Catalog, not vault
Every credential mapped to every project, .env, and deployed surface — without ever holding the secret value.
Watchknot maps every key across every project, .env, and deployment — then flags the ones that are exposed or quietly running up a bill.
The secret values never leave your machine.
No cloud upload. Your keys stay in macOS Keychain, opt-in.
Watchknot is a catalog, not a vault. It inventories where your keys live — it never stores the secret value. The one place a raw key is ever read is a short-lived scanner that emits a fingerprint and dies.
Flags keys hardcoded in source, committed to git, or shipped in a public bundle — before they leak.
Surfaces uncapped, metered keys — Maps, model APIs, and more — so a leak or a runaway loop can't quietly run up a bill.
Tracks rotation due dates and lifecycle so nothing goes stale — with one-click re-verify after you rotate.
Point Watchknot at your projects. An isolated scanner reads your .env files and source and emits only fingerprints — prefix, last four, length — never the raw secret.
A local dashboard maps every credential to every place it's used, with exposure, cost, and rotation status at a glance.
Rotate, cap, and clean up with a clear before/after. Store full values in macOS Keychain behind Touch ID — only if you opt in.
Run it from your terminal, or wire the scanner into Claude Code and Cursor as an MCP server. Same engine, same guarantee: fingerprints out, secrets never.
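The fingerprint-only scan described above, as an added example that is not Watchknot's own code: it parses a .env file, emits prefix, last four and length per key, and keeps the raw value out of the result. The prefix length, the half-of-the-value cap for short secrets, and the sample .env contents are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, asdict

PREFIX_LEN = 4   # assumed policy: a few leading chars identify the key family
SUFFIX_LEN = 4   # "last four", as the page describes

# KEY=VALUE with an optional leading "export "; trailing whitespace is dropped.
_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

@dataclass(frozen=True)
class Fingerprint:
    name: str     # variable name, e.g. OPENAI_API_KEY
    path: str     # where the value lives: the catalog entry
    prefix: str   # leading characters (may be shorter for short secrets)
    last4: str    # trailing characters (may be shorter for short secrets)
    length: int   # full length of the secret

def _unquote(raw: str) -> str:
    """Strip one pair of matching quotes, or an inline comment on unquoted values."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw.split(" #", 1)[0].rstrip()

def fingerprint_value(name: str, path: str, value: str) -> Fingerprint:
    """Reduce a secret to metadata; at most half of it is ever revealed (assumed cap)."""
    n = len(value)
    budget = n // 2
    suffix = min(SUFFIX_LEN, budget)
    prefix = min(PREFIX_LEN, budget - suffix)
    return Fingerprint(name, path, value[:prefix], value[n - suffix:], n)

def scan_dotenv(text: str, path: str) -> list[Fingerprint]:
    """One fingerprint per assignment; the raw value is a local and is not retained."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m and (value := _unquote(m.group(2))):
            found.append(fingerprint_value(m.group(1), path, value))
    return found

# Constructed sample .env; none of these are real credentials.
SAMPLE_ENV = """# constructed sample
export OPENAI_API_KEY="sk-EXAMPLE0000ab12cd34ef56"
MAPS_KEY=mk_live_FAKE0000EXAMPLE   # inline comment
SHORT_TOKEN=abcdef
EMPTY=
"""
```

Running `scan_dotenv(SAMPLE_ENV, ".env")` yields three fingerprints (the empty assignment is skipped); for the six-character token only "def" is emitted, since prefix plus suffix would otherwise reconstruct the whole value.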
Watchknot is in early access for solo builders shipping across a lot of projects.