Rook

Local secrets vault · macOS

Your secrets stay on your machine. Nowhere else.

Rook keeps API keys, tokens, TOTP codes and .env bundles encrypted on-device with AES-GCM, unlocked with Touch ID. No account. No cloud. No sync. A vault built for developers — and for the AI agents working alongside them.

vault — zsh
$ vault list   # metadata only — never values
cloudflare/api            [apiKey]  Cloudflare
ew-dev.bitbolt.io/admin   [login]   Admin
$ vault run cloudflare/api -- \
    sh -c 'curl -H "Authorization: Bearer $token" $url/zones'
# fields injected as env vars — secrets never touch your shell history,
# the transcript, or any disk. then they're gone.
{ "result": [ ... ], "success": true }

§ Capabilities

A keep for the things you can't afford to leak.

Everything you'd expect from a modern secrets manager — without an account to sign into or a server to trust.

On-device & encrypted

AES-GCM at rest, key in the data-protection Keychain, this-device-only. Never synced, never backed up to anyone's cloud.

Live TOTP codes

Paste an otpauth:// URI and Rook shows a ticking 2FA code with a countdown — your authenticator, in the vault.

Quick-copy from the menu bar

Lives in the menu bar. Star your favorites and copy any field straight from the tray — copies auto-clear after 30 seconds.

Strong generator

Generate passwords, hex tokens and base64url secrets with a system CSPRNG — right where you're editing a field.

Auto-lock & Trash

Locks on idle, sleep and screen-lock. Deletes go to a recoverable Trash — restore until you empty it for good.

Portable backups

Export the whole vault as a passphrase-encrypted file and carry it to another Mac. Standard crypto, no lock-in.

§ The deal

The most private secrets manager is the one that has nothing to leak. Rook collects nothing because Rook sends nothing.

Account required: None
Data sent to a server: None
Analytics / tracking: None
Sync service: None
Where your vault lives: Your Mac
Who holds the key: You

§ Editions

One vault, two ways to run it.

The same on-device vault. Choose the App Store build, or the direct build that an AI agent can drive from your shell.

Mac App Store

Rook

$4.99 · one-time

  • The full menu-bar app
  • TOTP, generator, Trash, backups
  • Touch ID unlock & auto-lock
  • Sandboxed & notarized by Apple
  • No command line / agent access

Direct · Developer ID

Rook for Agents

one-time · direct download

  • Everything in the App Store build
  • A vault CLI for your shell
  • An MCP server for Claude Code
  • Injection-first: values stay out of transcripts
  • Unattended access for trusted local tools