AI-invisible secret storage
The vault AI tools can't read.
Lockbox stores your API keys in a binary format that blocks cat, grep, and every AI coding tool on the market. Import your .env files. Inject secrets at runtime. Delete the originals.
Your AI can't leak what it can't see.
Cursor, Claude, Windsurf -- they all read your API keys from plaintext config files. Lockbox hides them in a format no AI tool can open. One install. Your keys disappear from every context window.
Secure your MCP tool chain.
MCP server configs store API keys in plaintext JSON that every agent can read. Lockbox wraps your configs so keys are injected at runtime and never appear in the agent's context window.
Your .env files are wide open
Your AI already knows your keys
MCP configs are a plaintext attack surface
Three commands. Zero exposure.
Before and after Lockbox.
Before Lockbox
.env: STRIPE_SECRET_KEY=sk_live_51Abc...xYz
I'll add it to your checkout page...
After Lockbox
Your keys are protected. The AI never sees them.
You'll need to provide the key through your environment setup.
Before: agent reads plaintext config
{
  "OPENAI_API_KEY": "sk-proj-abc123...xyz789",
  "STRIPE_SECRET_KEY": "sk_live_51TmN...QwE"
}
After: vault references, runtime injection
{
  "OPENAI_API_KEY": "lockbox://vault/openai",
  "STRIPE_SECRET_KEY": "lockbox://vault/stripe"
}
Replace .env files. Permanently.
Keep building. Stay safe.
Credential isolation for AI tool chains.
Protects secrets everywhere
Lockbox wraps MCP configs and blocks secret access across every major AI coding tool.
Your favorite AI tools, protected
Lockbox works with every AI coding tool you already use. No configuration needed beyond the import.
Every major MCP host, wrapped
Native config wrapping for all MCP-compatible hosts. Service classification covers 30+ API providers.
What others don't do
Why Lockbox is different
Agent-aware secrets: the gap
| Capability | Lockbox | Doppler | 1Password | Vault |
|---|---|---|---|---|
| Binary vault (blocks cat/grep/AI) | Yes | No | No | No |
| Process injection (not env vars) | Yes | No | Partial | No |
| MCP config wrapping | Yes | No | No | No |
| AI agent leakage prevention | Yes | No | No | No |
| Time-limited grants | Yes | No | No | Dynamic |
| Client intake forms | Yes | No | No | No |
| No server required | Yes | SaaS | SaaS | Server |
Honest answers. No hedging.
How is this different from a .env file?
A .env file is plaintext. Any tool that can read files can read your secrets.
Lockbox stores secrets in an encrypted binary format with a NUL byte at offset 0 that stops every text-based tool before it sees a single character.
AI agents, grep, cat, less, VS Code preview -- none of them can read it.
How do my apps access the secrets?
`devsafe lockbox run -- npm start` injects secrets as environment variables directly into your process.
They never touch disk, never appear in shell history, and are automatically redacted from stdout if they leak in error messages.
What happens to my .env files after import?
Delete them. Once your secrets are in the lockbox, the .env files are redundant.
Lockbox also adds them to .gitignore, .claudeignore, .cursorignore, and .copilotignore automatically.
Can I share a single secret with someone?
Yes. `lockbox grant` creates a time-limited, single-use token for one secret.
The recipient runs `lockbox use-grant <id>` to receive it. Once consumed or expired, the grant is permanently destroyed. No shared accounts needed.
Does it work with MCP servers?
`lockbox wrap-mcp` rewrites your Claude Code, Cursor, Windsurf, and Continue configs to pull API keys from the vault instead of plaintext JSON.
Your MCP servers still work, but the keys are never exposed to the AI agent.
Is there a free tier?
Yes. 25 secrets across 3 projects, no credit card required.
Pro ($19/month) removes all limits.
Do I need to know how to code?
You need to be comfortable pasting one command in your terminal. That's it.
`devsafe lockbox import .env` does the rest. If you can run `npm start`, you can use Lockbox.
Will my app still work?
Yes. Instead of `npm start`, you run `devsafe lockbox run -- npm start`.
Your app gets all the same keys. The only difference is your AI tools can't see them anymore.
What if I lose my keys?
Lockbox stores them encrypted on your machine. As long as you have your machine, you have your keys.
You can also export a backup any time with `lockbox export`.
How do I know it's working?
Run `devsafe lockbox proof`. It checks all 7 protection layers and tells you exactly what's protected.
Green checkmarks across the board means your AI tools can't read your keys.
Is it free?
Yes. 25 secrets across 3 projects, no credit card needed.
That's enough for most side projects. Pro ($19/month) removes all limits when you're ready.
What happens if I need to share a key with someone?
Create a secure link that expires. They open it, get the key, and the link self-destructs.
No more pasting keys in Slack or Discord DMs.
How does the binary format block agent access?
The vault file starts with a NUL byte (0x00 at offset 0). Every text-based tool -- cat, grep, less, VS Code preview, and all LLM file-read tools -- stops reading at a NUL byte.
The remaining content is AES-256-GCM encrypted. Even if an agent bypasses the NUL byte, the content is ciphertext.
What about agents that use raw binary file reads?
Layer 1 (NUL byte) blocks text tools. Layers 2-6 are independent: AES-256-GCM encryption, .gitignore, .claudeignore, .cursorignore, .copilotignore. Layer 7 is process injection -- secrets never exist as files.
An agent would need to bypass all 7 layers simultaneously. Each is independently sufficient.
Does wrap-mcp break existing MCP server configs?
No. The config file still looks like valid JSON. The key values change from plaintext to lockbox://vault/service-name references.
When the MCP host starts, Lockbox intercepts the config load and injects the real values at runtime. The host sees the same keys it always did.
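A check you can run after wrapping, as an added example (not Lockbox's own code): it walks an MCP config and reports which credential-looking values are vault references in the lockbox://vault/<name> form shown on this page and which are still plaintext. The mcpServers/env layout, the name and prefix heuristics, and the sample config are assumptions of this example.

```python
import json
import re

# Reference form copied from the page's example values (lockbox://vault/openai).
VAULT_REF = re.compile(r"^lockbox://vault/[A-Za-z0-9._-]+$")
# Assumed heuristics: key names that usually hold credentials, and the
# key prefixes that appear in the page's sample values.
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
SECRET_VALUE = re.compile(r"^(sk-|sk_live_)")

# Constructed sample config; the mcpServers/env layout is an assumption.
SAMPLE = """{
  "mcpServers": {
    "payments": {
      "command": "node", "args": ["server.js"],
      "env": {
        "STRIPE_SECRET_KEY": "lockbox://vault/stripe",
        "OPENAI_API_KEY": "sk-proj-CONSTRUCTED-EXAMPLE",
        "LOG_LEVEL": "debug"
      }
    },
    "search": {
      "command": "npx", "args": ["search-mcp", "sk-CONSTRUCTED-ARG"],
      "env": {"SEARCH_TOKEN": "lockbox://vault/"}
    }
  }
}"""

def audit(config_text):
    """Return (json_path, status) per credential-looking string; values are never echoed."""
    findings = []

    def walk(node, path, name=""):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}", key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]", name)
        elif isinstance(node, str) and (SECRET_NAME.search(name) or SECRET_VALUE.match(node)):
            if VAULT_REF.match(node):
                status = "vault-ref"
            elif node.startswith("lockbox://"):
                status = "malformed-ref"   # reference with no service name
            else:
                status = "plaintext"       # still readable by anything that opens the file
            findings.append((path, status))

    walk(json.loads(config_text), "$")
    return findings

if __name__ == "__main__":
    for path, status in audit(SAMPLE):
        print(f"{status:14} {path}")
```

Any `plaintext` or `malformed-ref` row means the config still needs attention; the report lists paths only, so it is safe to paste into a ticket or CI log.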
How does this compare to Vault or Doppler?
Vault and Doppler are secret managers. They protect secrets from unauthorized humans. Neither addresses AI agent access.
Lockbox is purpose-built for the AI context window threat model. Binary format, ignore-file coverage, and MCP config wrapping are agent-specific defenses that don't exist in traditional secret managers.
Does it work in multi-agent architectures?
Yes. Since secrets never enter any agent's context window, they can't propagate through agent-to-agent communication.
The process that needs the credential gets it via environment injection. The agents orchestrating that process never see the value.
Is there a free tier?
Yes. 25 secrets across 3 projects. No credit card required.
Pro ($19/month) removes all limits. Enterprise pricing available for fleet deployment.
Stop storing secrets in plaintext
One install. Import your .env. Run your app with injected secrets. Delete the originals. Your AI tools never see a single key.
Hide your keys from your AI
One install. Your API keys disappear from every AI tool. Your app still works. No leaks, no surprise bills, no stress.
Ship agents without leaking credentials
Wrap your MCP configs. Inject secrets at runtime. Keep credentials out of every context window in your agent graph.