A catalog, not a vault · local-first · macOS

Know where every
API key lives.

Watchknot maps every key across every project, .env, and deployment — then flags the ones that are exposed or quietly running up a bill. The secret values never leave your machine.

$ npx watchknot scan ~/Documents

No cloud upload. Your keys stay in macOS Keychain, opt-in.

Watchknot is a catalog, not a vault. It inventories where your keys live — it never stores the secret value. The one place a raw key is ever read is a short-lived scanner that emits a fingerprint and dies.

Built to end key sprawl

Catalog, not vault

Every credential mapped to every project, .env, and deployed surface — without ever holding the secret value.

Exposure radar

Flags keys hardcoded in source, committed to git, or shipped in a public bundle — before they leak.

Cost guard

Surfaces uncapped, metered keys — Maps, model APIs, and more — so a leak or a runaway loop can't quietly run up a bill.

Rotation calendar

Tracks rotation due-dates and lifecycle so nothing goes stale — with one-click re-verify after you rotate.

Scan · See · Secure

01 · Scan

Point Watchknot at your projects. An isolated scanner reads your .env files and source and emits only fingerprints — prefix, last four, length — never the raw secret.

02 · See

A local dashboard maps every credential to every place it's used, with exposure, cost, and rotation status at a glance.

03 · Secure

Rotate, cap, and clean up with a clear before/after. Store full values in macOS Keychain behind Touch ID — only if you opt in.
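To make the "fingerprints out, secrets never" idea concrete, here is an added example in Python. It is not Watchknot's code; it is a small stand-in for the Scan step: parse .env contents, keep only a fingerprint (prefix, last four, length) for variables that look like credentials, and group identical fingerprints across projects so the same key can be spotted in several places without the raw value ever being stored. The 4-character prefix, the 16-character minimum length before any characters are revealed, the KEY/TOKEN/SECRET/PASSWORD name heuristic, and the sample values are all assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample credentials; not real keys, chosen so lengths are easy to check.
FAKE_OPENAI = "sk-test-" + "0" * 20 + "abcd"    # 32 chars
FAKE_MAPS = "AIza-fake-" + "0" * 18 + "wxyz"    # 32 chars

# Constructed .env contents for two hypothetical projects that share one key.
SAMPLE_FILES = {
    "proj-a/.env": f"""# constructed sample, not real credentials
OPENAI_API_KEY={FAKE_OPENAI}
GOOGLE_MAPS_KEY="{FAKE_MAPS}"
DEBUG=true
""",
    "proj-b/.env": f"""export OPENAI_API_KEY='{FAKE_OPENAI}'
STRIPE_SECRET_KEY=sk_test_short
""",
}

# Assumed heuristics (not Watchknot's): which variable names count as credentials,
# how many leading characters a fingerprint reveals, and the minimum value length
# below which revealing prefix + last four would expose most of the secret.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.IGNORECASE)
PREFIX_LEN = 4
MIN_REVEAL_LEN = 16

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


@dataclass(frozen=True)
class Fingerprint:
    """What the catalog keeps: enough to recognise a key, never enough to use it."""
    prefix: str
    last4: str
    length: int


def fingerprint(value: str) -> Fingerprint:
    """Reduce a secret to prefix/last-four/length; short values reveal only length."""
    n = len(value)
    if n < MIN_REVEAL_LEN:
        return Fingerprint(prefix="", last4="", length=n)
    return Fingerprint(prefix=value[:PREFIX_LEN], last4=value[-4:], length=n)


def parse_env(text: str):
    """Yield (name, value) for KEY=value lines; skips comments/blanks, strips quotes."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield name, value


def scan_file(path: str, text: str):
    """Return (path, name, fingerprint) records; the raw value is dropped here."""
    records = []
    for name, value in parse_env(text):
        if SECRET_NAME.search(name):
            records.append((path, name, fingerprint(value)))
    return records


def build_catalog(files: dict) -> dict:
    """Group every credential-looking variable by fingerprint across all files."""
    catalog = defaultdict(list)
    for path, text in files.items():
        for file_path, name, fp in scan_file(path, text):
            catalog[fp].append((file_path, name))
    return dict(catalog)


if __name__ == "__main__":
    for fp, places in build_catalog(SAMPLE_FILES).items():
        shown = f"{fp.prefix}…{fp.last4}" if fp.prefix else "(masked)"
        print(f"{shown:>14} len={fp.length:<3} used in: {places}")
```

Running the block prints one line per distinct fingerprint. The shared fake OpenAI key shows up once with two locations, the short Stripe value is reported with its length only, and DEBUG never enters the catalog because its name does not match the credential heuristic. Nothing outside `scan_file` ever sees a raw value, which is the property the Scan step describes.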

Works where you already work

Run it from your terminal, or wire the scanner into Claude Code and Cursor as an MCP server. Same engine, same guarantee: fingerprints out, secrets never.

$ npx watchknot scan .
$ claude mcp add watchknot -- npx -y watchknot mcp

Stop guessing where your keys are.

Watchknot is in early access for solo builders shipping across a lot of projects.

Get early access