Turn local secrets into commit-safe refs
Authsia keeps secrets in your Mac vault and lets terminal tools, SSH, and coding agents request scoped access only when they need it.
```bash
brew install --cask jamesliang-cs/authsia/authsia
```
No cloud broker
Secrets stay local and Keychain-backed.
Agent-aware
JIT grants with visible approval.
Workspace-first
Commit-safe refs for project env.
```
$ authsia workspace init
Detected .env keys. Wrote commit-safe refs.
$ eval "$(authsia workspace guard --print-env)"
npm, docker, aws, kubectl now run through Authsia shims.
$ authsia workspace run -- npm test
Touch ID approval requested for API_KEY.
```
Access Center
Codex can use Project/API for 15 minutes. Revoke anytime.
Authsia is built around the moments where secrets usually leak: env files, terminal sessions, agent tools, and SSH keys.
1. Set up a workspace
Authsia scans selected env files, stores chosen secrets in your vault, and leaves `authsia://` references in repo-local config.
```bash
authsia workspace init
authsia workspace status
```
2. Run guarded commands
Use explicit `workspace run` commands, or guarded-terminal shims for common developer tools when you want ordinary commands to route through Authsia.
```bash
eval "$(authsia workspace guard --print-env)"
authsia workspace run -- npm start
```
3. Approve only when needed
Access Center shows who is asking, what scope they want, and how long the grant lasts. Deny or revoke without changing project files.
```bash
authsia access create --name codex --ttl 15m --allow exec
authsia audit list
```
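A check that complements step 1, as an added example that is not part of Authsia or of this page: it scans dotenv-style text and reports keys whose values are still plaintext rather than `authsia://` references, without ever printing the values. The `KEY=authsia://...` layout, the sample reference names and the allowlist of non-secret keys are assumptions, since the page names only the scheme.

```python
import re
import sys

REF_SCHEME = "authsia://"  # scheme named on the page; the rest of a ref is opaque here
# KEY=VALUE with an optional "export " prefix (assumed dotenv-style layout)
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample input; none of these values are real credentials or real refs.
SAMPLE_ENV = """\
# local development settings
NODE_ENV=development
API_KEY=authsia://example-ref
export DB_PASSWORD="not-a-real-password"   # still plaintext
STRIPE_KEY='authsia://example-ref-2' # quoted reference
EMPTY=
PORT=3000
"""

def _value(raw):
    """Strip quotes, or a trailing inline comment on an unquoted value."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return re.split(r"\s+#", raw, maxsplit=1)[0].strip()

def find_plaintext(env_text, allow=()):
    """Return [(line_no, key)] for non-empty values that are not references.

    Only key names are reported so the scan never echoes a secret.
    """
    findings = []
    for line_no, line in enumerate(env_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), _value(match.group(2))
        if value and key not in allow and not value.startswith(REF_SCHEME):
            findings.append((line_no, key))
    return findings

if __name__ == "__main__":
    # Usage: python check_refs.py .env .env.local  (exit 1 if plaintext remains)
    texts = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    texts = texts or [("<sample>", SAMPLE_ENV)]
    hits = [(p, n, k) for p, t in texts for n, k in find_plaintext(t, {"NODE_ENV", "PORT"})]
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: {key} is not an {REF_SCHEME} reference")
    sys.exit(1 if hits else 0)
```

Run as a pre-commit step, a non-zero exit blocks the commit until the flagged keys are moved into the vault or added to the allowlist.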
A focused local secret broker for macOS development, plus a vault for the credentials you already manage.
Project config stores references, not plaintext secrets.
PATH shims route tools through Authsia when secrets are needed.
Scoped, time-boxed grants for local coding agents and automation.
Keep keys in the vault while Git and SSH use Authsia's local agent.
Review sensitive CLI operations without sending telemetry away.
Passwords, notes, certificates, SSH keys, and OTP codes in one app.
Use Homebrew for the app and CLI. Launch Authsia once, enable CLI Access, then let workspace commands carry the security boundary.
```bash
# app + CLI
brew install --cask jamesliang-cs/authsia/authsia
# first terminal check
authsia status
authsia workspace init
authsia workspace run -- npm test
```