Skip to content

Add system keychain support for secure API key storage #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
GiGurra wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add system keychain support for secure API key storage #9

GiGurra wants to merge 3 commits into from

Conversation

@GiGurra
Copy link

@GiGurra GiGurra commented Jan 24, 2026
edited
Loading

Summary

  • Adds sag keychain set/status/delete commands for storing the ElevenLabs API key securely in the system keychain
  • Supports macOS Keychain, Windows Credential Manager, and Linux Secret Service (GNOME Keyring)
  • Uses zalando/go-keyring - a cross-platform library with no CGO dependencies

Security note: The status command only reports whether a key is stored, not its value - prevents compromised agents from extracting the key.

Priority order

The keychain is checked after --api-key-file but before environment variables:

  1. --api-key flag
  2. --api-key-file flag / ELEVENLABS_API_KEY_FILE env vars
  3. System keychain (new)
  4. ELEVENLABS_API_KEY / SAG_API_KEY env vars

Test plan

  • All existing tests pass
  • New unit tests for keychain integration using go-keyring's mock
  • Linter passes
  • Manual testing on macOS/Windows/Linux (would appreciate help here!)

Closes #6

🤖 Generated with Claude Code

@GiGurra @claude
Add system keychain support for secure API key storage
be061a4 
Adds `sag keychain set/get/delete` commands for storing the ElevenLabs
API key in the system keychain. Supports macOS Keychain, Windows
Credential Manager, and Linux Secret Service (GNOME Keyring).

The keychain is checked after --api-key-file but before environment
variables, providing a more secure alternative to storing keys in
plain text files or environment variables.

Closes steipete#6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@GiGurra
Copy link
Author

GiGurra commented Jan 24, 2026

Marking as draft for now - I'll review the code Claude generated this afternoon and continue working on it if everything looks good.

GiGurra and others added 2 commits January 24, 2026 13:33
@GiGurra @claude
Remove author mention from changelog entry
f31f001 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@GiGurra @claude
Replace keychain get with status command
4ae3f26 
For security, don't expose a command that prints the API key - a
compromised agent could extract it. Instead, provide a status command
that only reports whether a key is stored.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@GiGurra GiGurra marked this pull request as ready for review January 24, 2026 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature request: support storing api key in more safe storage

1 participant

@GiGurra