Show HN: Cloak – let AI agents use your API keys without ever seeing them

Cloak, a new open-source tool, lets AI agents use API keys without exposing them to the model by storing keys in an encrypted local vault and proxying requests. The tool, available for macOS and Linux, prevents key leakage from prompt injection attacks and supports services like Stripe and OpenAI.

Stop pasting API keys into your AI. Cloak lets your agents use your keys without ever seeing them. An agent using your Stripe key without ever seeing it. The model only handled the name; the value never left Cloak. Watch in HD. Hand an AI agent an API key and you've handed it to the model: its context, its provider's logs, and anyone who can read them. One prompt injection and the key walks out the door. Cloak keeps your keys in an encrypted vault on your machine, where your agent can use them but never read them. It asks Cloak to make the call, Cloak attaches the key and returns only the result, and the value never enters the model. No The agent can list, sign, proxy, and mint. It cannot read a stored value. read secret tool. Allowlisted by default. A key reaches a host only if you approved it. Local only. No account, no cloud, no telemetry. Signed releases. macOS-notarized, cosign-signed, SLSA L3-attested. macOS arm64/x64 and Linux x64 glibc : brew install cloakward/cloak/cloak cloak setup creates the vault, starts the daemon, connects your AI clients cloak import .env pull every key you already have into the encrypted vault That works for any secret: an LLM key, a payments key, a cloud credential, a git token. Add them one at a time instead with cloak add OPENAI API KEY . Every secret starts denied. Allow each key to reach a host with one command, applied live with no daemon restart: cloak allow OPENAI API KEY api.openai.com cloak allow STRIPE SECRET KEY api.stripe.com cloak policy see what each key can reach Prefer a file? The same rules live in policy.toml , one secrets block per secret. Remove a host with cloak deny . Your agent can now use any of them, in plain English. One worked example: You:test my checkout: create a $50 Stripe PaymentIntent with pm card visa and confirm it succeeded. The agent calls proxy authenticated http request . Cloak attaches STRIPE SECRET KEY , sends the request to Stripe, and returns only the result. This is a real one, captured in test mode: proxy authenticated http request → POST https://api.stripe.com/v1/payment intents Status 200 { "id": "pi 3ThFkTKCZ65x2cgg0rzmsrj3", "amount": 5000, "amount received": 5000, "currency": "usd", "livemode": false } A real $50 charge went through. The STRIPE SECRET KEY that authorized it, which can refund every charge and drain the account, appears nowhere in what the model received. cloak setup connects Claude Desktop, Claude Code, Cursor, Windsurf, Zed, Continue.dev, and Codex that it finds installed. The quickstart /cloakward/cloak/blob/main/docs/QUICKSTART.md covers Linux, Docker, and the Claude Desktop extension. Three pieces: : the CLI you use to add and manage secrets. cloak : a local daemon that holds the keys and does the privileged work. cloakd : the MCP server your AI client connects to. cloak-mcp Your agent calls a tool on cloak-mcp . cloakd checks your policy, attaches the secret only for the allowed request, and returns the result. The stored key never reaches the agent or model. Cloak stops your long-lived key from leaking. It does not make a hijacked agent harmless: a minted token or a proxied response still goes to the agent, and an agent can still misuse the access you allowlisted. It is built for a single-user machine; root and compromised hosts are out of scope. The threat model /cloakward/cloak/blob/main/docs/THREAT MODEL.md is honest about the rest. Apache-2.0. See LICENSE /cloakward/cloak/blob/main/LICENSE .