Key Ring

Key Ring

Your secrets, found.

A native macOS vault that scans your machine for every API key and keeps them one search away. Local-only. Touch ID protected.

Download for macOS
Key Ring command palette with search, commands, and recent keys
Key Ring
Search keys... ⌘K
OpenAI
sk-proj-****7xQ2
~/work/agent
Anthropic
sk-ant-****mN4k
~/mcp-server
Stripe
sk_live_****dW9p
~/api/.env
AWS
AKIA****R8FQ
~/.aws/creds
Vercel
vc_****x9Lm
~/deploy
macOS 14+
Platform
Touch ID
Auth
Local-only
Architecture
Menu bar
Access
18
Providers
Zero
Telemetry
10s
Auto-clear

API keys are everywhere. Managing them isn't.

Every tool, agent, and service wants an API key. But there's no single place to find them, track what they cost, or generate new ones without a scavenger hunt.

~/project-*/.env

Scattered across projects

Local, staging, production — every environment has its own secrets. Dozens of .env files across dozens of repos. No single view of what you have.

$0.00 → $???

No usage insights

Which keys are burning budget? Which ones expired? You only find out when something breaks or the bill arrives.

→ Settings → API → ???

Generating keys is a maze

Every provider buries their key generation page somewhere different. Find the dashboard, find the settings, find the API section, find the button. Every. Single. Time.

dev / staging / prod

Environments multiply fast

One project, three environments, five services each. That's 15 secrets to track before you've even shipped. It doesn't scale.

Generate

New key in
two clicks.

Need a fresh API key? Pick a provider and Key Ring opens the right page instantly. No hunting through dashboards, no bookmarks, no "where do I generate this again?"

Key Ring generate screen with provider shortcuts and a new project key form
Telemetry

Know what your
keys cost.

Track API usage and costs across providers. Key Ring reads local usage caches to surface spend without making a single network request. See which keys are burning budget from one view.

Key Ring telemetry dashboard with demo spend, token, and fingerprint charts
Search

One search.
Every key.

Raycast-style instant search across every project on your machine. Filter by provider, project, or status. Find any key in under a second.

Key Ring lookup screen showing detected demo API keys and local source paths
Search
openai
OpenAI
sk-proj-****7xQ2
~/work/agent
OpenAI
sk-prod-****mN4k
~/api-server
OpenAI
sk-test-****8dWp
~/sandbox
Scanner

Scan.
Don't remember.

Key Ring auto-scans your workspace on launch using ripgrep. It detects API keys from 18 providers across every .env, config, and source file.

Key Ring scanner screen with demo findings and fingerprint telemetry
Scanner
Scanning ~/Developer...
Found ANTHROPIC_API_KEY ~/work/mcp/.env
Found STRIPE_SECRET_KEY ~/api/.env.local
Found AWS_ACCESS_KEY_ID ~/.aws/credentials
Found GITHUB_TOKEN ~/dotfiles/.zshrc
Found VERCEL_TOKEN ~/deploy/.env
5 secrets found across 3 workspaces
Rotation

Rotate once.
Update local envs.

When a key changes, Key Ring can find matching local references and offer a redacted update review before touching files.

  • Plain .env updates with timestamped backups
  • dotenvx encrypted import and re-encrypt through local .env.keys
  • Conflict checks when a file changed since the vault value was saved
Rotation Review
Ready OPENAI_API_KEY ~/agent/.env
Ready ANTHROPIC_API_KEY ~/api/.env.stg
Conflict STRIPE_SECRET_KEY ~/billing/.env.local
Backups are created before every selected write
2FA

Codes in
the menu bar.

Import authenticator setup URLs, Base32 secrets, QR screenshots, uploaded images, Google Authenticator migration QR codes, and one-time recovery-code lists. Codes refresh locally and copy from the menu bar when you need them.

Key Ring two-factor screen with sanitized demo authenticator codes
Security

Touch ID.
Not trust.

Every secret is locked behind biometric authentication. When you copy a key, it's cleared from your clipboard in 10 seconds. No window to leak.

Key Ring settings screen with vault, scanner, and sound effect controls
Authenticate
Touch ID to copy key Auto-clears clipboard in 10 seconds
Privacy

Your keys
never leave.

No cloud sync. No remote storage. No analytics. Key Ring runs entirely on your machine. Secrets and 2FA seeds stay in macOS Keychain with hardware-backed encryption.

Key Ring local-only key detail screen using sanitized demo paths
Network
Network requests
0
Everything stays on your Mac.
Menu bar

Always one
click away.

Key Ring lives in your menu bar. Click the icon, search, copy, and grab 2FA or recovery codes without leaving the app you're working in.

Key Ring menu bar popover with sanitized demo keys and verification codes
Key Ring
Menu bar
Quick search...
Recent
Anthropic
sk-ant-****mN4k
OpenAI
sk-proj-****7xQ2
Stripe
sk_live_****dW9p

Works with everything you use.

Auto-detects keys from 18 supported providers.

Questions

Key Ring scans your local filesystem for API keys and secrets using ripgrep-powered pattern detection. It identifies keys from 18 supported providers, stores them in a Touch ID-protected vault, manages local 2FA codes, and gives you instant access from the menu bar.
No. Key Ring is entirely local. There is no cloud component, no sync, no analytics, and no telemetry that includes raw secrets. API keys and 2FA seeds stay on your machine.
Key Ring uses ripgrep to search your filesystem for known API key patterns across .env files, config files, and source code. It recognizes provider-specific formats for OpenAI, Anthropic, AWS, Stripe, GitHub, and more.
Yes. Key Ring is free to use. No subscription, no recurring fees, no hidden costs.
Yes. Key Ring scans .env files natively and supports drag-and-drop import. When you rotate a key, it can offer to update matching local .env references with a redacted review and timestamped backup before writing.
Yes. Key Ring recognizes dotenvx public metadata, can import encrypted .env values locally when .env.keys is available, and can re-encrypt rotated values through the installed dotenvx CLI. Decrypted values and .env.keys contents are not printed or sent anywhere.
Yes. Key Ring includes direct links to key generation pages for supported providers. Pick a provider and you'll be taken straight to their API key creation page.
Yes. Key Ring supports otpauth setup URLs, Base32 secrets, pasted text, QR screenshots, uploaded QR images, screen-area QR capture, Google Authenticator migration QR codes, and recovery-code lists for local 2FA accounts.
Key Ring

Try Key Ring

Free. Local-only. macOS 14+.

Download for macOS
KeyRing