A local-first, security-focused API key manager for AI developers.
Chinese version: README_zh-CN.md
🔒 100% Local by Default. No Telemetry. AIKeyVault does not send analytics, crash reports, cloud sync data, or vault contents anywhere. Manual update checks contact GitHub Releases only when you explicitly click the update button.
AIKeyVault gives you instant, encrypted access to your AI provider API keys via a Raycast-style launcher.
- AES-256-GCM Encryption — Every key is independently encrypted with a random nonce. Your master password never leaves memory unprotected.
- Argon2id Key Derivation — 64 MiB memory-hard hashing with 3 iterations makes brute-force attacks infeasible.
- Raycast-Style Launcher — Global shortcut (`Ctrl+Shift+Space`) pops up a transparent blur-glass search window. Type, copy, done.
- Fuzzy Search — Search across titles, provider names, and tags. Keyboard-driven: `↑↓` to navigate, `Enter` to copy.
- Auto-Lock & Memory Safety — Idle timeout locks the vault and zeroizes the master key from memory. Clipboard auto-clears after configurable delay.
- Dark Mode + i18n — Dark-first glassmorphism UI. Supports English, 简体中文, 日本語, 한국어.
- Encrypted Backup — Export to `.kvx` (AES-256-GCM encrypted). Safe to store or transfer anywhere.
- System Tray — Runs minimized. Quick access via tray menu.
Screenshots: Search Launcher, Keys Panel, Security Settings, Unlock Screen, Password Setup, Onboarding.
Pre-built installers will be available on the Releases page.
Last updated: add release date here
| Platform | Package |
|---|---|
| Windows | .msi / .exe installer |
| macOS | .dmg |
| Linux | .deb / .AppImage |
Prerequisites:
- Rust >= 1.70
- Node.js >= 18
- Windows: WebView2 Runtime (pre-installed on Windows 11)
- Linux: `libwebkit2gtk-4.1-dev` and system libraries (see CONTRIBUTING.md for exact package lists)
- macOS: No extra dependencies
```bash
# Clone & install
git clone https://github.com/Awfp1314/AIKeyVault.git
cd AIKeyVault
npm install

# Development (hot-reload for both Rust and React)
npm run tauri dev

# Production build
npm run tauri build
# Output: src-tauri/target/release/bundle/
```

- Choose your language
- Create a strong master password (6+ characters)
- The vault is ready — start adding API keys
| Action | Shortcut / Path |
|---|---|
| Open search | Ctrl+Shift+Space (configurable) |
| Search keys | Type title / provider / tag |
| Copy selected key | Enter |
| Open Dashboard | Search window gear icon or tray menu |
| Lock vault | Tray menu → Lock Vault, or auto-lock timeout |
| Export / Import | Dashboard → Keys panel |
- Open Dashboard (`Ctrl+Shift+Space` → gear icon, or tray menu)
- Go to Keys panel
- Click Add Key
- Fill in: Title, Provider, API Key secret, Tags (optional)
- Save — the key is encrypted and stored locally
Export your encrypted vault as a .kvx file. Store it safely (USB drive, private cloud, etc.). Import with the same export password on any machine.
OpenAI · Anthropic (Claude) · Google (Gemini) · DeepSeek · OpenRouter · Azure OpenAI · SiliconFlow · Volcengine · Alibaba (百炼) · Tencent (混元) · Custom (any service with an API key)
```text
Master Password
      │
      ▼  Argon2id (64 MiB, 3 iter, 4 parallel)
256-bit Master Key
      │
      ▼  AES-256-GCM (random 96-bit nonce per key)
Ciphertext → SQLite BLOB
```
- IPC Isolation — The React frontend receives only item IDs and metadata (`VaultItemMeta`). All cryptographic operations happen in the Rust backend. Plaintext secrets never cross the IPC boundary (one exception: `reveal` command auto-masks after 10 seconds).
- Memory Hardening — Master key wrapped in `Zeroizing<Vec<u8>>`. On lock, memory is zeroed before deallocation. No swap leakage.
- Clipboard Protection — Privacy flags injected on macOS. Auto-clear timer (30s / 60s / 5min / never) clears the system clipboard.
- Per-Record Nonces — Each vault item gets its own 96-bit random nonce. Reusing a nonce would compromise AES-GCM security — we prevent that entirely.
- No Telemetry — AIKeyVault sends no analytics, crash reports, cloud sync data, or vault contents. The only network feature is a manual GitHub Releases update check initiated by the user.
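
The auto-lock and memory-hardening behaviour described above, sketched as an added example that is not AIKeyVault's own code. It uses only the standard library (the project itself wraps the key in `Zeroizing<Vec<u8>>`); the names `Vault`, `tick`, `heartbeat` and `wipe` and the 300-second timeout are assumptions made for illustration.

```rust
use std::sync::atomic::{compiler_fence, Ordering};
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq, Clone, Copy)]
enum State { FirstLaunch, Unlocked, Locked }
struct Vault { state: State, key: [u8; 32], last_seen: Instant, idle: Duration }

/// Volatile writes keep the compiler from eliding the wipe as a dead store.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) }; }
    compiler_fence(Ordering::SeqCst);
}

impl Vault {
    fn new(idle: Duration, now: Instant) -> Self {
        Vault { state: State::FirstLaunch, key: [0; 32], last_seen: now, idle }
    }
    /// Takes the already-derived 256-bit key and wipes the caller's copy.
    fn unlock(&mut self, derived: &mut [u8; 32], now: Instant) {
        self.key = *derived;
        wipe(derived);
        self.state = State::Unlocked;
        self.last_seen = now;
    }
    /// Timer callback: lock once the idle window has fully elapsed.
    fn tick(&mut self, now: Instant) -> State {
        let idle_for = now.saturating_duration_since(self.last_seen);
        if self.state == State::Unlocked && idle_for >= self.idle { self.lock(); }
        self.state
    }
    /// UI heartbeat: expiry is checked first, so a late heartbeat cannot revive the session.
    fn heartbeat(&mut self, now: Instant) -> State {
        if self.tick(now) == State::Unlocked { self.last_seen = now; }
        self.state
    }
    fn lock(&mut self) {
        wipe(&mut self.key);
        if self.state == State::Unlocked { self.state = State::Locked; }
    }
    /// The key is reachable only while the vault is unlocked.
    fn key(&self) -> Option<&[u8; 32]> {
        if self.state == State::Unlocked { Some(&self.key) } else { None }
    }
}

fn main() {
    let t0 = Instant::now();
    let mut v = Vault::new(Duration::from_secs(300), t0);
    v.unlock(&mut [0xA5; 32], t0); // constructed key bytes, not a real secret
    println!("{:?}", v.heartbeat(t0 + Duration::from_secs(200)));
    println!("{:?} key present: {}", v.heartbeat(t0 + Duration::from_secs(500)), v.key().is_some());
}
```

Wiping covers only the buffers it is handed; any other copy of the key made along the way needs the same treatment.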
- NOT a cloud service — Data never leaves your machine.
- NOT a password manager — It won't sync across devices, fill browser forms, or store credentials for non-AI services.
- NOT a CLI tool — It's a desktop GUI app designed for speed and visual feedback.
```bash
npm run dev          # Frontend-only Vite dev server (port 1420)
npm run build        # TypeScript type-check + Vite production build
npm run tauri dev    # Full Tauri dev (Rust backend + React frontend)
npm run tauri build  # Production installer
npm run check        # Full check: tsc + cargo clippy
npm run lint         # Rust lint + format check
```

See CONTRIBUTING.md for development workflow, code style, and system dependency details.
```text
AIKeyVault/
├── src/  # React 18 + TypeScript frontend
│   ├── components/  # Shared UI components
│   │   ├── GlobalStateListener.tsx  # Cross-window lock event sync
│   │   ├── ProviderIcon.tsx  # AI provider logo component
│   │   └── VaultItemRow.tsx  # Key list row with mask/unmask
│   ├── pages/  # Page-level components
│   │   ├── OnboardingView.tsx  # First-launch master password setup
│   │   ├── UnlockView.tsx  # Lock screen / vault unlock
│   │   ├── SearchPage.tsx  # Main search launcher window
│   │   ├── DashboardPage.tsx  # Settings & key management window
│   │   └── dashboard/  # Dashboard sub-panels
│   ├── hooks/  # Custom React hooks
│   │   ├── useVault.ts  # IPC wrapper for vault commands
│   │   ├── useHeartbeat.ts  # User activity heartbeat throttle
│   │   └── useSearchKeyboard.ts  # Search list keyboard navigation
│   └── i18n/locales/  # Language packs
│       ├── en-US.json
│       ├── zh-CN.json
│       ├── ja-JP.json
│       └── ko-KR.json
│
├── src-tauri/src/  # Rust backend
│   ├── crypto/  # Encryption layer
│   │   ├── argon2.rs  # Argon2id: salt gen, key derivation, verification
│   │   └── aes.rs  # AES-256-GCM: encrypt/decrypt with per-item nonce
│   ├── vault/  # Core vault logic
│   │   ├── state.rs  # State machine (FirstLaunch → Unlocked ⇄ Locked)
│   │   └── manager.rs  # VaultItem CRUD, search, clipboard copy
│   ├── database/sqlite.rs  # SQLite operations (app_metadata + vault_items)
│   ├── clipboard/manager.rs  # Clipboard write with auto-clear & privacy mark
│   ├── shortcut/manager.rs  # Global shortcut register/update/unregister
│   ├── tray/manager.rs  # System tray menu (Show / Lock / Quit)
│   ├── import_export/kvx.rs  # .kvx encrypted backup format
│   └── commands/  # Tauri IPC command handlers
│       ├── vault.rs  # Vault lifecycle + item CRUD commands
│       └── settings.rs  # Settings, heartbeat, window management
│
├── docs/PRD.md  # Product requirements document
├── design/app-icon.png  # Source icon asset
├── CONTRIBUTING.md  # Contribution guide
├── AGENTS.md  # Architecture notes for AI coding assistants
└── CLAUDE.md  # Project instructions for Claude Code
```
MIT — see LICENSE.
Built with Tauri 2.0, React, Rust, and Tailwind CSS.





