Support
We answer email, usually within two business days.
Need a hand, found a bug, or have a feature request? Email support@jybrd.io — a real person reads it. Because Rook stores nothing on a server, please include your macOS version and a description of what you saw (never paste actual secret values).
System requirements
- macOS 26 or later.
- A Mac with Touch ID is recommended (for unlock), but not required.
Frequently asked
Where is my data stored?
On your Mac, only. Your vault is an AES-GCM–encrypted file in the app's container; the key lives in the macOS Keychain, this-device-only. Nothing is uploaded or synced.
Is there a master password to reset?
No. There's no account and no password to forget — Rook unlocks with Touch ID, and the encryption key is bound to your Mac's Keychain. The flip side: if you lose your Mac (or erase its Keychain) with no backup, the vault cannot be decrypted by anyone, including us. Keep an encrypted backup.
How do I move my vault to a new Mac?
In the app, use Backup → Export to write a passphrase-encrypted file, copy it to the new Mac, and use Backup → Import. Your secrets are protected by the passphrase in transit — choose a strong one, because it can't be recovered.
What's the difference between the two editions?
The Mac App Store edition is the sandboxed, GUI-only app. The
direct (Developer ID) edition adds a vault command line and an
MCP server so an MCP-compatible AI agent — Claude Code, Cursor, VS Code, Codex, Gemini, and
others — can use your secrets without printing them into a transcript. The two keep separate
vaults; move data between them with backup export/import.
Can an AI agent really read my secrets?
Only in the direct edition, and only by your design. It's injection-first: prefer
vault run, which hands secrets to a subprocess as environment variables and keeps the
values out of the model's context entirely. vault get is the explicit "I need to see
the value" escape hatch.