Welcome back, friend.
Here's what's in your vault today.
Your keys
Encrypted credentials stored in your vault.
Your vault is waiting
Store your first credential — an OpenAI API key, a Stripe secret, a Google OAuth client — anything you'd normally drop into a .env file. Encrypted with AES-256-GCM before it hits disk.
store_key.LLM API Keys
OpenAI, Anthropic, Gemini, Groq, Mistral
Service API Keys
Stripe, Twilio, Resend, ElevenLabs, and anything with a .env line
OAuth Credentials
Google, GitHub, Slack, Microsoft, Notion, Spotify, and more
Scoped tokens
Per-app tokens that authorize proxy access without exposing the underlying credentials.
No scoped tokens issued
Scoped tokens let your apps (or AI agents, or CI pipelines) call stored credentials through the proxy without ever seeing the raw value. Rotate on a schedule, revoke instantly, audit every call.
Recent activity
Every proxied request, logged in real time.
Quiet so far
Every proxied request, credential reveal, rotation, and MCP tool call will show up here in real time — with timestamp, source IP, country, latency, and status code.
Devices
Every machine where you've signed into the CLI. Revoke any you no longer use.
No devices registered
Every machine that runs the apilocker CLI needs to register once via a browser-based flow (no pasted master tokens, ever). Registered devices can be revoked individually without touching any others.
npm install -g apilocker apilocker register
Vault health
Rotation hygiene, unused keys, stale devices, and security warnings — refreshed on every visit.
MCP server
Let AI assistants (Claude Desktop, Cursor, Zed, etc.) read and manage your vault via the Model Context Protocol.
Connect your AI tool
Pick your client below. Copy the config, paste it into your client, done.
Paste this into your Claude Desktop config file. On macOS that's ~/Library/Application Support/Claude/claude_desktop_config.json. Restart Claude Desktop after saving.
{
"mcpServers": {
"apilocker": {
"command": "apilocker",
"args": ["mcp"]
}
}
}
Once Claude Desktop restarts, all 21 API Locker tools become available in the tool picker — list_keys, reveal_key, run_doctor, proxy_request, and more.
Run this command in any terminal (Claude Code is the CLI you're already using for this conversation):
claude mcp add apilocker -- apilocker mcp
Verify with claude mcp list. The server appears in the next Claude Code session automatically.
Open Cursor Settings → Features → Model Context Protocol → Add Server, and paste this config:
{
"mcpServers": {
"apilocker": {
"command": "apilocker",
"args": ["mcp"]
}
}
}
Restart Cursor. The agent gets the full API Locker toolset inside your IDE.
Continue (VS Code extension) reads ~/.continue/config.json. Add an mcpServers section with this entry:
{
"mcpServers": {
"apilocker": {
"command": "apilocker",
"args": ["mcp"]
}
}
}
Reload VS Code after saving.
Zed uses context_servers in its settings.json. Add this entry:
{
"context_servers": {
"apilocker": {
"command": {
"path": "apilocker",
"args": ["mcp"],
"env": {}
}
}
}
}
Reload Zed after saving.
Is it working?
Recent reveal and proxy calls show up here the moment a connected MCP client uses your vault.
Connected MCP clients
AI clients (Claude on claude.ai, Cursor, etc.) that you've authorized via the OAuth 2.1 flow show up here. Each entry can be revoked instantly — both the access token and the refresh token are invalidated.
apilocker CLI to bridge MCP over stdio. Make sure the CLI is installed globally (npm install -g apilocker) and registered (apilocker register) on the same machine as your MCP client. The bridge reads your master token from ~/.apilocker/config.json automatically.
Stop using .env files
Your keys live here; your code can use them directly. Install the CLI, then apilocker run -- npm start injects your secrets as environment variables for the duration of a single command. No .env file, no shell history, no leaks.