Phantom

AI uses your keys. Safely.

AI coding agents read your .env files, putting API keys into LLM context windows where they leak via prompt injection, session logs, malicious MCP servers, or training data. GitGuardian reports AI-assisted commits leak secrets at 2x the baseline rate.

Phantom replaces real secrets with inert tokens. A local proxy swaps them back at the network layer. The AI never sees a real key.

Quick Start

$ npx phantom-secrets init
# Auto-detects .env, .env.local, or .env in subdirectories
# Stores real secrets in OS keychain, rewrites .env with phantom tokens
# Auto-configures Claude Code MCP server if detected

$ phantom exec -- claude
# Proxy running on 127.0.0.1:54321 — AI sees phantom tokens, proxy injects real keys

How It Works

  .env file (safe to leak)          OS Keychain / Vault
  +--------------------------+      +---------------------+
  | OPENAI_API_KEY=phm_a7f3  | ---> | sk-real-secret-key  |
  | STRIPE_KEY=phm_c9d1...   |      | sk_live_real-key... |
  +--------------------------+      +---------------------+
           |                                 |
           v                                 v
  AI Agent (Claude, Cursor)         Phantom Proxy (127.0.0.1)
  +--------------------------+      +------------------------------+
  | Reads .env               |      | Intercepts HTTP requests     |
  | Sees only phm_ tokens    | ---> | Replaces phm_ with real keys |
  | Makes API calls to proxy |      | Forwards over TLS to real API|
  +--------------------------+      +------------------------------+

phantom init reads .env, stores real secrets in the OS keychain, rewrites .env with phm_ tokens
phantom exec -- claude starts a local reverse proxy, sets OPENAI_BASE_URL=http://127.0.0.1:PORT/openai (and equivalents for other services)
API calls hit the proxy, which replaces phantom tokens with real secrets and forwards over TLS
When the session ends, the proxy shuts down. Phantom tokens are worthless outside the proxy.

MCP Integration (Claude Code, Cursor, Windsurf, Codex)

Phantom ships an MCP server so AI coding tools can manage secrets directly -- without ever seeing real values. 17 tools available: list, status, init, add, remove, rotate, copy, cloud push, cloud pull, cloud status.

Claude Code

$ claude mcp add phantom-secrets-mcp -- npx phantom-secrets-mcp

Cursor

Add to Cursor Settings > Features > MCP Servers:

Name: phantom
Command: npx phantom-secrets-mcp

Windsurf

Add to ~/.codeium/windsurf/mcp_config.json:

{"phantom": {"command": "npx", "args": ["phantom-secrets-mcp"]}}

Codex / Other MCP Clients

Add to your MCP configuration:

{"phantom": {"command": "npx", "args": ["phantom-secrets-mcp"]}}

Phantom works with any tool that supports the Model Context Protocol.

Cloud Sync

Sync vaults across machines with end-to-end encryption. The server never sees plaintext.

$ phantom login
# Opens GitHub OAuth (device code flow)

$ phantom cloud push
# Encrypted client-side, uploaded to phm.dev

$ phantom cloud pull   # on another machine
# Downloaded and decrypted locally

Cloud sync uses ChaCha20-Poly1305 with a client-side passphrase derived via Argon2id. The server stores only ciphertext.

Command Reference

Command	Description
`phantom init`	Import `.env` secrets into vault, rewrite with phantom tokens
`phantom exec -- <cmd>`	Start proxy and run a command with secret injection
`phantom start` / `stop`	Manage proxy lifecycle (standalone/daemon mode)
`phantom list`	Show secret names stored in vault (never values)
`phantom add <KEY> <VAL>`	Add a secret to the vault
`phantom remove <KEY>`	Remove a secret from the vault
`phantom reveal <KEY>`	Print a secret value (or `--clipboard` to copy)
`phantom status`	Show proxy state, vault info, and mapped services
`phantom rotate`	Regenerate all phantom tokens (old ones become invalid)
`phantom doctor`	Check configuration and vault health (`--fix` to auto-repair)
`phantom check`	Scan for unprotected secrets (pre-commit hook, `--staged`, `--runtime`)
`phantom sync`	Push secrets to Vercel / Railway
`phantom pull`	Pull secrets from Vercel / Railway into vault
`phantom setup`	Configure Claude Code MCP server + hooks
`phantom env`	Generate `.env.example` for team onboarding
`phantom export`	Export vault to encrypted backup file
`phantom import`	Import vault from encrypted backup
`phantom login`	Authenticate with Phantom Cloud via GitHub OAuth
`phantom logout`	Clear cloud credentials
`phantom cloud push`	Push encrypted vault to Phantom Cloud
`phantom cloud pull`	Pull and decrypt vault from Phantom Cloud
`phantom wrap`	Wrap package.json scripts with `phantom exec` automatically
`phantom unwrap`	Restore original package.json scripts
`phantom watch`	Watch .env files and auto-detect new unprotected secrets
`phantom why <KEY>`	Explain why a key is or is not protected
`phantom copy <KEY>`	Copy a secret to another project's vault
`phantom team list/create/members/invite`	Team vault management

Features

Encrypted vault -- OS keychain (macOS Keychain / Secure Enclave, Linux Secret Service) with encrypted file fallback for CI/Docker
Session-scoped tokens -- 256-bit CSPRNG phantom tokens with phm_ prefix, rotatable on demand
Streaming proxy -- Full SSE/streaming support for OpenAI, Anthropic, and other streaming APIs
Smart detection -- Heuristic engine distinguishes secrets (*_KEY, *_TOKEN, sk-*, ghp_*) from config (NODE_ENV, PORT)
Platform sync -- Push/pull secrets to Vercel and Railway
Pre-commit hook -- Blocks commits containing unprotected secrets
MCP server -- 17 tools for Claude Code, Cursor, Windsurf, and Codex to manage secrets without seeing values
Cloud sync -- E2E encrypted zero-knowledge vault sync across machines
Export/import -- Encrypted backup and restore with passphrase protection
Response scrubbing -- Prevents secrets from leaking in API responses back to the AI
Script wrapping -- phantom wrap patches package.json so every npm script runs through the proxy
Watch mode -- phantom watch monitors .env files for new unprotected secrets
Secret explainer -- phantom why <KEY> explains detection heuristics
Cross-project copy -- phantom copy shares secrets between project vaults
Team vaults -- Shared vaults with role-based access control
Built-in service routing -- OpenAI, Anthropic, Stripe, Supabase, and custom services via .phantom.toml

Installation

npm (recommended)

$ npm install -g phantom-secrets

Or use directly with npx:

$ npx phantom-secrets init

Claude Code MCP

$ claude mcp add phantom-secrets-mcp -- npx phantom-secrets-mcp

Cargo

$ cargo install phantom

Architecture

5-crate Rust workspace + Next.js cloud backend:

Crate	Role
`phantom-core`	Config (`.phantom.toml`), `.env` parsing/rewriting, token generation, auth, cloud client
`phantom-vault`	`VaultBackend` trait: OS keychain + encrypted file fallback, ChaCha20-Poly1305 crypto
`phantom-proxy`	HTTP reverse proxy on 127.0.0.1 with SSE/streaming, token replacement, TLS forwarding
`phantom-cli`	`clap`-based CLI binary, 27 commands
`phantom-mcp`	MCP server binary (`rmcp` SDK), stdio transport, 17 tools

apps/web -- Next.js backend at phm.dev for cloud vault sync, GitHub OAuth, and Stripe billing.

npm packages: phantom-secrets (CLI), phantom-secrets-mcp (MCP server).

69 tests across all crates, zero clippy warnings.

Security

Secrets never on disk in your project directory -- real values live only in the OS keychain or encrypted vault
ChaCha20-Poly1305 encryption for file vault and cloud sync, Argon2id key derivation
Zero-knowledge cloud -- server stores only ciphertext; encryption key never leaves the client
256-bit CSPRNG tokens -- phm_ prefix ensures they never collide with real API key formats
Proxy binds 127.0.0.1 only -- never exposed to the network
Secrets zeroized from memory after injection via the zeroize crate
Allowlist model -- proxy only injects secrets for explicitly configured service patterns

See SECURITY.md for the full threat model.

Pricing

	Free	Pro	Enterprise
Local vaults	Unlimited	Unlimited	Unlimited
Cloud vaults	1	Unlimited	Unlimited
MCP server	Yes	Yes	Yes
Cloud sync	Yes	Yes	Yes
Team features	--	--	Yes
Price	$0	$8/mo	Contact us

License

MIT -- see LICENSE

phantom-secrets