Launching today

Keyholdr
One hotkey to your API keys, guarded by Touch ID
6 followers
One hotkey to your API keys, guarded by Touch ID
6 followers
Keyholdr is a macOS app for developers juggling API keys and secrets. Press ⌃⌥⌘K anywhere and your vault appears - Touch ID required for every copy. Keys live in the macOS Keychain, the same store Safari and iCloud use. No accounts, no sync, no analytics, no network access. Unlike password managers, Keyholdr is single-purpose: organize by platform and tag, multi-select to copy. Ships with a CLI - keyholdr pick / run - to inject secrets as env vars without aenv file.


big fan of no-network single-purpose vaults, this looks solid. one thing i'd love is a quick way to set per-key expiration or a ttl, so old tokens stop working automatically instead of lingering in my vault forever. also rotation reminders would be clutch for the api keys i forget about until something breaks
@yeliz957285 Thanks, really glad the no-network angle resonates, that's the whole point of the thing.
Good news on one of these: rotation reminders already exist today. Any key whose secret hasn't changed in 6 months gets a quiet ⚠ 6MO · ROTATE? hint right in the list, both in the app and in keyholdr list from the terminal. No setup needed, it's automatic. Just don't expect to see it on day one; it only lights up once a key actually crosses that 6-month mark, so a freshly added key won't show anything yet.
TTL/expiration is a great callout though, and it's not there yet. Worth being upfront about the shape it'd take: since Keyholdr never talks to the network, it can't actually revoke a key with the provider when a TTL hits. Only the provider (OpenAI, AWS, etc.) can truly invalidate it server-side. What I could do is a local enforcement layer: set an expiry per key, and once it's passed, Keyholdr refuses to copy/reveal it (maybe greys it out and nudges you to rotate or delete) until you explicitly renew it. That gets you "stops working automatically" in the sense that matters day-to-day, since you can't accidentally keep using a token you meant to retire, even though the actual kill switch is always on the provider's end.
Appreciate you taking the time to write this up. Feel free to send more thoughts my way anytime at ashwini.sharma0807@gmail.com.
the cli integration is what got me - being able to inject secrets straight into a script without a .env file feels like the obvious way this should have always worked