Stop pasting API keys into your AI.
Cloak lets your agents use your keys without ever seeing them.
An agent using your Stripe key without ever seeing it. The model only handled the name; the value never left Cloak. Watch in HD.
Hand an AI agent an API key and you've handed it to the model: its context, its provider's logs, and anyone who can read them. One prompt injection and the key walks out the door.
Cloak keeps your keys in an encrypted vault on your machine, where your agent can use them but never read them. It asks Cloak to make the call, Cloak attaches the key and returns only the result, and the value never enters the model.
No The agent can list, sign, proxy, and mint. It cannot read a stored value.read_secret
tool.Allowlisted by default. A key reaches a host only if you approved it.Local only. No account, no cloud, no telemetry.Signed releases. macOS-notarized, cosign-signed, SLSA L3-attested.
macOS (arm64/x64) and Linux (x64 glibc):
brew install cloakward/cloak/cloak
cloak setup # creates the vault, starts the daemon, connects your AI clients
cloak import .env # pull every key you already have into the encrypted vault
That works for any secret: an LLM key, a payments key, a cloud credential, a git token. Add them one at a time instead with cloak add OPENAI_API_KEY
.
Every secret starts denied. Allow each key to reach a host with one command, applied live with no daemon restart:
cloak allow OPENAI_API_KEY api.openai.com
cloak allow STRIPE_SECRET_KEY api.stripe.com
cloak policy # see what each key can reach
Prefer a file? The same rules live in policy.toml
, one [[secrets]]
block per secret. Remove a host with cloak deny
.
Your agent can now use any of them, in plain English. One worked example:
You:test my checkout: create a $50 Stripe PaymentIntent with pm_card_visa and confirm it succeeded.
The agent calls proxy_authenticated_http_request
. Cloak attaches STRIPE_SECRET_KEY
, sends the request to Stripe, and returns only the result. This is a real one, captured in test mode:
proxy_authenticated_http_request → POST https://api.stripe.com/v1/payment_intents
Status 200
{
"id": "pi_3ThFkTKCZ65x2cgg0rzmsrj3",
"amount": 5000,
"amount_received": 5000,
"currency": "usd",
"livemode": false
}
A real $50 charge went through. The STRIPE_SECRET_KEY
that authorized it, which can refund every charge and drain the account, appears nowhere in what the model received.
cloak setup
connects Claude Desktop, Claude Code, Cursor, Windsurf, Zed, Continue.dev, and Codex that it finds installed. The quickstart covers Linux, Docker, and the Claude Desktop extension.
Three pieces:
: the CLI you use to add and manage secrets.cloak
: a local daemon that holds the keys and does the privileged work.cloakd
: the MCP server your AI client connects to.cloak-mcp
Your agent calls a tool on cloak-mcp
. cloakd
checks your policy, attaches the secret only for the allowed request, and returns the result. The stored key never reaches the agent or model.
Cloak stops your long-lived key from leaking. It does not make a hijacked agent harmless: a minted token or a proxied response still goes to the agent, and an agent can still misuse the access you allowlisted. It is built for a single-user machine; root and compromised hosts are out of scope. The threat model is honest about the rest.
Apache-2.0. See LICENSE.