Give autonomy.
Keep control.

mykeep is a secrets vault for your AI agents — and a password manager for you. Keys stay on your devices: your agent uses them, never sees them.

Secrets never leave your devices Open source No account · you approve every use
iOS Android macOS Windows Linux Chrome Safari Any AI agent · REST & MCP

one vault · every device · any agent

How it works

You hand over a decision, never a key.

The secret gets used on your device and never comes back — not to the agent, not to the cloud. (The gateway is keyless — it just passes the request along.)

Stays on your devices

Sealed under a key only your devices hold. The cloud just relays ciphertext it can't read.

You approve every use

The agent stops and waits. You approve on your device — face or fingerprint. Once, or for ten minutes. Kill it anytime.

Any agent

Claude Code, Cursor, ChatGPT, your scripts. Plain REST or MCP. No SDK.

One vault

Your whole secret life — and your agent's memory.

Right now your secrets are scattered — .env, a password manager, an authenticator app. mykeep puts them behind one unlock. Bring them over from 1Password, Bitwarden, or Chrome.

API keyssecret used by reference — the token never enters the agent you approve
Loginssecret autofilled on desktop and mobile you approve
Passkeyssecret phishing-proof. private key sealed on-device you approve
One-time codes2FA / OTP TOTP on-device. ditch the authenticator app you approve
Memorycontext recalled before your agent answers. updated as it learns on your devices

Connect your agent

Connect in a minute.

Two ways in — an MCP server or plain HTTPS. Both take one connect code from the app; no SDK, nothing to build.

1
Open the app → Connect.

Copy your connect code — your agent uses it to ask for access.

mk_obvious-tumble-bridge_••••••
2
Add it — MCP or REST.

Drop it in the MCP config (below), or send it as a bearer token over plain HTTPS. Your agent asks to join, you approve it once on your device — then every secret use is approved too.

MCP, one line

Drop the config in and you get memory_recall, vault_fetch, and more as tools. Works in Claude Code, Cursor, Cline, Codex.

Or just HTTPS

No MCP? Any agent that can call a URL works — send the code as Authorization: Bearer. The whole manual: GET www.mykeep.ai/connect.

You approve on your device

Every secret use asks for your face or fingerprint. Approve once, or for ten minutes. Revoke anytime from the app.

By reference, never by value

The agent acts with the key — and never sees it.

It asks; mykeep makes the call. A prompt injection can't leak a key the agent never had — that's the whole point.

Plain REST or MCP

HTTPS + a bearer token. GET /connect is the whole manual. MCP optional.

Memory, too

recall before answering, retain after. Embedded on-device.

You stay in the loop

Writes need approval. Names never reveal secrets. Revoke anytime.

Live manual: www.mykeep.ai/connect

Pricing

Self-host free. Or let us host it.

The code that touches your secrets is open source — the security core and gateway are Apache-2.0 — so you can audit exactly how your secrets are handled, and you're never locked in. Run the gateway yourself, free, forever. Or skip the ops and let us host it: free while we're in early access, founder pricing locked in when managed plans land.

Open source

Self-host

Run the gateway yourself

$0free, forever
  • Core + gateway open (Apache-2.0) — audit it, run it
  • Your own Cloudflare account — no vendor, no lock-in
  • Audit every line of the security-critical code
  • The escape hatch that keeps hosted honest
View the source

Teams — shared vaults, roles, off-boarding — is exploratory; tell us if you'd want it.

mykeep ♥ open source

The hard parts are out in the open.

Security you can't read isn't security. The security core and gateway are Apache-2.0 — read every line that touches your secrets, run it, fork it.

More at github.com/domuvn/mykeep.

Why I built this

I let an AI agent run my deploys. One day it freaked out and wiped my production database — gone. It had every key in my .env, and nothing was stopping it.

That's when it hit me: we hand agents access to everything and just hope. mykeep is my answer — your keys stay on your devices, your agent can ask to use one, and nothing happens until you approve.

Thanhfounder, mykeep

Your keys. Your call.

Give your agent the keys. Keep the keys.

Free on every device. Two steps to live. Nothing leaves your devices.