Local-first secrets for developer workspaces

Authsia keeps secrets in your Mac vault and lets terminal tools, SSH, and coding agents request scoped access only when they need it.

brew install --cask jamesliang-cs/authsia/authsia

No cloud broker

Secrets stay local and Keychain-backed.

Agent-aware

JIT grants with visible approval.

Workspace-first

Commit-safe refs for project env.

guarded workspace

$ authsia workspace init

Detected .env keys. Wrote commit-safe refs.

$ eval "$(authsia workspace guard --print-env)"

npm, docker, aws, kubectl now run through Authsia shims.

$ authsia workspace run -- npm test

Touch ID approval requested for API_KEY.

Access Center

Codex can use Project/API for 15 minutes. Revoke anytime.

The daily developer flow

Authsia is built around the moments where secrets usually leak: env files, terminal sessions, agent tools, and SSH keys.

1. Set up a workspace

Turn local secrets into commit-safe refs

Authsia scans selected env files, stores chosen secrets in your vault, and leaves `authsia://` references in repo-local config.

authsia workspace init
authsia workspace status

2. Run guarded commands

Keep secrets out of the parent shell

Use explicit `workspace run` commands, or guarded-terminal shims for common developer tools when you want ordinary commands to route through Authsia.

eval "$(authsia workspace guard --print-env)"
authsia workspace run -- npm start

3. Approve only when needed

JIT access for agents and tools

Access Center shows who is asking, what scope they want, and how long the grant lasts. Deny or revoke without changing project files.

authsia access create --name codex --ttl 15m --allow exec
authsia audit list
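A pre-commit style check for the commit-safe refs from step 1, added here as an example and not part of Authsia. It assumes the repo-local config is dotenv-style `KEY=value` lines and treats any non-empty value that does not start with `authsia://` as leftover plaintext; the function name `check_env_refs` is hypothetical.

```shell
#!/bin/sh
# Added example, not Authsia code.
# Assumption: the file holds dotenv-style KEY=value lines. Whatever follows
# "authsia://" is treated as opaque, since the page does not define its shape.

# Prints the names (never the values) of keys that still hold a literal value.
# Returns 0 when every non-empty value is an authsia:// reference, 1 otherwise.
check_env_refs() {
    file=$1
    bad=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }              # tolerate "export KEY=value"
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            *=*) ;;                       # assignment, inspected below
            *) continue ;;                # anything else is not a key/value pair
        esac
        key=${line%%=*}
        val=${line#*=}
        # Drop one layer of surrounding quotes before inspecting the value.
        case $val in
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        case $val in
            ''|authsia://*) ;;            # empty or a reference: safe to commit
            *) printf '%s\n' "$key"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Typical use from a hook script:
#   check_env_refs .env || { echo "plaintext values found" >&2; exit 1; }
```

Only key names are printed, so the hook's own output does not copy a secret into terminal scrollback or CI logs.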

What ships today

A focused local secret broker for macOS development, plus a vault for the credentials you already manage.

Workspace env refs

Project config stores references, not plaintext secrets.

Guarded terminal

PATH shims route tools through Authsia when secrets are needed.

Agent JIT approvals

Scoped, time-boxed grants for local coding agents and automation.

SSH signing and keys

Keep keys in the vault while Git and SSH use Authsia's local agent.

Local audit trail

Review sensitive CLI operations without sending telemetry away.

Vault and 2FA

Passwords, notes, certificates, SSH keys, and OTP codes in one app.

Install once, then keep your agent workflow boring

Use Homebrew for the app and CLI. Launch Authsia once, enable CLI Access, then let workspace commands carry the security boundary.

# app + CLI
brew install --cask jamesliang-cs/authsia/authsia

# first terminal check
authsia status
authsia workspace init
authsia workspace run -- npm test