ToolBelt

API Keys Vault

Encrypted store for service-scoped API keys.

Open tool

Overview

The API Keys Vault is an encrypted, service-scoped store for the credentials developers accumulate across cloud providers, payment processors, analytics platforms, and internal tools. Instead of leaving keys in plain-text notes, half-forgotten password managers, or sprawling environment files, you keep each key beside the service it belongs to, with a label, the environment it targets, and any rotation reminders that matter.

Everything is encrypted in the browser with a passphrase you choose, and only the ciphertext is persisted. That means even somebody with full access to the device cannot read your keys without the passphrase, and there is no server-side copy to leak. The vault is built for the realistic case where a single developer juggles dozens of keys across personal projects, side gigs, and freelance clients, and needs a quick reveal-and-copy workflow rather than a heavyweight enterprise secrets system.

How it works

On first use you set a passphrase. The vault derives an encryption key from it and encrypts every secret you add. Each entry has a service name, an optional environment label such as production or staging, the key itself, and free-form notes. The key is masked by default, with one-click reveal and copy actions, plus a fast search across labels and services.

Because the vault lives entirely in local storage, you can lock it by clearing the unlocked state without losing data. Re-entering the passphrase decrypts the entries again. Forgetting the passphrase means the data cannot be recovered, so keep a backup.

Examples

  • Storing a Stripe live secret key under the service "Stripe", environment "production", with a note "rotate quarterly".
  • Saving an OpenAI key for a side project, environment "development", with the model and rate limits in the notes.
  • Keeping a SendGrid API key for a client's transactional email, labelled with the client's name.
  • Tracking a personal GitHub fine-grained token, with the repository scopes documented in notes so future rotations are easy.

FAQ

How are the keys encrypted?
A key derived from your passphrase encrypts each entry before it is saved. Only ciphertext is written to local storage.

What happens if I forget the passphrase?
There is no recovery. The encrypted data becomes unreadable. Treat the passphrase like a master credential.

Can I sync the vault across devices?
Not automatically. Each browser holds its own encrypted store. Manual export and re-import is the supported path.

Is this a replacement for a team secrets manager?
No. It is a single-user, single-device tool. For shared production secrets use a dedicated secrets backend.

Can I copy a key without revealing it on screen?
Yes. A copy action puts the plaintext on the clipboard while the key stays masked.

Try API Keys Vault

An unhandled error has occurred. Reload ×