Local API key and secret rotation tracker. Monitor and manage all your API keys, webhooks, and credentials in one place. Track rotation status, detect stale keys, and enforce security policies. All data stays securely on your machine.
Use this skill when the user asks about:
Trigger phrases: "API key", "secret rotation", "which keys need rotation", "stale credentials", ".env file", "rotate key", "track secrets", "credential management", "security audit", "API token", "webhook", "database password", "rotation status", "scan environment"
If the database does not exist yet, run the setup script:
bash setup.sh
This creates the data directory (~/.nex-keyring), initializes the database, and verifies dependencies.
The CLI tool is nex-keyring. All commands output plain text.
Register a new API key or secret:
nex-keyring add --name "OpenAI API Key" --service openai --category API --env-var OPENAI_API_KEY --rotation 90
nex-keyring add --name "Cloudflare Token" --service cloudflare --description "Production API token" --rotation 180
nex-keyring add --name "Database Password" --service postgresql --category DATABASE --used-in "production app"
Options:
--name (required): Secret name (must be unique)
--service: Service name (e.g., openai, cloudflare, firebase)
--category: API, DATABASE, SSH, OAUTH, WEBHOOK, SMTP, DNS, HOSTING, AI, PAYMENT, OTHER
--env-var: Environment variable name to track (e.g., OPENAI_API_KEY)
--rotation: Rotation policy in days (default: 90, or service preset)
--description: Human-readable description
--tags: Comma-separated tags for organization
--used-in: Project or script names using this key
Show all tracked secrets:
nex-keyring list
nex-keyring list --service openai
nex-keyring list --category API
nex-keyring list --category DATABASE
Display detailed information (never shows actual key values):
nex-keyring show "OpenAI API Key"
nex-keyring show "Cloudflare Token"
Shows:
Check which keys need rotation:
nex-keyring check
nex-keyring check --service openai
nex-keyring check --all
Reports overdue and stale keys with:
Record a rotation event:
nex-keyring rotate "OpenAI API Key"
nex-keyring rotate "OpenAI API Key" --hash abc123def456... --notes "Routine rotation"
The tool prompts for the new key hash if one is not provided. The hash is used to detect key changes without storing the actual key.
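One way to produce the value passed to --hash without the key reaching the terminal, shell history or a process argument list. This is an added example, not nex-keyring's own code. It assumes --hash accepts any opaque fingerprint string (SHA-256 hex is chosen here), and the helper names env_value, key_fingerprint and key_changed are hypothetical.

```sh
#!/bin/sh
# Added example, not nex-keyring code. Assumption: --hash accepts any opaque
# fingerprint string; SHA-256 hex is this example's choice, not a documented format.

# env_value FILE VAR: print VAR's raw value from a .env file (last assignment
# wins). Handles an optional "export " prefix and one pair of matching quotes.
env_value() {
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=//p" "$1" |
        tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# key_fingerprint FILE VAR: print the SHA-256 hex digest of VAR's value.
# Runs in a subshell so the secret does not linger in the caller's variables;
# printf is a builtin in bash and dash, so the secret never appears in argv.
key_fingerprint() (
    secret=$(env_value "$1" "$2")
    [ -n "$secret" ] || { echo "no value for $2 in $1" >&2; exit 1; }
    printf '%s' "$secret" | sha256sum | cut -d' ' -f1
)

# key_changed FILE VAR OLD_FP: succeed if the key now in FILE differs from the
# fingerprint recorded at the last rotation; status 2 if VAR is missing.
key_changed() {
    current=$(key_fingerprint "$1" "$2") || return 2
    [ "$current" != "$3" ]
}

# Demo on constructed data (not real credentials). It prints the rotate
# command to run rather than invoking nex-keyring.
demo() {
    f=$(mktemp) || return 1
    printf 'export OPENAI_API_KEY="sk-constructed-old"\n' > "$f"
    old=$(key_fingerprint "$f" OPENAI_API_KEY)
    printf 'OPENAI_API_KEY=sk-constructed-new\n' > "$f"   # key replaced in place
    if key_changed "$f" OPENAI_API_KEY "$old"; then
        new=$(key_fingerprint "$f" OPENAI_API_KEY)
        echo "nex-keyring rotate \"OpenAI API Key\" --hash $new --notes \"Routine rotation\""
    fi
    rm -f "$f"
}
demo
```

An unsalted digest of a guessable secret, such as a short database password, can be confirmed by brute force, so protect those fingerprints as carefully as the registry itself.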
Scan .env files or environment variables for API keys:
nex-keyring scan --env-file .env
nex-keyring scan --env-file /path/to/.env.production
nex-keyring scan --environment
Detects:
Auto-register all keys from a .env file:
nex-keyring import .env
nex-keyring import .env.production --auto-register
Creates tracked secrets for each detected key with appropriate service detection and rotation policies.
List all keys needing attention:
nex-keyring stale
Shows:
Check rotation history for a specific key:
nex-keyring history "OpenAI API Key"
nex-keyring history "Cloudflare Token"
Displays:
Export secret registry (metadata only, never actual keys):
nex-keyring export --format json
nex-keyring export --format csv --output registry.csv
nex-keyring export --format markdown --output registry.md
Formats: JSON, CSV, Markdown (metadata only, no sensitive data)
Show all actions on tracked secrets:
nex-keyring audit
nex-keyring audit --limit 100
nex-keyring audit --secret "OpenAI API Key"
Tracks:
Overview of tracked secrets:
nex-keyring stats
Shows:
Show system configuration:
nex-keyring config
Displays:
Automatic rotation policies for common services:
Custom policies can be set per secret.
Secrets are assessed based on time since last rotation:
Scenario: Onboard new API keys
# Scan your .env file
nex-keyring scan --env-file .env
# Import all found keys
nex-keyring import .env
# Review what was added
nex-keyring list
# Check current rotation status
nex-keyring check
Scenario: Identify overdue keys
# Show all stale and overdue secrets
nex-keyring stale
# Check specific service
nex-keyring check --service stripe
Scenario: Rotate a key
# Show current details
nex-keyring show "OpenAI API Key"
# After rotating the key in the OpenAI dashboard:
nex-keyring rotate "OpenAI API Key" --notes "Monthly rotation"
# Verify rotation was recorded
nex-keyring history "OpenAI API Key"
Scenario: Export for audit
# Export metadata for security review
nex-keyring export --format csv --output audit_$(date +%Y%m%d).csv
# View rotation history for compliance
nex-keyring audit --limit 200
cryptography (for Fernet encryption, recommended)
Install cryptography for stronger encryption:
pip install cryptography
Without it, keys are only obfuscated with base64, a reversible encoding that provides no confidentiality (not recommended for production).
Built by Nex AI | MIT-0 License