{"slug": "show-hn-cloak-let-ai-agents-use-your-api-keys-without-ever-seeing-them", "title": "Show HN: Cloak – let AI agents use your API keys without ever seeing them", "summary": "Cloak, a new open-source tool, lets AI agents use API keys without exposing them to the model by storing keys in an encrypted local vault and proxying requests. The tool, available for macOS and Linux, prevents key leakage from prompt injection attacks and supports services like Stripe and OpenAI.", "body_md": "**Stop pasting API keys into your AI.**\n\nCloak lets your agents use your keys without ever seeing them.\n\n*An agent using your Stripe key without ever seeing it. The model only handled the name; the value never left Cloak.*\n\nHand an AI agent an API key and you've handed it to the model: its context, its provider's logs, and anyone who can read them. One prompt injection and the key walks out the door.\n\nCloak keeps your keys in an encrypted vault on your machine, where your agent can use them but never read them. The agent asks Cloak to make the call, Cloak attaches the key and returns only the result, and the value never enters the model.\n\n**No `read_secret` tool.** The agent can list, sign, proxy, and mint. It cannot read a stored value.\n\n**Allowlisted by default.** A key reaches a host only if you approved it.\n\n**Local only.** No account, no cloud, no telemetry.\n\n**Signed releases.** macOS-notarized, cosign-signed, SLSA L3-attested.\n\nmacOS (arm64/x64) and Linux (x64 glibc):\n\n```\nbrew install cloakward/cloak/cloak\ncloak setup                     # creates the vault, starts the daemon, connects your AI clients\ncloak import .env               # pull every key you already have into the encrypted vault\n```\n\nThat works for any secret: an LLM key, a payments key, a cloud credential, a git token. Add them one at a time instead with `cloak add OPENAI_API_KEY`.\n\nEvery secret starts denied. Allow each key to reach a host with one command, applied live with no daemon restart:\n\n```\ncloak allow OPENAI_API_KEY api.openai.com\ncloak allow STRIPE_SECRET_KEY api.stripe.com\ncloak policy                    # see what each key can reach\n```\n\nPrefer a file? The same rules live in `policy.toml`, one `[[secrets]]` block per secret. Remove a host with `cloak deny`.\n\nYour agent can now use any of them, in plain English. One worked example:\n\nYou: test my checkout: create a $50 Stripe PaymentIntent with pm_card_visa and confirm it succeeded.\n\nThe agent calls `proxy_authenticated_http_request`. Cloak attaches `STRIPE_SECRET_KEY`, sends the request to Stripe, and returns only the result. This is a real one, captured in test mode:\n\n```\nproxy_authenticated_http_request  →  POST https://api.stripe.com/v1/payment_intents\n\nStatus 200\n{\n  \"id\": \"pi_3ThFkTKCZ65x2cgg0rzmsrj3\",\n  \"amount\": 5000,\n  \"amount_received\": 5000,\n  \"currency\": \"usd\",\n  \"livemode\": false\n}\n```\n\nA real $50 charge went through. The `STRIPE_SECRET_KEY` that authorized it, which can refund every charge and drain the account, appears nowhere in what the model received.\n\n`cloak setup` connects whichever of Claude Desktop, Claude Code, Cursor, Windsurf, Zed, Continue.dev, and Codex it finds installed. The [quickstart](/cloakward/cloak/blob/main/docs/QUICKSTART.md) covers Linux, Docker, and the Claude Desktop extension.\n\nThree pieces:\n\n`cloak`: the CLI you use to add and manage secrets.\n\n`cloakd`: a local daemon that holds the keys and does the privileged work.\n\n`cloak-mcp`: the MCP server your AI client connects to.\n\nYour agent calls a tool on `cloak-mcp`. `cloakd` checks your policy, attaches the secret only for the allowed request, and returns the result. The stored key never reaches the agent or model.\n\nCloak stops your long-lived key from leaking. It does not make a hijacked agent harmless: a minted token or a proxied response still goes to the agent, and an agent can still misuse the access you allowlisted. It is built for a single-user machine; root and compromised hosts are out of scope. The [threat model](/cloakward/cloak/blob/main/docs/THREAT_MODEL.md) is honest about the rest.\n\nApache-2.0. See [LICENSE](/cloakward/cloak/blob/main/LICENSE).", "url": "https://wpnews.pro/news/show-hn-cloak-let-ai-agents-use-your-api-keys-without-ever-seeing-them", "canonical_source": "https://github.com/cloakward/cloak", "published_at": "2026-06-21 13:41:29+00:00", "updated_at": "2026-06-21 14:05:02.352098+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "developer-tools"], "entities": ["Cloak", "Stripe", "OpenAI", "Claude", "Cursor", "Windsurf", "Zed", "Continue.dev"], "alternates": {"html": "https://wpnews.pro/news/show-hn-cloak-let-ai-agents-use-your-api-keys-without-ever-seeing-them", "markdown": "https://wpnews.pro/news/show-hn-cloak-let-ai-agents-use-your-api-keys-without-ever-seeing-them.md", "text": "https://wpnews.pro/news/show-hn-cloak-let-ai-agents-use-your-api-keys-without-ever-seeing-them.txt", "jsonld": "https://wpnews.pro/news/show-hn-cloak-let-ai-agents-use-your-api-keys-without-ever-seeing-them.jsonld"}}