authy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eric8810%2Fauthy","tags_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/repositories/eric8810%2Fauthy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eric8810%2Fauthy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eric8810%2Fauthy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eric8810","download_url":"https://codeload.github.com/eric8810/authy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eric8810%2Fauthy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29768279,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T01:40:24.820Z","status":"online","status_checked_at":"2026-02-24T02:00:07.497Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","agentic","ai","claude","claude-code","clawbot","cli","openclaw","pi-mono","skills","vault"],"created_at":"2026-02-17T10:45:14.133Z","updated_at":"2026-02-24T02:00:49.805Z","avatar_url":"https://github.com/eric8810.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# authy\n\nEncrypted secrets for AI agents. 
Single binary, no server, no accounts.\n\n## 30-Second Start\n\n```bash\nnpm install -g authy-cli\n\nauthy init --generate-keyfile ~/.authy/keys/master.key\nauthy store api-key                          # type value, Ctrl+D\nauthy run --scope \"*\" -- ./my-script.sh      # script sees $API_KEY in its env\n```\n\nThat's it. The secret is encrypted in the vault and injected into the subprocess; it never appears in your shell history or `.env` files.\n\n## Config File Placeholders\n\n```bash\n# Template with placeholders (safe to commit)\n# printf expands \\n portably; bash's builtin echo would write it literally\nprintf 'host: \u003cauthy:db-host\u003e\\nport: \u003cauthy:db-port\u003e\\n' \u003e config.yaml.tpl\n\n# Resolve to real values at deploy time\nauthy resolve config.yaml.tpl --scope deploy --output config.yaml\n```\n\n`authy run` covers env vars. `authy resolve` covers config files.\n\n## MCP Server\n\nRun Authy as an MCP (Model Context Protocol) server for AI agent platforms like Claude Desktop, Cursor, and Windsurf:\n\n```bash\nauthy serve --mcp\n```\n\nAdd to your MCP client config (e.g. 
`claude_desktop_config.json`):\n\n```json\n{\n  \"mcpServers\": {\n    \"authy\": {\n      \"command\": \"authy\",\n      \"args\": [\"serve\", \"--mcp\"],\n      \"env\": { \"AUTHY_PASSPHRASE\": \"your-passphrase\" }\n    }\n  }\n}\n```\n\nExposes 5 tools over stdio JSON-RPC 2.0: `get_secret`, `list_secrets`, `store_secret`, `remove_secret`, `test_policy`.\n\n## Library API\n\nUse Authy as a Rust crate for programmatic vault access:\n\n```rust\nuse authy::api::AuthyClient;\n\nlet client = AuthyClient::with_passphrase(\"my-vault-passphrase\")?;\nclient.init_vault()?;\nclient.store(\"api-key\", \"sk-secret-value\", false)?;\nlet value = client.get(\"api-key\")?; // Some(\"sk-secret-value\")\n```\n\n```bash\n# Add to your project (library only, no CLI deps)\ncargo add authy --no-default-features\n```\n\nAuth from environment variables:\n\n```rust\n// Reads AUTHY_KEYFILE or AUTHY_PASSPHRASE\nlet client = AuthyClient::from_env()?;\n```\n\n## Install\n\n```bash\n# npm (recommended)\nnpm install -g authy-cli\n\n# Linux / macOS\ncurl -fsSL https://raw.githubusercontent.com/eric8810/authy/main/install.sh | sh\n\n# Windows (PowerShell)\nirm https://raw.githubusercontent.com/eric8810/authy/main/install.ps1 | iex\n\n# From source\ncargo build --release\n```\n\n## How It Works\n\n```\nYou store secrets    →  authy vault (encrypted)\nAgent runs command   →  authy run injects secrets as env vars into subprocess\nSubprocess finishes  →  env vars gone, nothing on disk\n```\n\nSecrets never appear in shell history, `.env` files, process arguments, or LLM context.\n\n## Give Agents Scoped Access\n\n```bash\n# Create a policy — agent only sees db-* secrets\nauthy policy create backend --allow \"db-*\" --run-only\n\n# Create a time-limited token\nauthy session create --scope backend --ttl 1h --run-only\n# → authy_v1.dGhpcyBpcyBhIDMyIGJ5dGUgcmFuZG9t...\n\n# Agent uses the token — can only inject, never read values\nexport AUTHY_TOKEN=\"authy_v1....\"\nexport 
AUTHY_KEYFILE=~/.authy/keys/master.key\nauthy run --scope backend --uppercase --replace-dash '_' -- node server.js\n```\n\n`--run-only` means the agent can inject secrets into subprocesses and resolve config templates, but can never read values directly. `authy get`, `authy env`, `authy export` all return an error.\n\n## Project Config\n\nDrop `.authy.toml` in your project root. No more `--scope` flags:\n\n```toml\n[authy]\nscope = \"my-project\"\nkeyfile = \"~/.authy/keys/master.key\"\nuppercase = true\nreplace_dash = \"_\"\n```\n\n```bash\nauthy run -- ./deploy.sh          # scope inferred from .authy.toml\neval \"$(authy hook bash)\"         # auto-activate on cd (like direnv)\n```\n\n## Migrate from .env\n\n```bash\nauthy import .env                 # imports all keys, transforms names\nauthy import .env --dry-run       # preview first\n```\n\n## Admin TUI\n\n`authy admin` — manage secrets, policies, sessions, and audit logs interactively. Secrets entered through the TUI never touch shell history.\n\n```bash\nauthy admin --keyfile ~/.authy/keys/master.key\n```\n\n## Agent Skills\n\nWorks with Claude Code, Cursor, OpenClaw, and 38+ AI coding agents:\n\n```bash\nnpx skills add eric8810/authy\n```\n\nThe skill teaches agents to use `authy run` (inject secrets), `authy resolve` (config templates), and `authy list` (discover names). 
Agents never learn commands that expose values.\n\n## Security\n\n- **age encryption** (X25519) — vault encrypted at rest\n- **HMAC-SHA256 session tokens** — short-lived, read-only, constant-time validation\n- **Glob-based policies** — deny overrides allow, default deny\n- **HMAC-chained audit log** — tamper detection on every entry\n- **Zeroize on drop** — all secret-holding memory wiped when freed\n- **Run-only mode** — agents can inject but never read\n\n## All Commands\n\n\u003cdetails\u003e\n\u003csummary\u003eFull command reference\u003c/summary\u003e\n\n```\nBasics\n  authy init                        Initialize a new vault\n  authy store \u003cname\u003e                Store a secret (reads from stdin)\n  authy get \u003cname\u003e                  Retrieve a secret value\n  authy list                        List secret names\n  authy remove \u003cname\u003e              Remove a secret\n  authy rotate \u003cname\u003e              Rotate a secret value\n\nPolicies\n  authy policy create \u003cname\u003e       Create an access policy\n  authy policy show \u003cname\u003e         Show policy details\n  authy policy update \u003cname\u003e       Modify a policy\n  authy policy list                List all policies\n  authy policy remove \u003cname\u003e       Remove a policy\n  authy policy test --scope \u003cs\u003e \u003cname\u003e  Test access\n\nSessions\n  authy session create             Create a scoped session token\n  authy session list               List active sessions\n  authy session revoke \u003cid\u003e        Revoke a session\n  authy session revoke-all         Revoke all sessions\n\nAgent Commands\n  authy run [--scope \u003cs\u003e] -- \u003ccmd\u003e Run a command with injected secrets\n  authy resolve \u003cfile\u003e             Resolve \u003cauthy:key\u003e placeholders in files\n  authy env [--scope \u003cs\u003e]          Output secrets as env vars\n  authy import \u003cfile\u003e              Import from .env file\n  authy export 
--format \u003cfmt\u003e      Export as .env or JSON\n\nVault Management\n  authy rekey                      Re-encrypt vault with new credentials\n\nProject\n  authy project-info               Show .authy.toml config\n  authy alias [scope] [tools...]   Generate shell aliases\n  authy hook \u003cshell\u003e               Shell hook for auto-activation\n\nAudit\n  authy audit show                 Show audit log\n  authy audit verify               Verify log integrity\n  authy audit export               Export log as JSON\n\nServer\n  authy serve --mcp                Start MCP server (stdio JSON-RPC)\n\nAdmin\n  authy admin                      Launch admin TUI\n  authy config show                Show configuration\n```\n\nAll read commands support `--json`. `--scope` is optional when `.authy.toml` is present.\n\n\u003c/details\u003e\n\n## Docs\n\n- [docs/GUIDE.md](docs/GUIDE.md) — full command reference, auth modes, config, exit codes\n- [ARCHITECTURE.md](ARCHITECTURE.md) — system design\n- [SECURITY.md](SECURITY.md) — threat model\n- [CHANGELOG.md](CHANGELOG.md) — version history\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feric8810%2Fauthy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feric8810%2Fauthy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feric8810%2Fauthy/lists"}