Keys Manager

A skill for managing API keys and secrets locally using the keys CLI tool.

Installation

The keys CLI must be installed first:

CODEBLOCK0

Or with Go:

CODEBLOCK1

Commands

Store a key

CODEBLOCK2

If the key already exists, the user is prompted to overwrite, edit, or cancel.

Retrieve a key

CODEBLOCK3

Browse keys interactively

CODEBLOCK4

Opens a TUI with fuzzy search, checkboxes, clipboard copy, and age indicators.

• - space — toggle selection
• INLINECODE3 — copy selected as INLINECODE4
• INLINECODE5 — copy selected as INLINECODE6
• INLINECODE7 — export selected to .env file
• INLINECODE9 — add a new key (when no matches found)
• INLINECODE10 — quit

Masked view

CODEBLOCK5

Same as see but values are hidden as ***. Press r to reveal individual keys. Useful for screen-sharing.

Edit a key

CODEBLOCK6

Opens a TUI editor. tab switches fields, enter saves, esc cancels.

Delete a key

CODEBLOCK7

Export keys

CODEBLOCK8

Import from .env

CODEBLOCK9

Parses .env files — handles comments, quotes, and export prefixes. Reports new vs updated counts.

Profiles

Isolate keys by project or environment:

CODEBLOCK10

All add, get, rm, see, and other commands operate within the active profile.

Inject keys into commands

CODEBLOCK11

Outputs keys as space-separated KEY=VAL pairs (or -e KEY=VAL with --docker) for use in command substitution.

Audit key access

CODEBLOCK12

Tracks when keys are accessed via get, inject, and expose. Useful for understanding which keys agents and scripts are using.

Check required keys

CODEBLOCK13

Reads key names from a file (one per line, # comments supported) and reports which are present or missing. Exits with code 1 if any are missing — useful for CI and agent pre-flight checks.

Example .keys.required:
CODEBLOCK14

Sync keys between machines

CODEBLOCK15

Peer-to-peer sync over the local network. Auto-discovers peers via mDNS (Bonjour), encrypted with a one-time passphrase (AES-256-GCM). Works over WiFi, Tailscale, or any reachable network. Smart merge: adds new keys, updates older ones, skips newer local ones.

Delete all keys

CODEBLOCK16

Requires typing nuke to confirm. Only affects the active profile.

Version

CODEBLOCK17

Authentication

On macOS, keys prompts for Touch ID before any command that accesses keys. Authentication is cached per terminal session — the first command triggers Touch ID, subsequent commands in the same shell skip the prompt.

Commands that skip authentication: profile, completion, version, help.

On non-macOS systems or when biometrics are unavailable, access is allowed without prompting.

Examples

Typical workflow

CODEBLOCK18

Multi-project setup

CODEBLOCK19

Quick export to shell

CODEBLOCK20

Guidelines

• - Always use keys get <name> when the user knows the exact key name
• Use keys get (no args) when the user wants to search/pick interactively
• Use keys peek instead of keys see when the user is screen-sharing or wants masked output
• Use keys profile to separate keys across different projects or environments
• Use keys import for bulk loading from existing .env files
• Suggest keys env when the user needs to generate a .env file for a specific project
• Use keys inject when the user wants to pass keys directly to a command or Docker container without creating files
• Use keys audit to review which keys are being accessed and how often
• Use keys check before running agents to verify all required keys are available
• Use keys sync serve + keys sync pull to transfer keys between machines without cloud services