
Show HN: Cloak – let AI agents use your API keys without ever seeing them

Cloak is a local encrypted vault that lets AI agents use API keys without exposing the keys themselves. It proxies requests and enforces policies to prevent key leakage, supporting macOS and Linux with compatibility for multiple AI clients.

Source: Hacker News AI. Author: VarunMenon

Repository layout (148 commits): .cargo, .github, crates, docs, packages/cloak-mcp, packaging, scripts, .dockerignore, .gitignore, CHANGELOG.md, CONTRIBUTING.md, Cargo.lock, Cargo.toml, Cross.toml, Dockerfile, LICENSE, README.md, SECURITY.md, deny.toml, rust-toolchain.toml

Stop pasting API keys into your AI.

Cloak lets your agents use your keys without ever seeing them.

Demo: an agent using your Stripe key without ever seeing it. The model only handled the name; the value never left Cloak.

Hand an AI agent an API key and you've handed it to the model: its context, its provider's logs, and anyone who can read them. One prompt injection and the key walks out the door.

Cloak keeps your keys in an encrypted vault on your machine, where your agent can use them but never read them. The agent asks Cloak to make the call, Cloak attaches the key and returns only the result, and the key's value never enters the model.

No read_secret tool. The agent can list, sign, proxy, and mint. It cannot read a stored value.

Allowlisted by default. A key reaches a host only if you approved it.

Local only. No account, no cloud, no telemetry.

Signed releases. macOS-notarized, cosign-signed, SLSA L3-attested.


Quickstart

macOS (arm64/x64) and Linux (x64 glibc):

```sh
brew install cloakward/cloak/cloak
cloak setup        # creates the vault, starts the daemon, connects your AI clients
cloak import .env  # pull every key you already have into the encrypted vault
```

That works for any secret: an LLM key, a payments key, a cloud credential, a git token. Add them one at a time instead with cloak add OPENAI_API_KEY.

Every secret starts denied. Allow each key to reach a host with one command, applied live with no daemon restart:

```sh
cloak allow OPENAI_API_KEY api.openai.com
cloak allow STRIPE_SECRET_KEY api.stripe.com
cloak policy   # see what each key can reach
```

Prefer a file? The same rules live in policy.toml, one [[secrets]] block per secret. Remove a host with cloak deny.

Your agent can now use any of them, in plain English. One worked example:

You: test my checkout: create a $50 Stripe PaymentIntent with pm_card_visa and confirm it succeeded.

The agent calls proxy_authenticated_http_request. Cloak attaches STRIPE_SECRET_KEY, sends the request to Stripe, and returns only the result. This is a real one, captured in test mode:

```text
proxy_authenticated_http_request → POST https://api.stripe.com/v1/payment_intents

Status 200
{
  "id": "pi_3ThFkTKCZ65x2cgg0rzmsrj3",
  "amount": 5000,
  "amount_received": 5000,
  "currency": "usd",
  "livemode": false
}
```

A $50 PaymentIntent (5000 cents) was created and confirmed, in test mode. The STRIPE_SECRET_KEY that authorized it, a key that in live mode can refund every charge and drain the account, appears nowhere in what the model received.

cloak setup connects whichever of Claude Desktop, Claude Code, Cursor, Windsurf, Zed, Continue.dev, and Codex it finds installed. The quickstart covers Linux, Docker, and the Claude Desktop extension.

How it works

Three pieces:

cloak: the CLI you use to add and manage secrets.

cloakd: a local daemon that holds the keys and does the privileged work.

cloak-mcp: the MCP server your AI client connects to.

Your agent calls a tool on cloak-mcp. cloakd checks your policy, attaches the secret only for the allowed request, and returns the result. The stored key never reaches the agent or model.
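The policy check and credential attachment described above, together with the "no read_secret tool" and "allowlisted by default" properties from the feature list, as an added example in Rust. This is not Cloak's code: the `Vault`, `ProxyRequest` and `PolicyError` types, the exact-hostname matching rule, the `Bearer` header shape and the response scrubbing are assumptions about how such a daemon might behave, and the `send` closure stands in for the real HTTPS call so the block runs offline. The secret value and the fake upstream response are constructed.

```rust
use std::collections::HashMap;

/// One vault entry. The agent may learn the name; the value stays inside the vault.
struct Secret {
    value: String,
    allowed_hosts: Vec<String>, // exact lower-case hostnames; empty = denied everywhere
}

/// Stand-in for cloakd's vault and policy table (assumed shape, not Cloak's real code).
pub struct Vault {
    secrets: HashMap<String, Secret>,
}

/// What the agent hands to the proxy tool: a secret *name* and a URL, never a value.
pub struct ProxyRequest<'a> {
    pub secret_name: &'a str,
    pub url: &'a str,
}

#[derive(Debug, PartialEq)]
pub struct ProxyResponse {
    pub status: u16,
    pub body: String,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    UnknownSecret,
    BadUrl,
    HostNotAllowed(String),
}

/// Host of an https URL. Strict by design: the policy is keyed on the host, so anything
/// that could fool a naive match (userinfo before '@', non-https) is rejected, not guessed.
pub fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://")?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    let host = authority.split(':').next()?; // drop an explicit port
    Some(host.to_ascii_lowercase())
}

impl Vault {
    pub fn new() -> Self {
        Vault { secrets: HashMap::new() }
    }

    /// Like `cloak add NAME`: a new secret starts with no allowed hosts (denied by default).
    pub fn add(&mut self, name: &str, value: &str) {
        self.secrets.insert(name.to_string(), Secret { value: value.to_string(), allowed_hosts: Vec::new() });
    }

    /// Like `cloak allow NAME host`.
    pub fn allow(&mut self, name: &str, host: &str) -> Result<(), PolicyError> {
        let s = self.secrets.get_mut(name).ok_or(PolicyError::UnknownSecret)?;
        let h = host.to_ascii_lowercase();
        if !s.allowed_hosts.contains(&h) {
            s.allowed_hosts.push(h);
        }
        Ok(())
    }

    /// Like `cloak deny NAME host`.
    pub fn deny(&mut self, name: &str, host: &str) -> Result<(), PolicyError> {
        let s = self.secrets.get_mut(name).ok_or(PolicyError::UnknownSecret)?;
        let h = host.to_ascii_lowercase();
        s.allowed_hosts.retain(|x| *x != h);
        Ok(())
    }

    /// The only listing operation: sorted names, never values. There is no read_secret.
    pub fn list(&self) -> Vec<String> {
        let mut names: Vec<String> = self.secrets.keys().cloned().collect();
        names.sort();
        names
    }

    /// Policy check first, then credential attachment. `send` stands in for the real
    /// HTTPS call and receives the Authorization header value the daemon would attach.
    pub fn proxy<F>(&self, req: &ProxyRequest, send: F) -> Result<ProxyResponse, PolicyError>
    where
        F: Fn(&str, &str) -> (u16, String),
    {
        let secret = self.secrets.get(req.secret_name).ok_or(PolicyError::UnknownSecret)?;
        let host = host_of(req.url).ok_or(PolicyError::BadUrl)?;
        if !secret.allowed_hosts.iter().any(|h| *h == host) {
            return Err(PolicyError::HostNotAllowed(host));
        }
        let (status, body) = send(req.url, &format!("Bearer {}", secret.value));
        // Defence in depth: if the upstream ever echoes the credential, scrub it
        // before the body reaches the agent.
        Ok(ProxyResponse { status, body: body.replace(&secret.value, "[REDACTED]") })
    }
}

fn main() {
    let mut vault = Vault::new();
    vault.add("STRIPE_SECRET_KEY", "sk_test_constructed_example"); // constructed, not a real key
    vault.allow("STRIPE_SECRET_KEY", "api.stripe.com").unwrap();
    // Constructed stand-in for Stripe that echoes the header, so the scrubbing is visible.
    let fake_stripe = |_url: &str, auth: &str| (200u16, format!("{{\"seen\":\"{}\"}}", auth));
    let req = ProxyRequest { secret_name: "STRIPE_SECRET_KEY", url: "https://api.stripe.com/v1/payment_intents" };
    println!("{:?}", vault.proxy(&req, fake_stripe));
    let lookalike = ProxyRequest { secret_name: "STRIPE_SECRET_KEY", url: "https://api.stripe.com.evil.example/v1/x" };
    println!("{:?}", vault.proxy(&lookalike, fake_stripe));
}
```

The two checks worth copying are the ones a prompt-injected agent would probe: the host comparison is exact, so `api.stripe.com.evil.example` and a userinfo trick like `https://api.stripe.com@evil.example/` both fail closed, and the agent's only read path over the vault returns names.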

What it protects (and what it doesn't)

Cloak stops your long-lived key from leaking. It does not make a hijacked agent harmless: a minted token or a proxied response still goes to the agent, and an agent can still misuse the access you allowlisted. It is built for a single-user machine; root and compromised hosts are out of scope. The threat model is honest about the rest.

Documentation

Quickstart

Threat model

Security invariants

Architecture

MCP tools

FAQ

License

Apache-2.0. See LICENSE.

About

Local vault for AI agents. Use API keys without exposing raw stored keys to the model.

Topics: cli, security, vault, mcp, secrets, ai-agents, local-first, slsa, cosign


Stats: 13 stars, 0 watching, 0 forks. Releases: 17; latest Cloak v1.1.2 (Jun 18, 2026).


Languages: Rust 84.4%, TypeScript 11.7%, Shell 2.2%, JavaScript 1.1%, Dockerfile 0.6%