enveigh docs

What is enveigh?

A native macOS secrets vault built for the age of coding agents — agents use your API keys without ever seeing them.

enveigh keeps your API keys, tokens, and connection strings in a local, encrypted vault on your Mac — and hands them to your tools at runtime, so they never sit in a repo, a .env file, a shell history, or an AI agent's context window.

The core idea is use, don't see: an agent (Claude Code, Cursor, Codex, …) can run your test suite, your dev server, or your deploy with every secret present as an environment variable — while the values are redacted from everything the agent reads back. The model never receives a plaintext key.

The enveigh vault — secrets with rotation status on macOS

The CLI and your agents — a 37-second walkthrough

Why this exists — in 35 seconds

How the pieces fit

| Piece | What it is | Sees plaintext? |
| --- | --- | --- |
| The app | The vault UI: secrets, environments, rotation, audit log, Touch ID lock | Yes — it is the vault |
| macOS Keychain | Where every secret value actually lives, device-only | |
| The broker | A local socket the unlocked app exposes, so tools can request values | Yes (it serves them, policy-gated) |
| enveigh CLI | Your terminal tool: enveigh run --env prod -- ./deploy.sh | Injects values into your command |
| enveigh-mcp | The MCP server agents talk to | No — output is redacted by default |

Three properties hold everywhere:

  1. Values live in the Keychain, encrypted at rest, and only flow while the app is running and unlocked. Lock the app (or quit it) and every path goes dark.
  2. Every value access is audited — reveal, render, export, CLI, and agent access all land in a local audit log before the value is released.
  3. Agents get a working environment, not keys. The default agent tool runs your command with secrets injected and returns output with the values redacted.
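A minimal sketch of the third property, with the audit-before-release ordering of the second, added here as an illustration: it is not enveigh's code, and this page does not describe how enveigh implements redaction. The function names, the `[REDACTED:NAME]` marker, the sample key and the leaky child process are all assumptions, and the sketch goes one step beyond literal matching by also masking base64, hex and URL-encoded forms of each value.

```python
import base64
import os
import subprocess
import sys
import time
import urllib.parse

def variants(value):
    """Forms a secret commonly takes when a tool echoes it back."""
    raw = value.encode()
    return {value, base64.b64encode(raw).decode(), raw.hex(),
            urllib.parse.quote(value, safe="")}

def redact(text, secrets):
    """Replace every known form of every secret with a named marker."""
    pairs = [(form, name) for name, value in secrets.items() if value
             for form in variants(value)]
    # Longest form first, so a shorter form never splits a longer one.
    for form, name in sorted(pairs, key=lambda p: len(p[0]), reverse=True):
        text = text.replace(form, f"[REDACTED:{name}]")
    return text

def run_redacted(argv, secrets, audit_log):
    """Run argv with secrets in its environment; return only redacted output."""
    # Audit first: names only, never values, recorded before release.
    audit_log.append({"ts": time.time(), "action": "inject",
                      "names": sorted(secrets), "argv": list(argv)})
    proc = subprocess.run(argv, env={**os.environ, **secrets},
                          capture_output=True, text=True)
    return proc.returncode, redact(proc.stdout, secrets), redact(proc.stderr, secrets)

# Constructed sample: a fake key and a child process that leaks it two ways.
SAMPLE_SECRETS = {"API_KEY": "sk-constructed-123456"}
LEAKY_CHILD = [sys.executable, "-c",
               "import os, base64; k = os.environ['API_KEY']; "
               "print('auth ok with', k); "
               "print(base64.b64encode(k.encode()).decode())"]

if __name__ == "__main__":
    log = []
    code, out, err = run_redacted(LEAKY_CHILD, SAMPLE_SECRETS, log)
    print(out, end="")
    print(log[0]["names"])
```

Matching covers only the forms listed in `variants`, so in this sketch redaction is a backstop that sits alongside the lock and audit properties rather than replacing them.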

Where to go next

  • Quickstart — install, import your .env files, connect your agents.
  • CLI reference — every command, with examples.
  • MCP server — the agent tools, per-client scoping, and the reveal opt-in.
  • Security model — exactly what protects what, and from whom.
