AI-friendly secrets management CLI using OS-native keyring encryption

Project description

ai-secrets

AI-friendly secrets management CLI using OS-native encryption.

Supported Backends:
Windows Credential Manager • macOS Keychain • Linux Secret Service

Features

  • 🔒 Secure — OS-native keyring encryption
  • 🤖 AI-friendly — Consistent JSON with success flags, --reveal mode
  • 📊 Flexible — JSON, Table, and Bash output formats
  • 🎯 Type-safe — Full type hints and validation
  • Tested — 34 passing tests
  • 🚀 Simple — Clean API with proper error handling

Installation

# From PyPI
pip install ai-secrets

# Or with uv
uv add ai-secrets

# Development install
git clone https://github.com/BjornBethge/ai-secrets.git
cd ai-secrets
uv sync

Quick Start

# Store a secret
ai-secrets set HF_TOKEN "hf_your_token_here"

# Check if secret exists
ai-secrets get HF_TOKEN

# List all secrets (names only)
ai-secrets list

# AI-friendly: Get secret value in JSON
ai-secrets get HF_TOKEN --reveal -f json

# Delete secret
ai-secrets delete HF_TOKEN --yes

Note: The command secrets is also available as an alias for ai-secrets.

Commands

set — Store secret

ai-secrets set API_KEY "sk-1234" -f json
# {"success": true, "name": "API_KEY", "message": "..."}

get — Retrieve secret

# Check existence only
ai-secrets get API_KEY
# ✓ Secret 'API_KEY' exists

# For AI workflows (returns value in JSON)
ai-secrets get API_KEY --reveal -f json
# {"success": true, "name": "API_KEY", "exists": true, "value": "sk-1234"}

# For humans (prints to terminal)
ai-secrets get API_KEY --print

list — List all secrets

ai-secrets list -f json
# {"success": true, "secrets": ["API_KEY", "HF_TOKEN"], "count": 2}

delete — Delete secret

ai-secrets delete API_KEY --yes -f json
# {"success": true, "name": "API_KEY", "deleted": true}

status — Show manager status

ai-secrets status -f json
# {"success": true, "service_name": "ai-secrets", "secret_count": 3, ...}

export — Export as environment variables

# Bash format (prints export statements)
ai-secrets export -f bash
# export API_KEY=sk-1234
# export HF_TOKEN=hf_xxx

# JSON format
ai-secrets export -f json
# {"success": true, "secrets": {"API_KEY": "sk-1234", ...}, "count": 2}

AI-Friendly JSON

All JSON responses follow a consistent structure:

Success:

{
  "success": true,
  "name": "API_KEY",
  ...
}

Error:

{
  "success": false,
  "error": "Secret 'MISSING' not found",
  "name": "MISSING"
}

The --reveal flag:

  • Works only with -f json
  • Returns the actual secret value
  • Designed for AI workflows where the value is needed programmatically
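
An added example (not part of the ai-secrets project) of consuming the JSON responses above defensively: it enforces the success flag, extracts the value from a get --reveal response, and turns an export -f json response into shell-quoted export lines rather than relying on the quoting of the -f bash output, which this page does not describe. The function names and the sample responses are constructed for illustration.

```python
import json
import re
import shlex

# Constructed sample responses, shaped like the ones shown on this page.
GET_OK = '{"success": true, "name": "API_KEY", "exists": true, "value": "sk-1234"}'
GET_ERR = '{"success": false, "error": "Secret \'MISSING\' not found", "name": "MISSING"}'
EXPORT_OK = '{"success": true, "secrets": {"API_KEY": "sk-1234", "DB_PASSWORD": "pa ss;$HOME"}, "count": 2}'
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # names safe to use as shell variables


class SecretsError(RuntimeError):
    """Raised when the CLI reports success=false or the JSON is malformed."""


def parse_response(text):
    """Decode one CLI response and enforce the success flag (hypothetical helper)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        # Do not echo the raw text in the error: it may contain a secret value.
        raise SecretsError("response is not valid JSON") from None
    if not isinstance(data, dict):
        raise SecretsError("unexpected JSON type")
    if data.get("success") is not True:
        raise SecretsError(str(data.get("error", "unknown error")))
    return data


def secret_value(text):
    """Return the value from a `get --reveal -f json` response."""
    value = parse_response(text).get("value")
    if not isinstance(value, str):
        raise SecretsError("response carries no value")
    return value


def shell_exports(text):
    """Build shell-quoted export lines from an `export -f json` response."""
    secrets = parse_response(text).get("secrets")
    if not isinstance(secrets, dict):
        raise SecretsError("response carries no secrets object")
    lines = []
    for name, value in sorted(secrets.items()):
        if not ENV_NAME.fullmatch(name) or not isinstance(value, str):
            raise SecretsError(f"refusing unsafe entry {name!r}")
        lines.append(f"export {name}={shlex.quote(value)}")
    return lines
```

Values made only of shell-safe characters come out unquoted, as in the sample output on this page; anything else is wrapped in single quotes so that sourcing the lines cannot expand or execute part of a value.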

Multi-Project Support

Use --service-name to isolate secrets per project:

# Production secrets
ai-secrets --service-name myapp-prod set DB_PASSWORD "secret"

# Development secrets  
ai-secrets --service-name myapp-dev set DB_PASSWORD "dev123"

# Custom metadata location
ai-secrets --service-name myapp --base-dir .secrets set API_KEY "key"

Python API:

from ai_secrets.storage import SecretsStore
from pathlib import Path

# Per-environment stores
prod_store = SecretsStore(service_name="myapp-prod")
dev_store = SecretsStore(service_name="myapp-dev", base_dir=Path(".secrets"))

# Set and get secrets
prod_store.set("API_KEY", "sk-prod-xxx")
print(prod_store.get("API_KEY"))  # "sk-prod-xxx"

# List all secret names
secrets = prod_store.list_names()  # ["API_KEY", ...]

# Export as dict
env_vars = prod_store.export_env()  # {"API_KEY": "sk-prod-xxx", ...}

# Delete a secret
prod_store.delete("API_KEY")

Direct keyring usage:

import keyring

# Store secret (basic keyring API)
keyring.set_password("myapp", "API_KEY", "secret-value")

# Get secret
value = keyring.get_password("myapp", "API_KEY")

# Delete secret
keyring.delete_password("myapp", "API_KEY")

Why use ai-secrets instead of raw keyring?

  • ✅ Secret name management (list all secrets)
  • ✅ Metadata tracking (knows what secrets exist)
  • ✅ Multi-environment support (--service-name)
  • ✅ JSON export for AI workflows
  • ✅ CLI convenience

Development

# Install dependencies
uv sync

# Run tests
uv run pytest tests/ -v

Notes

  • Default service name: ai-secrets (before v0.1.0: ai-keys)
  • Metadata stored in: ~/.secrets/metadata_<service-name>.json (only names, not values)
  • Secret values stored in: OS keyring (encrypted)
  • Each service has its own metadata file to avoid conflicts
  • export -f bash prints a warning to stderr
  • Linux/KeePassXC: May prompt for database unlock

Download files

Source Distribution

ai_secrets-0.1.1.tar.gz (46.7 kB view details)

Uploaded Source

Built Distribution

ai_secrets-0.1.1-py3-none-any.whl (9.0 kB view details)

Uploaded Python 3

File details

Details for the file ai_secrets-0.1.1.tar.gz.

File metadata

  • Download URL: ai_secrets-0.1.1.tar.gz
  • Upload date:
  • Size: 46.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.2

File hashes

Hashes for ai_secrets-0.1.1.tar.gz
Algorithm Hash digest
SHA256 597c84b48f906fd9fbe8575465add34af4664543c6a1ddd55ea7fe55d4d2a8e8
MD5 e449ee65e0078f425bfd8a986c9f7adf
BLAKE2b-256 f2f8e5c80f5e62a1262dc53da1b455c867789cd9e6d11b589e306c0261c85710

File details

Details for the file ai_secrets-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: ai_secrets-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 9.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.2

File hashes

Hashes for ai_secrets-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 d6a7c7acb7bd93b47b2ab9dfc9ed11e9e1644426d7ec0de9b92009be8249cf62
MD5 935f4fbf8a580ef5c6ad77632a0f2d0c
BLAKE2b-256 c8d0c64e8d85c6093a4595d0e0da8204d0471e8de78e1edf7bafdedb0b7b37a5
