Blind AI to Your API Keys

Encrypted secrets vault for AI agents. Secrets are resolved at runtime, never leaked to LLM conversations.

npm install -g keyblind && keyblind init && keyblind setup-mcp
Three commands. Works from any directory. Zero telemetry.

GitHub →

How It Works

Three commands. Your secrets stay secret.
1

Store Your Secrets

Encrypt API keys, tokens, and passwords into a local AES-256-GCM vault.


echo "sk-abc123" | keyblind set OPENAI_API_KEY
2

Connect Your AI

One command to configure Claude Code, Cursor, Copilot, Windsurf, Cline, or Zed.


keyblind setup-mcp
3

AI Resolves at Runtime

Your AI agent resolves secrets when needed. The values never appear in chat.


keyblind sandbox && keyblind run -- npm start
Claude Code Cursor Copilot Windsurf Cline Zed

More Than a Vault

16 MCP tools. One CLI. No network calls.
🔒

AES-256-GCM Vault

Encrypted SQLite. Machine-identity-bound key. Zero network.

🔑

7 Backends

Local, 1Password, Bitwarden, env vars, AWS, GCP, Azure.

📦

Sandbox

Deterministic HMAC-SHA256 fakes. Clean git diffs. Safe for AI review.

TOTP / HOTP

Built-in 2FA code generation. No phone needed. Zero deps.

🔗

Secret Sharing

AES-256-GCM encrypted URL fragments. Time-limited. View-limited.

Dead Man's Switch

Auto-release vault to contacts if you don't check in.

👥

Team Vaults

Git-safe shared vault. Passphrase-protected. PBKDF2 key derivation.

🔑

SSO / OIDC

Team vault access via Google, Okta, or any OIDC provider.

📧

Alerts

Slack and Discord webhooks for secret expiry and vault events.

Pricing

Start free. Upgrade when you need more.

Free

$0
forever
  • 5 secrets
  • Local vault (AES-256-GCM)
  • Sandbox / Unsandbox
  • MCP server (16 tools)
  • 7 backends
  • TOTP / Sharing / Dead Man
  • Team vaults
  • Audit log
  • Secret rotation
  • CI/CD integration
Get Started

Team

$29
/ user / month
  • Everything in Pro
  • Centralized admin
  • Shared vault policies
  • SSO / OIDC
  • Audit export
  • Priority support
Coming Soon

Keyblind vs Cloak

Why Keyblind is the right choice for AI-era secret management.
Feature Keyblind Cloak
Protocol MCP (every AI tool) VS Code / Cursor only
Editors supported 6 (Claude Code, Cursor, Copilot, Windsurf, Cline, Zed) 2 (VS Code, Cursor)
Encryption AES-256-GCM + machine-identity-bound key AES-256-GCM
Backends 7 (local, 1Password, Bitwarden, AWS, GCP, Azure, env) 1 (local)
Sandbox Deterministic HMAC-SHA256 fakes Random placeholders
TOTP / 2FA built-in Yes No
Secret sharing Encrypted URL fragments No
Dead man's switch Yes No
Team vaults Git-safe, passphrase-protected No
Dashboard Web dashboard (app.keyblind.dev) No
Browser extension Chrome (paste interception) No
License MIT (open source) Proprietary
Pricing Free tier + $79/yr Pro $8/mo ($96/yr)

Documentation

Everything you need to get started and go deep.

Getting Started

Install, init, first secret, sandbox walkthrough.

CLI Reference

All 40+ commands with examples and flags.

MCP Integration

16 MCP tools with parameter schemas and usage patterns.

Editor Setup

Per-editor config for Claude Code, Cursor, Copilot, and more.

Security

Threat model, cryptographic architecture, attack surface analysis.

Recipes

CI/CD, Docker, pre-commit, sharing, TOTP, multi-machine sync.

FAQ

Common questions about setup, security, licensing, and teams.

Trusted by Developers

"Finally: an MCP-native secrets manager that actually works across all my editors. The sandbox feature alone saved me from leaking keys to Claude Code twice."

Alex R., Senior Engineer

"We run Keyblind in CI to sandbox .env files before AI code review. Clean diffs, real secrets never exposed. It's part of our standard dev setup now."

Jordan M., DevOps Lead

"Switched from hand-managing .env files to Keyblind. The dead man's switch gives me peace of mind for our team vault access."

Sam T., CTO at 12-person startup