Quick Start

Get keyzero running locally in under 5 minutes

$ npm i -g @keyzero/cli

added 1 package in 3s

$ kz init

created .keyzero.toml

Next steps:

kz add — add a secret mapping

kz put --missing — fill in secret values

kz run -- <cmd> — run with secrets injected

$ kz import --file .env --resolver keychain

✓ Imported 3 secrets from .env to .keyzero.toml

Run 'kz put --missing' to set secret values in your resolver.

$ kz list

NAME RESOLVER REF

DATABASE_URL keychain myapp-db-url

API_KEY keychain myapp-api-key

STRIPE_SECRET keychain myapp-stripe

$ kz put --missing

DATABASE_URL (keychain/myapp-db-url): ********

API_KEY (keychain/myapp-api-key): ********

STRIPE_SECRET (keychain/myapp-stripe): ********

✓ 3 secrets written

$ kz run -- npm start

> myapp@1.0.0 start

> node server.js

Server listening on :3000

What just happened?

Your .keyzero.toml maps environment variable names to secret providers:

[secrets]
DATABASE_URL = { provider = "keychain", ref = "myapp-db-url" }
API_KEY      = { provider = "keychain", ref = "myapp-api-key" }

When you run kz run, keyzero reads this config, resolves each secret from the configured provider, and injects them into the subprocess environment.

Blind mode (for AI agents)

kz run --blind -- node agent.js

In blind mode, the subprocess sees masked tokens instead of real secrets. A local MITM proxy swaps the tokens for real values on outgoing requests -- the subprocess never sees the raw credentials.

Next Steps

Core Concepts -- understand how keyzero works
kz CLI -- detailed CLI documentation
Secret Backends -- connect to Vault, AWS, 1Password, and more