5-minute quickstart
Give your agent API access.
Without giving away your keys.
One command. Your agent can call any API. Your users approve each permission. Credentials never leave the server.
1
Install Keychains
Install the CLI globally, or use npx to run it directly.
terminal
npm i -g keychains2
Call any API
Just prefix curl with keychains. The only change vs. a classic curl call: replace hard-coded credentials with template variables.
{{OAUTH*_TOKEN}} — OAuth1 or OAuth2 access/refresh/request token (provider auto-detected from URL)↳
OAUTH2_ACCESS_TOKEN↳
OAUTH2_REFRESH_TOKEN↳
OAUTH1_ACCESS_TOKEN↳
OAUTH1_REQUEST_TOKEN{{ANY_NAME}} — Any non-OAUTH* string is treated as an API key name (eg {{STRIPE_PRIVATE_KEY}})terminal
keychains curl https://api.github.com/user/repos \ -H "Authorization: Bearer {{GITHUB_TOKEN}}"> 200 OK — 42 repositoriesHow the permission flow works
With wildcard tokens, permissions are approved on the fly. Here's what happens the first time your agent needs a new scope:
Your agent calls an API
$ keychains curl https://api.github.com/user/repos
403
First call? Keychains asks for permission
Scope not yet approved:
github::repoApprove at: https://keychains.dev/approve/pr_a1b2...
Your user approves — one click
Permission Request
my-agent wants access to:
github::repo
Read & write repositoriesSame call again — it just works
$ keychains curl https://api.github.com/user/repos
200 OK — 42 repositories
New scope needed
User approves
Access granted
Go further
Now that you have the basics, explore what else Keychains can do.
Delegating credentials to sub-agents
Give sub-agents or VMs temporary, scoped access derived from your permissions. Perfect for agentic workflows that spawn workers.
Pre-approved permission tokens
Know exactly which APIs you need? Create scoped permissions with predefined scopes — no back-and-forth approval needed.
What if my SSH key is stolen? Or my tokens?
Understand the threat model, automatic invalidation mechanisms, and what to do if credentials are compromised.