Abokado Labs · Keys

A vault for the keys you actually have.

Keys is a vault for the credentials you collect while shipping software. API keys, SSH keys, OAuth tokens, certificates, connection strings. The ones that end up in .env files, scratch notes, and screenshots because no password manager was really built for them.

Get Keys on the App Store → Take the tour

$4.99  ·  one purchase covers iPhone, iPad, and Mac  ·  no subscription

The library

Every credential, sorted by the things you actually search by.

Filter by app, environment, or credential type. Star the keys you reach for daily. Tags for the long tail. The sidebar reads like the way you'd describe your own setup out loud.

Keys for macOS — main library with apps, environments, and types in the sidebar.
What lives in a vault

Built around the seven things you keep losing.

Keys ships with first-class types. An API key has slots for the bearer token, the issuer, and the rotation policy. An SSH key has slots for public, private, and an optional passphrase. A connection string is parsed back into its URI components when you read it. Each kind has the right fields, the right validators, and the right copy buttons.

Smart import

Paste an .env. Get clean records.

Drop the file, paste the block, or point Keys at the path. Values are extracted locally with deterministic regex — no model touches the secret itself. A small AI classifier (running on your API key, with the provider you choose) handles the boring part: naming the record, guessing the service, picking the type.

  • Recognizes 30+ provider patterns out of the box.
  • Edit any guessed label before it's written.
  • Skip the AI entirely and just get the parsed fields.
Keys' Extract Credentials view, with a pasted .env block and detected provider classifications.
Record detail

Markdown notes, attachments, revision history.

Every record carries the context you'd otherwise lose in a Notion page. Which dashboard issued it. Which environment it belongs to. The bash one-liner you used to test it last time. Attach a config file, a cert, a screenshot — encrypted with the same key as the secret.

  • Markdown notes — bold, italic, code, lists, links, headings.
  • File attachments up to 10 MB, encrypted at rest.
  • Revision history per record. Rollback, diff, audit.
  • Tags, environment, owning app, URL — all searchable.
The Supabase Secret Key record open in Keys, showing identity, credential, metadata, attachments, and revision history.
Liveness & balance

Know which keys still work — and how much credit is left.

Keys validates stored credentials against their providers and surfaces the dead ones before you do. For AI providers it goes further: read account balance, per-key usage, character quotas. The dashboard you'd build yourself if you had a free afternoon.

  • Provider-aware checks: 401, expired, rate-limited, revoked.
  • Live balance for OpenAI, Anthropic, OpenRouter, DeepSeek, ElevenLabs, more.
  • Monitoring credentials are stored in macOS Keychain. Never synced.
Platforms screen on iPhone — DeepSeek, ElevenLabs, OpenRouter live-balance cards.
Developer tools

An SSH agent and a keys CLI, if you want them.

Opt in to use Keys as your system SSH agent — git push and ssh work without a private key on disk, each signing operation gated by Touch ID. Or install the keys command-line tool to read credentials, inject env vars, and exec commands with secrets from any terminal.

  • SSH agent: keys never leave the vault. Touch ID per signature.
  • keys exec — npm run deploy injects the right env and runs it.
  • Both off by default. Opt in from Settings → Developer.
Settings → Developer pane in Keys for macOS, showing SSH agent and CLI install options.
Everywhere you ship from

Mac in the morning. Phone on the train.

The vault syncs through your own iCloud, scoped to your Apple ID. New device, same passphrase, same library. No third party between you and your secrets — including us.

Keys home screen on iPhone — credentials list with tags and environments.
Library tab on iPhone — credential types and environments.
A MongoDB connection-string record open on iPhone.
How it works

Four working principles.

Built to be the vault you'd actually trust with the keys to production.

On-device encryption
Your secrets never leave your devices unencrypted. The encryption key derives from your passphrase and never leaves the device either. iCloud only ever sees ciphertext. There is no Abokado Labs server, which means there is no copy of your data anywhere that could be handed over, even if asked.
iCloud-native sync
Sync over your iCloud, not ours. Keys uses a private CloudKit container scoped to your Apple ID. New device, same account, same vault. No third party between you and your secrets.
AI that doesn't see secrets
Paste an .env file. Get clean records. The secret values are extracted locally with deterministic regex, no model involved. A small AI classifier (running on your own API key, with your provider of choice) only handles the labels: name, kind, service. It never sees, copies, or generates the secret itself.
Liveness
Know which keys still work. Keys checks stored credentials against their providers and flags the dead ones. The dashboard you'd build yourself if you had a free afternoon.
Abokado Labs doesn't keep a copy. The vault can't be restored if you lose your passphrase, and there's no version of "ask nicely" that opens it. That's on purpose.
FAQ

Reasonable questions.

What if I forget my passphrase?

Your passphrase is the only thing that can decrypt your vault. Any "recovery service" would have to break the encryption, so Keys doesn't offer one. Instead, Keys generates a one-time recovery code at setup. Print it, put it somewhere you'd find again in a year. That's the safety net.

How is this different from 1Password or iCloud Keychain?

1Password is great for households. Passwords, two-factor codes, family sharing, the works. iCloud Keychain is great for the websites you log into in Safari. Keys is for the rest. The credentials that show up when you actually build things: API keys, SSH keys, OAuth tokens, server creds, the .env files that quietly grow over time. It speaks that vocabulary natively.

How much do you need to trust Abokado Labs?

As little as possible, by design. Keys ships as a standard App Store app, sandboxed, with no analytics or telemetry baked in and no Abokado Labs server in the picture. Your data lives on your devices and in your iCloud, encrypted with a key only you have. The privacy policy walks through every data flow.

What happens if Keys disappears?

You can export an encrypted backup any time. The format is documented, and the secrets stay readable as long as you have the passphrase, whether or not Keys is still in the App Store.

Is there an Android version?

No, and no plans for one. Keys is built on iCloud sync, the Secure Enclave, and the macOS / iOS sandbox. Bringing the same guarantees to Android would mean rebuilding the trust model from scratch on different primitives. That's a different product, and the priority is building this one well.

From the same studio
Bandwidth Meter A free macOS menu bar app for live up/down rates, per-app traffic, and network identity. Open source, MIT-licensed. Version 1.1.1 now available.