Open source · Browser + Terminal · Free forever for personal use

Your API keys are credentials. Stop treating them like environment variables.

Moltypass is the password manager AI keys never had. One vault for the browser, the terminal, and every tool in between. Capture keys straight from the provider's console without ever copying. Unlock with Touch ID. Rotate or revoke in one click. See every call that ever used one.

No account required. No telemetry. Keys stay on your machine.

// Before — three places to leak from
const client = new Anthropic({
  apiKey: process.env.ANTHROPIC_API_KEY  // …also in .env, .env.local, ~/.continue/.env
});

// After — browser
const client = new Anthropic({
  fetch: window.moltypass.fetchFor('anthropic')  // key stays in the vault
});

// After — terminal
$ moltypass exec npm run dev  # Touch ID; key injected per-process; nothing on disk

Why this exists

Even your AI agent's best advice is .env.

A real transcript from a real coding agent catching a real pasted credential. The agent does its job perfectly — and then recommends the status quo.

AI coding agent · 0.3s ago

⚠️ That looks like a live credential. I'm not going to use, store, or echo it.

  1. Treat it as compromised and rotate it now.
  2. For the live spot-check, the right pattern is to put the key in ~/.hermes/.env as NEBIUS_API_KEY=… — I read it from the environment at runtime and it never has to appear in the conversation:
    $ hermes config set NEBIUS_API_KEY <your-key>
  3. If this was a paste accident, just rotate it and resend.

This is the most secure thing the ecosystem could think to recommend.

Six dotfiles later, the key is still plaintext on disk. There's no audit trail. There's no central revoke. The next AI agent you install will need its own copy. The credit-card surprise is still coming.

Moltypass replaces this entire ritual.

Two surfaces, one vault

The browser. The terminal. Everywhere you use AI.

One encrypted vault on your machine. The Chrome extension handles every AI tool that runs in the browser. The macOS / Linux / Windows CLI handles every coding agent, script, and CLI that runs in the terminal. They share the vault, the audit log, the consent model, and rotations.

Browser

Chrome extension · Free

  • Capture without copying. Save a new key directly from console.anthropic.com, platform.openai.com, or aistudio.google.com — the banner reads it from the modal, never the clipboard.
  • Proxy without leaking. Sites call window.moltypass.fetchFor('anthropic'); the request goes out from the extension. The key never enters the page.
  • Consent per origin. First call shows the site and asks. Approve once, for a session, or until you revoke.

Terminal

macOS · Linux · Windows · Free

  • Run any tool, no .env. moltypass exec npm run dev injects the right keys for the duration of the process. Nothing on disk.
  • Tool-aware. Knows hermes wants NEBIUS_API_KEY, continue wants ANTHROPIC_API_KEY, and the rest. You don't memorize env-var names anymore.
  • Last-resort dotfile management. If a tool refuses the parent-process approach, moltypass env --tool hermes writes a managed .env, tracks it, and rewrites it on rotation.

One revoke kills both surfaces. One rotate updates every browser grant and every managed .env file in lockstep.

macOS

Unlock with Touch ID. Once.

Type your master password the day you install Moltypass. After that, the vault unlocks with your fingerprint — the same gesture you already use to approve App Store purchases and Safari logins.

  • Cached in the macOS Keychain with kSecAccessControlBiometryCurrentSet. Sleep, lock, or steal the laptop and the cached key is gone — even to root.
  • Works across surfaces. One Touch ID unlock applies to the browser extension, every moltypass exec, and the menu-bar app.
  • Configurable idle window. Default 5 minutes; lengthen if you trust your perimeter, shorten if you don't.
  • Linux: falls back to polkit/pam. Windows: Windows Hello.

How it works

Four steps. The key stays put.

Store

One master password (or Touch ID) unlocks an encrypted local vault. Keys are AES-GCM encrypted at rest with an Argon2id-derived key. Nothing leaves your machine.

Capture

On the provider's key-creation page, a banner offers to save the new key directly to the vault. No copy. No paste. No clipboard managers sniffing in between.

Consent

When a site or CLI tool wants to use a key, Moltypass shows the caller and asks. Approve once, for a session, or until you revoke. Per origin, per tool, per service.

Audit

The dashboard shows every site and every tool that has used each key — when, how often, how fast. Revoke any grant in one click. Anomalies get flagged.

The status quo, line by line

API keys are credentials. They've been treated like passwords from 2003.

Without Moltypass

  • Key sits in plaintext in .env files, dotfiles, shell history, and chat transcripts.
  • Copy-paste through the clipboard — read by clipboard managers and any extension with permission.
  • Every CLI tool wants its own dotfile with its own env-var naming convention.
  • No record of which site or tool received the key, or when.
  • Rotation means manually finding and replacing the key across six locations. You don't do it.
  • If a site is breached, you find out from a charge on your card.

With Moltypass

  • Keys encrypted at rest with Argon2id + AES-GCM. Decrypted briefly in memory only when used.
  • Capture flows read straight from the provider's DOM. The clipboard is never touched.
  • One vault. The browser, every CLI, and every coding agent all use the same encrypted source.
  • Every grant, every call logged: site, time, status, latency. Searchable and exportable.
  • One moltypass rotate updates every browser grant and every managed .env in lockstep.
  • Volume anomalies trigger an alert before the bill arrives.

Providers

Anthropic, OpenAI, Gemini out of the box.

Built-in support for each provider's key shapes, auth header, and key-creation page detector. More providers ship as the community adds them — a provider definition is a few lines of config.

Anthropic Claude · OpenAI · Google Gemini
Mistral · Cohere · Together · Groq · Nebius · Replicate · ElevenLabs · Fireworks · Perplexity — coming

Tool-aware CLI

Knows which env var your AI CLI wants. So you don't.

moltypass exec <command> looks at the command, picks the right provider keys, injects them only into that process, and revokes them when the process exits. A built-in library covers the agents most people use; adding yours is a pull request.

  • claude code: ANTHROPIC_API_KEY
  • cursor: (auto-detected)
  • continue: ANTHROPIC_API_KEY · OPENAI_API_KEY
  • aider: ANTHROPIC_API_KEY · OPENAI_API_KEY
  • hermes: NEBIUS_API_KEY · OPENAI_API_KEY
  • goose: OPENAI_API_KEY · ANTHROPIC_API_KEY
  • llm: (plugin-defined)
  • mods: OPENAI_API_KEY · ANTHROPIC_API_KEY
  • aichat: CLIENT_API_KEY (per provider)
  • open-interpreter: OPENAI_API_KEY · ANTHROPIC_API_KEY
  • sgpt: OPENAI_API_KEY
  • your custom CLI: PR welcome

The dashboard

Every call. Every site. Every tool. Searchable.

The single place to answer "where is my key being used right now?" — across every browser tab, every CLI session, every coding agent. Sort, filter, group, and revoke anything with one click. Export to JSON or CSV.

For IT & security teams

Centralized audit. Zero exposure.

Deploy Moltypass to your org via Chrome MDM and Homebrew. Devices report structured event metadata to a collector you control — never plaintext keys, never request bodies. Push policy, set rotation cadence, gate reveal mode, and audit who shared what with whom.

  • Magic-link SSO for the admin dashboard (SAML coming)
  • Self-host on your VPC or use our managed collector
  • Configurable retention from 30 days to forever
  • Export to Splunk, Datadog, or any HTTP sink
  • Per-org rotation policy enforced across browser + CLI surfaces

Open source · STRIDE-reviewed · No telemetry

Read the crypto. Read the audit. Read the receipts.

Moltypass is MIT-licensed end-to-end — extension, CLI, native helper, collector. The trust model lives in SECURITY.md with a STRIDE table per surface. Personal Moltypass sends nothing to us — no analytics, no crash reports, no "optional" pings.

Argon2id KDF

Memory-hard. Versioned in the vault header so migration is clean.

AES-GCM at rest

Per-entry random IV. Authenticated — tamper is detected, not assumed away.

Revocation epoch

Read before and after every upstream fetch. Mid-flight revokes are honored.
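
The per-origin consent model (the Browser bullets and the Consent step above) together with the revocation epoch, as an added example rather than Moltypass's own code: a synchronous model of the extension-side proxy behind window.moltypass.fetchFor, where the page never holds the key, the proxy adds the provider's auth header from the vault, and the epoch is read before and after the upstream call so a revoke that lands mid-flight drops the response. The vault, upstream and ask arguments, the grant modes and the DEMO inputs are assumptions made for the example; the header names are the providers' documented ones.

```javascript
// Added example, not Moltypass's own code: consent per origin + revocation epoch.
const AUTH_HEADER = { anthropic: 'x-api-key', openai: 'authorization', gemini: 'x-goog-api-key' };

function createProxy({ vault, upstream, ask }) {
  const grants = new Map();   // `${origin}|${provider}` -> 'session' | 'until-revoked'
  const epoch = new Map();    // provider -> revocation epoch, bumped by revoke or rotate
  const audit = [];           // site, time, status, latency: never bodies, never keys
  const currentEpoch = (p) => epoch.get(p) || 0;
  function revoke(provider) {   // one revoke: bump the epoch and drop every grant for it
    epoch.set(provider, currentEpoch(provider) + 1);
    for (const id of [...grants.keys()]) if (id.endsWith(`|${provider}`)) grants.delete(id);
  }
  function lock() {             // locking the vault ends session grants only
    for (const [id, mode] of grants) if (mode === 'session') grants.delete(id);
  }
  function fetchFor(origin, provider, request) {
    const id = `${origin}|${provider}`;
    let mode = grants.get(id);
    if (!mode) {                // first call from this origin: show the site and ask
      mode = ask(origin, provider);   // 'deny' | 'once' | 'session' | 'until-revoked'
      if (mode === 'deny') {
        audit.push({ origin, provider, status: 'denied', time: Date.now() });
        return { status: 403, body: null };
      }
      if (mode !== 'once') grants.set(id, mode);   // 'once' is never remembered
    }
    const key = vault[provider];
    if (key === undefined) return { status: 403, body: null };
    const before = currentEpoch(provider);        // epoch read before the upstream call
    const value = AUTH_HEADER[provider] === 'authorization' ? `Bearer ${key}` : key;
    const headers = { ...request.headers, [AUTH_HEADER[provider]]: value };
    const started = Date.now();
    const resp = upstream(request.url, { ...request, headers });
    const latency = Date.now() - started;
    const revokedMidFlight = currentEpoch(provider) !== before;   // and read again after
    audit.push({ origin, provider, time: started, latency,
                 status: revokedMidFlight ? 'revoked-mid-flight' : resp.status });
    return revokedMidFlight ? { status: 403, body: null } : resp;   // response is dropped
  }
  return { fetchFor, revoke, lock, audit, grants };
}

// Constructed inputs: a placeholder key, a prompt that approves for the session,
// and a fake upstream that only records the headers it received.
const SEEN_HEADERS = [];
const DEMO = createProxy({
  vault: { anthropic: 'PLACEHOLDER-ANTHROPIC' },
  ask: () => 'session',
  upstream: (url, init) => { SEEN_HEADERS.push(init.headers); return { status: 200, body: 'ok' }; },
});
```
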

CI key-shape guard

The build refuses any commit with a key-shaped string outside the test fixtures.
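
One way to build the key-shape guard the card above describes, as an added example that is not the project's CI code: scan a commit's file contents for strings shaped like provider keys and fail unless every hit sits under the test fixtures. The regexes use the providers' publicly documented key prefixes and are an approximation of the real key shapes; the fixture path and SAMPLE_COMMIT are constructed.

```javascript
// Added example, not Moltypass's CI: a key-shape guard over commit contents.
// Patterns are approximations built on the providers' public key prefixes.
const KEY_SHAPES = [
  { provider: 'anthropic', re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { provider: 'openai', re: /\bsk-(?!ant-)[A-Za-z0-9_-]{20,}/g },
  { provider: 'gemini', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
];
const FIXTURE_DIR = /^test\/fixtures\//;   // assumed location of the allowed test keys

// Redact a hit for the report: CI logs are themselves a leak surface.
const redact = (s) => `${s.slice(0, 7)}...(${s.length} chars)`;

// Scan one file's text. Returns every hit with its line, provider and a redacted
// preview; hits inside fixtures are marked allowed rather than dropped, so the
// report still shows where key-shaped strings live.
function scanFile(path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { provider, re } of KEY_SHAPES) {
      for (const m of line.matchAll(re)) {
        findings.push({ path, line: i + 1, provider, preview: redact(m[0]),
                        allowed: FIXTURE_DIR.test(path) });
      }
    }
  });
  return findings;
}

// Guard over the whole commit: ok only when every hit sits in the fixtures.
function guard(files) {
  const findings = files.flatMap((f) => scanFile(f.path, f.content));
  return { ok: findings.every((f) => f.allowed), findings };
}

// Constructed sample commit: placeholder strings shaped like keys, not real keys.
const SAMPLE_COMMIT = [
  { path: 'src/client.js', content: "const k = 'sk-ant-PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxx';\n" },
  { path: 'test/fixtures/keys.json', content: '{"openai": "sk-PLACEHOLDERxxxxxxxxxxxxxxxxxxxx"}\n' },
  { path: 'README.md', content: 'Set ANTHROPIC_API_KEY in your environment.\n' },
];
```

Run it from a pre-commit hook or CI step over the staged files; because the report carries only a redacted preview, the guard itself never echoes the secret into the build log.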

Vulnerability disclosure: security@moltypass.app. PGP key on the security page.

Pricing

Free for individuals. Real value for teams.

Personal
$0/forever
  • Encrypted local vault
  • Chrome extension + macOS/Linux/Windows CLI
  • Touch ID / Windows Hello / polkit unlock
  • Anthropic, OpenAI, Gemini built-in
  • Sharing dashboard & one-click revoke
  • Local audit log (365 days)

Enterprise
Custom
  • Everything in Team
  • Self-host or BAA
  • SOC 2 evidence pack
  • SAML 2.0 + SCIM
  • Unlimited audit retention
  • Dedicated support