Secret management for the AI era
A scope-locked vault that sits between your AI coding agent and your credentials. Secrets only resolve for their intended destination. Exfiltration is blocked. Output is always redacted.
Linux, macOS & Windows — $7.99 one-time license to activate
Works with any AI tool that uses a shell
Every command is checked before secrets resolve. Every output is scrubbed after execution.
Each secret is locked to specific hosts. A GitHub token with host:github.com won't resolve for any other destination.
Blocks file redirections, netcat/socat pipes, base64 encoding, /dev/tcp, and split-destination attacks.
All secret values scrubbed from stdout and stderr. Generic redaction tags prevent oracle attacks.
Secrets pinned with mlock. Core dumps disabled. Process tracing blocked. Zeroed on reload.
Secrets never leave your machine. No cloud. AES-256-GCM encrypted vault, machine-bound.
Install, add secrets, go. Claude Code hook auto-configured. Systemd/launchd auto-start.
Download for your platform or use the one-line installer. Activate with your license key.
$ curl -fsSL https://secrets.waykee.com/install.sh | sh$ waykee-secrets-standalone license activate --key YOUR-KEYEach secret is locked to where it should be used.
$ waykee-secrets-standalone add GITHUB_TOKEN --scope "host:github.com"Enter secret value: ********Secret added. Scope: host:github.comThe agent writes {GITHUB_TOKEN} in commands. Waykee resolves it only if the destination matches.
$ waykee-secrets-standalone setup-claude-hook$ claudeNative app for macOS & Windows. Interactive CLI for Linux. No dependencies.
Apple Silicon (arm64)
Native app — open, unlock, manage your secrets visually.
Download for macOSx64
Native app — double-click to open, manage secrets with a GUI.
Download for Windowswaykee-secrets-gui.exex64
Interactive console app — guided menus, just like certbot.
Download for Linuxcurl -fsSL https://secrets.waykee.com/install.sh | shMost secret managers give agents the secret. We don't.
| Waykee Secrets | Infisical | HashiCorp | 1Password | Doppler | |
|---|---|---|---|---|---|
| Scope-locked | Yes | Partial | No | No | No |
| Output redaction | Yes | No | No | No | No |
| Anti-exfiltration | Yes | Partial | No | No | No |
| Works beyond HTTP | Yes | No | Yes | Yes | Yes |
| Memory protection | mlock | No | mlock | No | No |
| 100% local | Yes | Self-host | Self-host | No | No |
| Claude Code native | Yes | No | No | No | No |
| Price | $7.99 once | Free | $50K+/yr | $8/mo | $21/mo |
No subscriptions. No per-seat fees. No cloud bills.
One-time • Lifetime • 3 devices
Secure payment • 256-bit SSL
On your machine only. AES-256-GCM encrypted vault file, machine-bound. At runtime, loaded into locked memory. No cloud.
No. The agent writes markers like {GITHUB_TOKEN}. The daemon resolves them after security checks, executes the command, and returns redacted output.
Pay $7.99 once. Use forever. Includes 1 year of updates. Optionally renew for $4.99/year.
Each license activates on up to 3 devices. Deactivate a device to free up a slot.
Linux x64, macOS arm64 & x64, Windows x64. Native AOT binary — no runtime needed.
Agent Vault is an HTTP proxy. Waykee works at the shell level (any command), redacts output, and blocks exfiltration patterns.
Install in 60 seconds. $7.99 one-time.