veil

Stop showing your API keys to your agents.

Veil is a local proxy. It gives your agents fake keys and swaps in the real ones at the socket. They never see them.

- ANTHROPIC_API_KEY=sk-ant-api03-aT8kPqNrL2mZ9vBcDfGhJ7tYrUiOeQz
+ ANTHROPIC_API_KEY=sk-ant-api03-VEIL00NrL2mZ9vBcDfGhJ7tYrUiOeQz
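
Review bot: the placeholder on the "+" line is not independent of the secret it replaces. It keeps the "sk-ant-api03-" prefix and the last 25 characters of the real key ("NrL2mZ9vBcDfGhJ7tYrUiOeQz"), and only the six characters "aT8kPq" are replaced by "VEIL00". If fakes are derived from the real key this way, anyone who reads the .env recovers all but six characters of the secret. Generate everything after the "VEIL00" marker at random, and keep only the vendor prefix and the overall length so the value still passes format checks.
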
.env · diff after veil init · real key moved to keychain
  1. $ veil init

    Pulls keys out of .env and MCP configs into your OS keychain. Leaves convincing-looking fakes behind.

  2. $ veil run claude

    Runs your agent through the local proxy. Works with Claude Code, Cursor, Aider, curl — anything that respects HTTP_PROXY.

  3. at the socket

    Each outgoing request gets its fake swapped for the real key before leaving your machine. Every swap is logged to SQLite — grep it if you want.
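
A sketch of the swap step described above, as an added example that is not Veil's own code. It assumes the proxy already holds the parsed request headers and destination host (for HTTPS that implies TLS interception, which the page does not describe); the vault mapping, the per-key host allowlist and the table layout are hypothetical.

```python
import hashlib
import sqlite3
import time

# Constructed sample values, not real credentials.
FAKE = "sk-ant-api03-VEIL00-constructed-placeholder"
REAL = "sk-ant-api03-constructed-real-value"

# Hypothetical vault: fake key -> (real key, hosts allowed to receive it).
# In the tool described above the real key would come from the OS keychain.
VAULT = {FAKE: (REAL, {"api.anthropic.com"})}


def open_log(path=":memory:"):
    """Open the swap log (assumed schema); it never stores a real key."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS swaps "
        "(ts REAL, host TEXT, header TEXT, fake_id TEXT, swapped INTEGER)"
    )
    return db


def swap_headers(host, headers, db, vault=VAULT):
    """Return a copy of headers with fakes replaced, only for allowed hosts."""
    out = {}
    for name, value in headers.items():
        for fake, (real, hosts) in vault.items():
            if fake not in value:
                continue
            allowed = host.lower() in hosts
            if allowed:
                value = value.replace(fake, real)
            # Log a short hash of the fake, so the log identifies the key
            # without containing anything usable as a credential.
            fake_id = hashlib.sha256(fake.encode()).hexdigest()[:12]
            db.execute(
                "INSERT INTO swaps VALUES (?, ?, ?, ?, ?)",
                (time.time(), host, name, fake_id, int(allowed)),
            )
        out[name] = value
    db.commit()
    return out
```

A request that carries the fake to any other host is forwarded unchanged and logged with swapped = 0, which is the row worth alerting on.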

brew install getveil/tap/veil