Introduction

What keyzero is, how it works, and what you can do with it

keyzero is a secret resolver and policy engine. It sits between your workloads and your secret backends, resolving credentials at runtime so nothing is stored on disk or exposed in environment files.

The core idea: secrets should be earned, not given. Instead of scattering API keys in .env files or passing them as environment variables, keyzero resolves secrets from any vault at runtime.

How It Works

The CLI binary is kz. For individual developers:

kz init                    # create .keyzero.toml
kz add                     # add secret mappings interactively
kz put --missing           # store values in your provider
kz run -- npm start        # run with secrets injected
kz run --blind -- agent.js # AI-safe: masked tokens + MITM proxy

For teams, kz server start runs a policy decision point (PDP) server with JWT identity, CEL policies, and audit logging.

The Pipeline (Team Mode)

When running as a server (kz server start --bundle <path>), every request flows through three stages:

JWT --> Policy --> Resolve
  1. JWT Verification -- validate the caller's identity (signature, issuer, expiration) and normalize claims into standard identity fields (org, service, env, action, branch, actor, groups) via built-in issuer profiles
  2. Policy Evaluation -- evaluate CEL rules top-down using normalized identity fields, first match wins
  3. Secret Resolution -- if allowed, fetch secrets from the configured backend

If any stage fails, the request is denied. Secrets are only fetched after policy allows it.
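As an added illustration of the three stages (example code, not keyzero's own implementation): a minimal PDP that verifies an HS256 JWT, normalizes claims through an issuer profile, evaluates ordered rules first-match-wins with deny as the default, and reads the backend only after an explicit allow. The signing key, issuer, claim names, rules and in-memory backend are all constructed for the demo, and Python predicates stand in for CEL expressions.

```python
import base64, hashlib, hmac, json
# Constructed demo values (not keyzero's): an HS256 key standing in for the issuer's
# signing key, and an in-memory dict standing in for the secret backend.
SIGNING_KEY = b"demo-signing-key"
ISSUER = "https://ci.example"
BACKEND = {"prod/db_password": "s3cr3t", "dev/db_password": "devpass"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Test helper standing in for the identity provider: sign claims as HS256."""
    signing_input = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, now: float) -> dict:
    """Stage 1: signature, issuer and expiry must all check out, otherwise deny."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise PermissionError("wrong issuer or expired")
    return claims

def normalize(claims: dict) -> dict:
    """Issuer profile: map a hypothetical CI issuer's claim names onto the standard fields."""
    return {"org": claims.get("org"), "service": claims.get("sub"), "env": claims.get("deploy_env"),
            "action": claims.get("act", "read"), "branch": claims.get("ref"),
            "actor": claims.get("actor"), "groups": claims.get("groups", [])}

# Stage 2: rules evaluated top-down, first match wins, deny when nothing matches.
# Python predicates stand in for CEL expressions in this example.
POLICY = [
    (lambda i, s: i["env"] == "prod" and i["branch"] != "main", "deny"),
    (lambda i, s: s.startswith(f"{i['env']}/") and "deployers" in i["groups"], "allow"),
]

def decide(identity: dict, secret: str) -> str:
    return next((effect for rule, effect in POLICY if rule(identity, secret)), "deny")

def resolve(token: str, secret: str, now: float):
    """JWT -> Policy -> Resolve: the backend is only read after an explicit allow."""
    try:
        identity = normalize(verify_jwt(token, now))
    except (PermissionError, ValueError):
        return None  # any failed stage denies the request
    return BACKEND.get(secret) if decide(identity, secret) == "allow" else None
```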

Supported Providers

Provider    Backend                                       Write
keychain    macOS Keychain / Linux Secret Service         Yes
1password   1Password CLI                                 Yes
aws         AWS Secrets Manager (sm://) + SSM (ssm://)    Yes
hashicorp   HashiCorp Vault                               Yes
gcp         GCP Secret Manager                            No
age         Age-encrypted files                           No
env         Environment variables                         No
keyzero     KeyZero server                                No

Next Steps