The local-first credential vault your AI agents can use โ but never see.
No server. No account. One encrypted file. Your coding agents get a handle, a human approves at the terminal, and the secret is injected at the edge โ the agent process never receives the bytes.
Developers now work alongside AI agents that read their files, run their shells, and โ if a secret sits in a .env or an MCP config โ read their credentials too. In 2026 researchers found ~24,000 secrets exposed in public MCP configuration files on GitHub. The industry's own answer is converging on one principle: the agent should never hold or see the secret. Blindkey is that principle, built local-first.
The agent gets a scoped handle; a human approves; the secret is delivered to the destination, never to the requesting process.
Not a cloud platform or a MITM HTTPS proxy in your traffic. One encrypted file plus a local broker โ nothing to stand up, nothing to trust with your connection.
URLs, titles, timestamps โ all encrypted. Argon2id with an enforced floor; XChaCha20-Poly1305 STREAM; whole-file rollback detected.
zeroize + mlock, panic = "abort", and no unsafe outside one designated FFI crate.
66 numbered security constraints, each with a test โ not a trust-us page. Read the whole design in an afternoon.
Zero network, zero telemetry. Sync the encrypted blob over any storage you don't trust; rollback is still detected.
$ blindkey init Created vault at ~/.blindkey/vault.vlt $ blindkey import --format raw --yes keys.txt Imported 2 entries into ~/.blindkey/vault.vlt $ blindkey get github # copies to clipboard, model-blind by default โ copied github password to clipboard (clears in 30s)