{"id":48801647,"url":"https://github.com/fastogt/keydesk","last_synced_at":"2026-04-14T03:03:59.584Z","repository":{"id":350589338,"uuid":"1207494983","full_name":"fastogt/keydesk","owner":"fastogt","description":"Self-hosted open-source credential manager for teams. Share company accounts without exposing passwords. Chrome extension auto-login. One-click offboarding.","archived":false,"fork":false,"pushed_at":"2026-04-11T03:17:42.000Z","size":69,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-04-11T05:14:19.164Z","etag":null,"topics":["access-management","chrome-extension","corporate-security","credential-manager","cybersecurity","devops","employee-offboarding","golang","identity-management","open-source","password-manager","privileged-access","secret-management","self-hosted","shared-accounts","sysadmin","team-security"],"latest_commit_sha":null,"homepage":"https://keydesk.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fastogt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-11T02:29:29.000Z","updated_at":"2026-04-11T03:17:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fastogt/keydesk","commit_stats":null,"previous_names":["fastogt/keydesk"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/fastogt/keydesk","repository_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/fastogt%2Fkeydesk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastogt%2Fkeydesk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastogt%2Fkeydesk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastogt%2Fkeydesk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fastogt","download_url":"https://codeload.github.com/fastogt/keydesk/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastogt%2Fkeydesk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31779959,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T02:24:21.117Z","status":"ssl_error","status_checked_at":"2026-04-14T02:24:20.627Z","response_time":153,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-management","chrome-extension","corporate-security","credential-manager","cybersecurity","devops","employee-offboarding","golang","identity-management","open-source","password-manager","privileged-access","secret-management","self-hosted","shared-accounts","sysadmin","team-security"],"created_at":"2026-04-14T03:03:59.391Z","updated_at":"2026-04-14T03:03:59.569Z","avatar_url":"https://github.com/fastogt.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# KeyDesk\n\n**Self-hosted corporate credential manager. Employees use company accounts without seeing passwords.**\n\nShare company credentials on onboarding. Revoke everything in one click on offboarding. Chrome extension lets employees log in to company accounts — LinkedIn, Gmail, Reddit, AWS, Stripe — without ever seeing a password.\n\n## The Problem\n\nYour company has shared accounts — Gmail, LinkedIn, Reddit, AWS, Stripe.\nYou track them in a spreadsheet. Someone gets fired. You forget to change 3 passwords.\nEx-employee still has your company LinkedIn.\n\n## The Solution\n\nKeyDesk is a self-hosted credential desk for your company.\nAdd accounts. Assign to employees. They log in via Chrome extension — no passwords visible.\nSomeone leaves? 
One click — all access revoked, all passwords rotated.\n\n## Features\n\n- **Credential vault** — encrypted storage (AES-256-GCM) for passwords, API keys, tokens, OAuth credentials, TOTP seeds\n- **Give / take access** — assign company accounts to employees, track who has what\n- **Chrome extension** — employees log in to company accounts without seeing passwords\n- **One-click offboarding** — revoke all access, rotate all passwords, reassign services\n- **Service credentials** — track API keys with expiry dates, get warnings before they expire\n- **TOTP auto-fill** — extension handles 2FA codes automatically\n- **Full audit log** — who accessed what, when, given by whom\n- **Single binary** — one `.deb` package, one systemd service, SQLite database\n- **No Docker required** — standard Linux daemon, installs like nginx\n\n## Quick Start\n\n```bash\n# Download latest release\nwget https://github.com/fastogt/keydesk/releases/latest/download/keydesk-1.0.0.1-amd64.deb\n\n# Install\nsudo dpkg -i keydesk-1.0.0.1-amd64.deb\n\n# Edit config (set jwt_secret and vault_master_key)\nsudo nano /etc/keydesk.conf\n\n# Start\nsudo systemctl start keydesk\nsudo systemctl enable keydesk\n\n# Create admin user\nsudo keydesk create-admin --email admin@company.com --password changeme\n\n# Open browser\n# http://localhost:6690\n```\n\n## Chrome Extension\n\nInstall from [Chrome Web Store](#) or load unpacked from the `extension/` directory.\n\n1. Employee installs the extension\n2. Enters KeyDesk server URL and their Person ID\n3. Extension shows their assigned accounts\n4. 
Click **Open** — logged in automatically, password never visible\n\nOn managed corporate laptops with DevTools disabled, employees physically cannot extract passwords.\n\n## How It Works\n\n```\nAdmin adds company accounts (LinkedIn, Gmail, AWS, Stripe...)\n     ↓\nAdmin assigns accounts to employees\n     ↓\nEmployee opens Chrome → extension shows their accounts\n     ↓\nEmployee clicks [Open] → logged in, password never visible\n     ↓\nEmployee fired → admin clicks [Offboard] → done\n     ↓\nAll passwords rotated, remaining users notified\n```\n\n## Why Not...\n\n| Tool | Problem |\n|------|---------|\n| **Spreadsheet** | No security, no tracking, forget to revoke |\n| **Bitwarden / 1Password** | No assignment tracking, no offboarding automation, employee sees all passwords |\n| **CyberArk** | $200k+/year, 6 months to deploy, needs 8-10 Windows servers |\n| **KeyDesk** | Free, self-hosted, 5-minute install, employees never see passwords |\n\n## Tech Stack\n\n- **Backend:** Go, Chi, SQLite, AES-256-GCM encryption\n- **Frontend:** TypeScript, esbuild, custom CSS\n- **Extension:** Chrome Manifest V3\n- **Packaging:** `.deb` / `.rpm` via nfpm, systemd service\n- **Dependencies:** gofastogt, logrus, jwt-go\n\n## Configuration\n\n```yaml\n# /etc/keydesk.conf\nsettings:\n  host: 127.0.0.1:6690\n  log_path: ~/keydesk.log\n  log_level: INFO\n  database: /var/lib/keydesk/keydesk.db\n  jwt_secret: \"YOUR_SECRET_HERE\"\n  vault_master_key: \"YOUR_32_BYTE_HEX_KEY\"\n```\n\nGenerate a vault master key:\n```bash\nopenssl rand -hex 32\n```\n\n## Building from Source\n\n```bash\n# Prerequisites: Go 1.25+, Node.js 20+, npm\n\n# Clone\ngit clone https://github.com/fastogt/keydesk.git\ncd keydesk\n\n# Development setup\nmake dev-setup\n\n# Build\nmake build\n\n# Run locally\n./build/bin/keydesk --config config/keydesk.conf --no-pid-file\n\n# Build .deb package\nmake package-deb-amd64\n```\n\n## API\n\nAll responses follow the `{\"data\": {...}}` / `{\"error\": {\"code\": N, 
\"message\": \"...\"}}` envelope.\n\n### Admin API\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| POST | `/api/auth/login` | Admin login (email + password → JWT) |\n| GET | `/api/dashboard` | Stats, warnings, recent activity |\n| GET/POST | `/api/people` | List / create people |\n| GET/PUT/DELETE | `/api/people/:id` | Get / update / delete person |\n| POST | `/api/people/:id/offboard` | One-click offboarding |\n| GET/POST | `/api/accounts` | List / create accounts |\n| GET/PUT/DELETE | `/api/accounts/:id` | Get / update / delete account |\n| POST | `/api/accounts/:id/reveal` | Decrypt and return password |\n| POST | `/api/accounts/:id/rotate` | Generate new password |\n| GET/POST | `/api/services` | List / create services |\n| POST | `/api/credentials` | Add credential to service |\n| POST | `/api/credentials/:id/reveal` | Decrypt credential value |\n| POST | `/api/assignments` | Give account to person |\n| DELETE | `/api/assignments/:id` | Take account back |\n\n### Extension API\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| POST | `/api/ext/auth` | Extension login (person_id → JWT) |\n| GET | `/api/ext/accounts` | List assigned accounts |\n| POST | `/api/ext/credentials/:id` | Get credentials for auto-fill |\n| GET | `/api/ext/match?url=` | Check if URL matches an account |\n| POST | `/api/ext/totp/:id` | Get current TOTP code |\n\n## License\n\nApache 2.0\n\n## Contributing\n\nIssues and PRs welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n---\n\nBuilt by [FastoCloud](https://github.com/fastogt)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastogt%2Fkeydesk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffastogt%2Fkeydesk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastogt%2Fkeydesk/lists"}