Secure, plugin-based API credential management for AI assistants.
A personal vault that stores API credentials encrypted at rest, decrypts them just-in-time during sessions, and cleans up automatically when done. Designed for individual developers using AI assistants locally — not an enterprise secrets manager.
1. Install age (required system dependency):
brew install age # macOS
sudo dnf install age # Fedora2. Install nakimi:
pip install git+https://github.com/apitanga/nakimi.git3. Initialize your vault:
nakimi init
# Creates ~/.nakimi/key.txt (private) and key.txt.pub
# Back up your private key offline — losing it = losing access to all secrets4. Add credentials and use:
# Set up Gmail (see the full guide in the docs)
# Then:
nakimi gmail.unread
nakimi gmail.search "from:boss"
nakimi session # interactive session, same commands work insideSee the Installation Guide and Gmail Setup for the full walkthrough.
| Plugin | Status | Description |
|---|---|---|
| gmail | ✅ Ready | Read, search, and send emails |
| calendar | 🚧 Planned | Google Calendar integration |
| github | 🚧 Planned | GitHub API integration |
Plugins auto-load when you add credentials for them. Adding a new service is just a directory and a class — see the Plugin Development Guide.
- Encryption via age — modern, auditable, simple
- Optional YubiKey PIV support for hardware-backed keys
- Decrypted secrets go to
/dev/shm(RAM) when available, fall back to/tmpwithchmod 600+shredcleanup - Each session gets its own temp file; cleaned up on exit
Full threat model and details: Security Documentation.
- Plugin architecture
- Gmail plugin
- Google Calendar plugin
- GitHub plugin
- Custom HTTP API plugin
- MCP server mode
Contributions welcome. The plugin architecture makes it straightforward to add new services. See the Development docs for architecture, testing, and plugin guides.
MIT — see LICENSE.