AI-invisible secret storage

The vault AI tools can't read.

Lockbox stores your API keys in a binary format that blocks cat, grep, and every AI coding tool on the market. Import your .env files. Inject secrets at runtime. Delete the originals.

Your AI can't leak what it can't see.

Cursor, Claude, Windsurf -- they all read your API keys from plaintext config files. Lockbox hides them in a format no AI tool can open. One install. Your keys disappear from every context window.

Secure your MCP tool chain.

MCP server configs store API keys in plaintext JSON that every agent can read. Lockbox wraps your configs so keys are injected at runtime and never appear in the agent's context window.

7 protection layers
AES-256 encryption at rest
0 secrets in plaintext
19 CLI commands
1 command to set up
0 keys your AI can see
30+ services recognized
Free to start
4 AI tools protected
0 keys in context window
MCP config wrapping
7 verification layers

The problem

Your .env files are wide open

Path 1: Direct Read
AI reads your .env
Claude Code, Cursor, Windsurf, and Copilot can all read .env files with a single tool call. Your secrets land in the AI's context window.
Path 2: Runtime Leak
Error messages expose values
A crash log prints your DATABASE_URL. The AI agent reads the crash log. Your connection string is now in the conversation.
Path 3: Search Index
grep finds secrets
AI tools search your codebase with grep and ripgrep. Plaintext .env files are fully indexed. One search away from exposure.
Path 4: MCP Config
API keys in JSON configs
MCP server configs store API keys in plaintext JSON. Claude, Cursor, and Windsurf can all read their own config files.

Your AI already knows your keys

How it happens
You paste a key into your project
You saved your Stripe key in a .env file. Cursor or Claude reads your whole project folder. Now the AI has your payment key in its memory.
What goes wrong
The AI puts your key in code
The AI sees your API key and helpfully includes it in a code suggestion. You push to GitHub. Your key is now public. Bots find it in minutes.
The real cost
Surprise bills and locked accounts
Leaked Stripe keys get used for fraud. Leaked OpenAI keys run up thousands in charges. Leaked AWS keys spin up crypto miners. It happens fast.
Why it's hard
You can't just "be careful"
AI tools read files automatically. You don't get a warning. There's no pop-up asking "should I read your API keys?" It just happens in the background.

MCP configs are a plaintext attack surface

Vector 1: Config Exfiltration
Agent reads its own config
MCP server configs store API keys in plaintext JSON at known paths. Any agent with file-read can access claude_desktop_config.json and extract every key.
Vector 2: Tool Poisoning
Malicious MCP server reads secrets
A compromised or malicious MCP server can use file-read tools to access .env files and config files in the workspace. No permission boundary stops it.
Vector 3: Context Bleed
Secrets persist in conversation
Once a secret enters the context window, it stays for the entire session. Every subsequent tool call, every response, every log entry can contain the leaked value.
Vector 4: Multi-Agent Relay
Agents pass secrets to other agents
In multi-agent architectures, one agent's context can be forwarded to another. A secret leaked to one agent propagates across the entire agent graph.
See it work

Three commands. Zero exposure.

Terminal
# Import your .env into an encrypted binary vault
$ devsafe lockbox import .env
  + Stripe (3/4 fields)
  + Supabase (5/5 fields)
  + OpenAI (1/1 fields)
  + Imported 3 services into lockbox
 
# Run your app with secrets injected (never on disk)
$ devsafe lockbox run -- npm start
  + 9 secrets injected into process environment
  + Output filtering active (secrets redacted)
 
# Prove the lockbox is invisible to AI
$ devsafe lockbox proof
   Binary format (NUL at offset 0)
   AES-256-GCM encrypted
   .gitignore blocks lockbox
   .claudeignore blocks lockbox
   .cursorignore blocks lockbox
   .copilotignore blocks lockbox
   Process injection (no disk writes)
 
  7/7 protections active. AI cannot read this vault.
See the difference

Before and after Lockbox.

Before Lockbox (Cursor)

You: Help me connect Stripe to my app.

AI: Sure! I found your Stripe key in .env:

STRIPE_SECRET_KEY=sk_live_51Abc...xYz

I'll add it to your checkout page...

After Lockbox (Cursor)

You: Help me connect Stripe to my app.

AI: I can see you have a Stripe integration, but I can't read any API keys in your project. They appear to be stored in an encrypted format I can't access.

You'll need to provide the key through your environment setup.

Your keys are protected. The AI never sees them.

Agent trace

Before and after Lockbox.

Before: agent reads plaintext config

MCP Tool Call Trace
CREDENTIALS EXPOSED
file_read claude_desktop_config.json
"env": {
  "OPENAI_API_KEY": "sk-proj-abc123...xyz789",
  "STRIPE_SECRET_KEY": "sk_live_51TmN...QwE"
}
file_read .env
SUPABASE_SERVICE_KEY=eyJhbGciOiJIUzI1NiI...
3 credentials now in context window. Persists for entire session. Forwarded to sub-agents.

After: vault references, runtime injection

MCP Tool Call Trace
CREDENTIALS ISOLATED
file_read claude_desktop_config.json
"env": {
  "OPENAI_API_KEY": "lockbox://vault/openai",
  "STRIPE_SECRET_KEY": "lockbox://vault/stripe"
}
file_read .devsafe/lockbox.vault
Error: binary file, cannot read (NUL at offset 0)
0 credentials in context window. Secrets injected at process level only. Agent graph is clean.
Everything you need

Replace .env files. Permanently.

Import from .env
Auto-detects Stripe, Supabase, OpenAI, and 30+ services. Classifies by exact match, fuzzy match, and pattern inference. One command imports everything.
lockbox import .env
Runtime injection
Secrets are injected directly into your process environment. Never written to disk. Never in shell history. Output filtering redacts leaked values in real time.
lockbox run -- npm start
MCP config wrapping
Replace plaintext API keys in Claude Code, Cursor, Windsurf, and Continue configs with vault-backed references. One command rewrites all four.
lockbox wrap-mcp --all
Time-limited grants
Share a single secret with an expiration. 5 minutes to 24 hours. Once consumed, permanently destroyed. No account needed on the other end.
lockbox grant STRIPE_SECRET_KEY --ttl 1h
Client intake
Collect credentials from clients via secure, time-limited intake links. They fill a form. Secrets land in your lockbox. No shared accounts. No Slack DMs.
lockbox intake --fields "STRIPE_KEY,AWS_SECRET"
Project namespaces
Tag secrets by client or project. Filter list, run, and export by namespace. Offboard a client in one command with a deletion report.
lockbox revoke --client acme --project acme
What it does for you

Keep building. Stay safe.

Import your keys
Point it at your .env file. Lockbox recognizes Stripe, Supabase, OpenAI, and 30+ services automatically. One command, everything's protected.
lockbox import .env
Your app still works
Run your app the same way you always do. Lockbox feeds your keys to the app behind the scenes. Nothing changes except your keys are invisible now.
lockbox run -- npm start
Protects your AI tools
Cursor, Claude Code, Windsurf, and Continue all store API keys in plain config files. Lockbox rewrites those configs so your AI tools work without seeing your keys.
lockbox wrap-mcp --all
Share one key safely
Need to send an API key to someone? Create a link that expires. They open it once, the key disappears. No screenshots, no Slack messages with keys in them.
lockbox grant STRIPE_KEY --ttl 1h
Collect keys from clients
Send your client a secure link. They paste their keys into a form. The keys go straight into your vault. No more "can you DM me the API key?"
lockbox intake --fields "STRIPE_KEY"
Organize by project
Keep each client's keys separate. When a project ends, delete all their keys with one command. Clean separation, no leftover credentials.
lockbox revoke --project acme
Built for agent architectures

Credential isolation for AI tool chains.

MCP config wrapping
Rewrites claude_desktop_config.json, .cursor/mcp.json, Windsurf, and Continue configs. Replaces plaintext keys with vault references. Servers still work.
lockbox wrap-mcp --all
Process-level injection
Secrets exist only in the target process environment. Not on disk, not in shell history, not in the agent's file-read scope. Redacted from stdout if leaked.
lockbox run -- node server.js
Service classification
Auto-classifies 30+ services by key pattern (Stripe sk_live, Supabase eyJ, OpenAI sk-). Groups by provider for audit and rotation tracking.
lockbox import .env
Scoped grants
Issue time-limited, single-use tokens for individual secrets. TTL from 5 minutes to 24 hours. Auto-destroyed on consumption or expiry. Audit trail included.
lockbox grant OPENAI_KEY --ttl 30m
7-layer verification
Binary format, AES-256-GCM encryption, .gitignore, .claudeignore, .cursorignore, .copilotignore, process injection. Each layer independently blocks agent access.
lockbox proof
Namespace isolation
Scope secrets by project, client, or environment. Run, list, and revoke by namespace. Full deletion reports for compliance and offboarding.
lockbox revoke --client acme
Works with your stack

Protects secrets everywhere

Lockbox wraps MCP configs and blocks secret access across every major AI coding tool.

Works with your tools

Your favorite AI tools, protected

Lockbox works with every AI coding tool you already use. No configuration needed beyond the import.

Platform coverage

Every major MCP host, wrapped

Native config wrapping for all MCP-compatible hosts. Service classification covers 30+ API providers.

Claude Code
Cursor
Windsurf
Continue
GitHub Copilot
Stripe
Supabase
OpenAI
The competition

What others don't do

The difference

Why Lockbox is different

Competitive gap

Agent-aware secrets: the gap

| Capability | Lockbox | Doppler | 1Password | Vault |
| --- | --- | --- | --- | --- |
| Binary vault (blocks cat/grep/AI) | Yes | No | No | No |
| Process injection (not env vars) | Yes | No | Partial | No |
| MCP config wrapping | Yes | No | No | No |
| AI agent leakage prevention | Yes | No | No | No |
| Time-limited grants | Yes | No | No | Dynamic |
| Client intake forms | Yes | No | No | No |
| No server required | Yes | SaaS | SaaS | Server |

Questions

Honest answers. No hedging.

How is this different from a .env file?

A .env file is plaintext. Any tool that can read files can read your secrets.

Lockbox stores secrets in an encrypted binary format with a NUL byte at offset 0 that stops every text-based tool before it sees a single character.

AI agents, grep, cat, less, VS Code preview -- none of them can read it.

How do my apps access the secrets?

devsafe lockbox run -- npm start injects secrets as environment variables directly into your process.

They never touch disk, never appear in shell history, and are automatically redacted from stdout if they leak in error messages.
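
The injection and output filtering described above can be sketched as follows. This is an added example, not Lockbox's own code: it passes secrets only through the child's environment and masks any secret value that shows up on stdout or stderr. The secret, the simulated crashing app and the function name run_with_secrets are constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed sample secret, and a child process that leaks it in a crash message
# (the page's "Path 2: Runtime Leak").
SECRETS = {"DATABASE_URL": "postgres://app:constructed-pw@db.example.internal:5432/app"}
CHILD = [sys.executable, "-c",
         "import os, sys\n"
         "print('starting app', flush=True)\n"
         "sys.stderr.write('connect failed: ' + os.environ['DATABASE_URL'] + '\\n')\n"
         "sys.exit(1)\n"]


def run_with_secrets(argv, secrets, mask="[REDACTED]"):
    """Run argv with secrets in its environment only; return (exit code, redacted lines)."""
    # The merged mapping is handed to the child; the parent's os.environ is not modified
    # and nothing is written to disk.
    env = {**os.environ, **secrets}
    # Longest values first, so a secret that contains a shorter one is masked whole.
    needles = sorted((v for v in secrets.values() if v), key=len, reverse=True)
    lines = []
    with subprocess.Popen(argv, env=env, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True) as proc:
        for line in proc.stdout:  # filter as the output streams, line by line
            for needle in needles:
                line = line.replace(needle, mask)
            lines.append(line.rstrip("\n"))
    return proc.returncode, lines


if __name__ == "__main__":
    code, output = run_with_secrets(CHILD, SECRETS)
    print(code, output)
```

Exact-match filtering of this kind does not catch a value that the child prints in encoded form (base64, URL-encoded) or splits across lines.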

What happens to my .env files after import?

Delete them. Once your secrets are in the lockbox, the .env files are redundant.

Lockbox also adds them to .gitignore, .claudeignore, .cursorignore, and .copilotignore automatically.

Can I share a single secret with someone?

Yes. lockbox grant creates a time-limited, single-use token for one secret.

The recipient runs lockbox use-grant <id> to receive it. Once consumed or expired, the grant is permanently destroyed. No shared accounts needed.

Does it work with MCP servers?

lockbox wrap-mcp rewrites your Claude Code, Cursor, Windsurf, and Continue configs to pull API keys from the vault instead of plaintext JSON.

Your MCP servers still work, but the keys are never exposed to the AI agent.

Is there a free tier?

Yes. 25 secrets across 3 projects, no credit card required.

Pro ($19/month) removes all limits.

Do I need to know how to code?

You need to be comfortable pasting one command in your terminal. That's it.

devsafe lockbox import .env does the rest. If you can run npm start, you can use Lockbox.

Will my app still work?

Yes. Instead of npm start, you run devsafe lockbox run -- npm start.

Your app gets all the same keys. The only difference is your AI tools can't see them anymore.

What if I lose my keys?

Lockbox stores them encrypted on your machine. As long as you have your machine, you have your keys.

You can also export a backup any time with lockbox export.

How do I know it's working?

Run devsafe lockbox proof. It checks all 7 protection layers and tells you exactly what's protected.

Green checkmarks across the board means your AI tools can't read your keys.

Is it free?

Yes. 25 secrets across 3 projects, no credit card needed.

That's enough for most side projects. Pro ($19/month) removes all limits when you're ready.

What happens if I need to share a key with someone?

Create a secure link that expires. They open it, get the key, and the link self-destructs.

No more pasting keys in Slack or Discord DMs.

How does the binary format block agent access?

The vault file starts with a NUL byte (0x00 at offset 0). Every text-based tool -- cat, grep, less, VS Code preview, and all LLM file-read tools -- stops reading at a NUL byte.

The remaining content is AES-256-GCM encrypted. Even if an agent bypasses the NUL byte, the content is ciphertext.

What about agents that use raw binary file reads?

Layer 1 (NUL byte) blocks text tools. Layers 2-6 are independent: AES-256-GCM encryption, .gitignore, .claudeignore, .cursorignore, .copilotignore. Layer 7 is process injection -- secrets never exist as files.

An agent would need to bypass all 7 layers simultaneously. Each is independently sufficient.
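
The file-level layers listed above can be checked independently of the tool. The following is an added example, not Lockbox's own code: it confirms the NUL byte at offset 0, estimates whether the remaining bytes look like ciphertext, and checks each ignore file for an entry covering the vault. The entropy threshold, the simplified ignore matching and the constructed demo project are assumptions of the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

VAULT = ".devsafe/lockbox.vault"  # path shown in the page's agent trace
IGNORE_FILES = [".gitignore", ".claudeignore", ".cursorignore", ".copilotignore"]

def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8, text and JSON well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ignore_covers(text, rel_path):
    """Simplified matcher (assumption): literal file or top-directory entries,
    no globs and no '!' negation."""
    top = rel_path.split("/")[0]
    wanted = {rel_path, top, top + "/"}
    entries = (line.strip().lstrip("/") for line in text.splitlines())
    return any(e in wanted for e in entries if e and not e.startswith("#"))

def check_layers(project):
    """Return {check: bool} for the file-level layers the page lists."""
    root = Path(project)
    blob = (root / VAULT).read_bytes()
    results = {
        "nul_at_offset_0": blob[:1] == b"\x00",
        # Heuristic only, and only meaningful for bodies of a few hundred bytes up.
        "body_high_entropy": shannon_entropy(blob[1:]) > 7.0,
    }
    for name in IGNORE_FILES:
        path = root / name
        results[name] = path.is_file() and ignore_covers(path.read_text(), VAULT)
    return results

def demo():
    """Constructed project: random bytes stand in for the encrypted body."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".devsafe").mkdir()
        (root / VAULT).write_bytes(b"\x00" + os.urandom(4096))
        for name in IGNORE_FILES[:3]:  # .copilotignore deliberately left out
            (root / name).write_text("node_modules/\n.devsafe/\n")
        return check_layers(root)

if __name__ == "__main__":
    print(demo())
```

High entropy is consistent with encryption but does not prove AES-256-GCM; it only rules out a body that is still readable text.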

Does wrap-mcp break existing MCP server configs?

No. The config file still looks like valid JSON. The key values change from plaintext to lockbox://vault/service-name references.

When the MCP host starts, Lockbox intercepts the config load and injects the real values at runtime. The host sees the same keys it always did.
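
To confirm that a config really holds only vault references after wrapping, an audit can walk every env entry and classify its value. This is an added example, not Lockbox's own code: it uses the lockbox://vault/ reference form and the key prefixes named on this page (Stripe sk_live, Supabase eyJ, OpenAI sk-). The exact regexes, the mcpServers layout of the sample and the sample values are constructed assumptions.

```python
import json
import re

# Prefixes come from the page's service classification; the regexes are assumptions.
PATTERNS = {
    "Stripe": re.compile(r"^sk_live_[A-Za-z0-9]+"),
    "OpenAI": re.compile(r"^sk-[A-Za-z0-9_-]+"),
    "Supabase/JWT": re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
VAULT_REF = re.compile(r"^lockbox://vault/[A-Za-z0-9_-]+$")

# Constructed sample config: one wrapped key, two still in plaintext.
SAMPLE = """{
  "mcpServers": {
    "payments": {"command": "node", "args": ["stripe-mcp.js"],
                 "env": {"STRIPE_SECRET_KEY": "sk_live_CONSTRUCTEDexample0001"}},
    "llm": {"command": "node", "args": ["openai-mcp.js"],
            "env": {"OPENAI_API_KEY": "lockbox://vault/openai", "LOG_LEVEL": "debug"}},
    "db": {"command": "node", "args": ["supabase-mcp.js"],
           "env": {"SUPABASE_SERVICE_KEY": "eyJjb25zdHJ1Y3RlZA.eyJleGFtcGxl.sig"}}
  }
}"""


def audit_mcp_config(text):
    """Return (server, variable, verdict) per env entry; values are never echoed."""
    findings = []
    for server, spec in json.loads(text).get("mcpServers", {}).items():
        for name, value in spec.get("env", {}).items():
            value = str(value)
            if VAULT_REF.match(value):
                verdict = "vault-ref"
            else:
                provider = next((p for p, rx in PATTERNS.items() if rx.match(value)), None)
                verdict = f"plaintext:{provider}" if provider else "unclassified"
            findings.append((server, name, verdict))
    return findings


def plaintext_findings(text):
    """Only the entries that still carry a recognisable key in plaintext."""
    return [f for f in audit_mcp_config(text) if f[2].startswith("plaintext:")]


if __name__ == "__main__":
    for server, name, verdict in audit_mcp_config(SAMPLE):
        print(f"{server:10} {name:22} {verdict}")
```

Entries reported as unclassified still deserve a manual look, since a key from a provider outside these three patterns lands there.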

How does this compare to Vault or Doppler?

Vault and Doppler are secret managers. They protect secrets from unauthorized humans. Neither addresses AI agent access.

Lockbox is purpose-built for the AI context window threat model. Binary format, ignore-file coverage, and MCP config wrapping are agent-specific defenses that don't exist in traditional secret managers.

Does it work in multi-agent architectures?

Yes. Since secrets never enter any agent's context window, they can't propagate through agent-to-agent communication.

The process that needs the credential gets it via environment injection. The agents orchestrating that process never see the value.

Is there a free tier?

Yes. 25 secrets across 3 projects. No credit card required.

Pro ($19/month) removes all limits. Enterprise pricing available for fleet deployment.

Stop storing secrets in plaintext

One install. Import your .env. Run your app with injected secrets. Delete the originals. Your AI tools never see a single key.

Hide your keys from your AI

One install. Your API keys disappear from every AI tool. Your app still works. No leaks, no surprise bills, no stress.

Ship agents without leaking credentials

Wrap your MCP configs. Inject secrets at runtime. Keep credentials out of every context window in your agent graph.