macOS · Local-first · Encrypted · Free

Your API keys,
finally secure.

Stop storing API keys in Notes. Keycard encrypts them locally and injects them into any terminal session — no cloud, no leaks, no drama.

↓ Download for macOS See how it works
~/projects/my-app
$ keycard run --profile dev -- cargo build   ✓ Vault unlocked   ✓ Injected OPENAI_API_KEY, ANTHROPIC_API_KEY   Compiling my-app v0.1.0   Finished in 3.4s $
// The problem

Where do your API keys actually live right now?

Most developers have an uncomfortable answer to this question.

📝

Notes app

Plain text. Synced to iCloud. Backed up everywhere. One breach and they're gone.

🗂

.env files

One accidental git add . away from a public repo. Or scattered across 10 project folders.

🧠

Memory

Fine until you rotate a key. Then spend 45 minutes finding everywhere you used it.

💳

Password manager

No CLI injection. Copy → paste → forget to clear clipboard. No profile support.

// How it works

Encrypted vault. One command to use it.

Keycard stores every key encrypted on your machine and injects them exactly where you need them.

01 / STORE

Save keys from your clipboard

Hit ⌘⇧K anywhere. Keycard catches whatever is in your clipboard, detects the key type, and encrypts it with XChaCha20-Poly1305. No cloud. The vault lives at ~/Library/Application Support/Keycard/vault.db.

# Quick-save from clipboard $ keycard add --alias "openai-prod"   Provider: OpenAI  Secret: ••••••••••••••••  ✓ Encrypted and saved
02 / ORGANIZE

Group keys into profiles

Map keys to environment variables per profile. dev uses your personal keys, prod uses the real ones. Switch context in one flag.

# Export env vars for a profile $ eval "$(keycard env --profile dev )"   export OPENAI_API_KEY='sk-...'  export ANTHROPIC_API_KEY='sk-ant-...'  export REPLICATE_API_TOKEN='r8_...'
03 / RUN

Inject and run, no shell pollution

keycard run injects keys only into that subprocess — they never touch your shell environment. The process exits, the keys are gone.

# Keys injected, never exported $ keycard run --profile prod -- python deploy.py   ✓ 4 keys injected into subprocess  Deploying to production...  Done. Keys cleared from memory.
// Features

Everything in one place.

Built for developers who use many APIs and want to stay sane.

🔐

XChaCha20-Poly1305

Per-secret encryption. Argon2id key derivation. The vault is useless without your master password.

💻

Desktop app

Native macOS app with tray icon, global shortcut, and quick-save window. No Electron.

⌨️

CLI first

keycard env and keycard run work anywhere in your terminal workflow.

📋

Clipboard capture

Press ⌘⇧K to save whatever is in your clipboard. Auto-detects OpenAI, Anthropic, and other key formats.

🗂

Profiles

dev, staging, prod — map the same env var name to different keys per profile. Switch with one flag.

🛡

Fully local

SQLite vault on your machine. No account. No cloud sync. No network requests. Nothing leaves your disk.

🔒

Passwords too

Separate tab for site logins, Wi-Fi passwords, and any other credentials you want to keep encrypted.

Saved commands

Save your frequently used CLI commands with their profiles. Run them without retyping every time.

// Pricing

One-time. Yours forever.

Pay once, use forever. No subscriptions, no recurring fees.

Early Bird · First 100
$9
$15
one-time · includes 1 year of updates
  • Encrypted local vault (XChaCha20-Poly1305)
  • Desktop app for macOS
  • CLI: keycard env + keycard run
  • Unlimited API keys & profiles
  • Clipboard quick-save (⌘⇧K)
  • Password storage tab
  • 1 year of free updates
  • Lifetime license — own it forever
Buy now →

Launching in 2026 · Early bird pricing ends at launch

// Early access

Be the first to know.

Keycard is in active development. Get notified when it launches — and lock in early bird pricing.

// Get started

Download Keycard

macOS · Free during early access

↓ Apple Silicon (.dmg) ↓ Intel (.dmg)

View all releases on GitHub →

macOS 13+Apple SiliconIntel