veil

Stop showing your API
keys to your agents.

Veil is a local proxy. It gives your agents fake keys and swaps in the real ones at the socket. They never see them.

.ENV DIFF · AFTER VEIL INIT
3 - ANTHROPIC_API_KEY=sk-ant-api03-aT8kPqNrL2mZ9vBcDfGhJ7tYrUiOeQz
3 + ANTHROPIC_API_KEY=sk-ant-api03-VEIL00NrL2mZ9vBcDfGhJ7tYrUiOeQz
real key moved to keychain · agents see the fake

how it works

  1. 01
    $veil init

    Pulls keys out of .env and MCP configs into your OS keychain. Leaves convincing-looking fakes behind.

  2. 02
    $veil run claude

    Runs your agent through the local proxy. Works with Claude Code, Cursor, Aider, curl — anything that respects HTTP_PROXY.

  3. 03
    at the socket

    Each outgoing request gets its fake swapped for the real key before leaving your machine. Every swap is logged to SQLite — grep it if you want.

install

brew install getveil/tap/veil go install github.com/getveil/veil/cmd/veil@latest git clone github.com/getveil/veil && cd veil && make build