Janee

Janee is an AI agent key management tool based on the MCP protocol. It securely stores and injects API keys as an intermediary, enabling agents to call services without touching the original keys. It also provides complete audit logs, access policy control, and session management functions.

Security Developer tools #Key management #AI agent security #Audit log #Access control .TypeScript

rating : 2.5 points

downloads : 6.4K

update time : 2026-03-13

Open Site

What is Janee?

Janee is a key management solution specifically designed for AI agents. It addresses the security issue where AI agents need to access APIs but should not directly access sensitive API keys. Janee runs locally, encrypts and stores your API keys, and provides a secure API access channel to AI agents through the MCP protocol.

How to use Janee?

Using Janee is very simple: 1) Install Janee and initialize the configuration; 2) Add your API services (such as Stripe, GitHub, etc.); 3) Start the Janee MCP server; 4) Configure your AI agent to connect to Janee. After that, your agent can securely call APIs through Janee without directly handling the keys.

Use cases

Janee is particularly suitable for the following scenarios: - When using AI development tools such as Claude Desktop, Cursor, OpenClaw, etc. - When you need to let AI agents access sensitive APIs (payment, database, email, etc.) - When you need to audit the API call records of AI agents - When sharing API access among multiple devices or agents - When running CLI tools that require environment variable injection.

Main features

Zero-knowledge proxy

AI agents can call APIs through Janee but will never see the actual API keys. All keys are encrypted and stored locally, and only the Janee server can access them.

Complete audit trail

Records the timestamp, method, path, and status of each API request, providing a complete operation history for easy monitoring and troubleshooting.

Request policy control

Set allow/deny rules for each capability. For example, you can create read-only Stripe access permissions to restrict agents to perform specific operations.

Session validity management

Set the validity period of access tokens and support immediate revocation of access permissions to ensure the security of temporary access.

MCP client compatibility

Supports all MCP clients, including Claude Desktop, Cursor, OpenClaw, etc., without the need for separate configuration for different tools.

Local-first design

All keys are encrypted and stored on your machine and will never be sent to the cloud, ensuring the highest level of data security.

Execution mode

Supports running CLI tools that require environment variable injection. Agents can execute commands without seeing the actual credentials.

GitHub app authentication

Provides short-term tokens for autonomous agents without using static personal access tokens, improving the security of GitHub operations.

Automatic Git authentication

When the credentials contain a GitHub token, operations such as git push/pull work automatically without additional configuration.

Advantages

🔒 Enhanced security: AI agents will never directly access your API keys.

📊 Complete visibility: All API calls are logged in detail.

⚡ One configuration, multiple uses: Configure once and use in all MCP clients.

🛡️ Fine-grained control: Set access permissions by service and operation.

🔧 Easy integration: Seamlessly integrate with existing AI development tools.

🏠 Data sovereignty: All data is stored locally without relying on cloud services.

Limitations

📚 Learning curve: Requires understanding of the MCP protocol and basic configuration concepts.

🔌 Dependence on MCP: Only applicable to AI tools that support the MCP protocol.

💻 Local operation: Requires installation and configuration on each device.

⚙️ Initial setup: Adding multiple API services requires a certain amount of configuration time.

How to use

Install Janee

Install the Janee package globally via npm.

Initialize the configuration

Create an initial configuration file containing sample service configurations.

Add API services

Add the API services you need to manage, such as Stripe, GitHub, etc.

Start the MCP server

Start the Janee server and start accepting connections from AI agents.

Configure the AI agent

Configure the MCP connection in your AI tool to point to the Janee server.

Usage examples

Let AI agents securely access the Stripe API

You need to let an AI agent check the Stripe account balance but don't want to directly provide the API key. Through Janee, you can create a read-only Stripe access capability.

Publish a tweet via a CLI tool

You want an AI agent to use the Twitter CLI tool to publish a tweet but don't want to expose the Twitter API key.

Let multiple AI tools share GitHub access

You use AI agents in both Claude Desktop and Cursor, and both need to access the GitHub API.

Frequently Asked Questions

What is the difference between Janee and directly configuring API keys in an AI tool?

Which AI tools does Janee support?

Where are my API keys stored? Is it secure?

How do I revoke an AI agent's access permission?

Will Janee affect API call performance?

Can I use Janee on multiple machines?

Which types of API authentication does Janee support?

How can I view the API usage of an AI agent?

Related resources

Official GitHub repository

Janee's source code, issue tracking, and contribution guidelines

npm package page

Janee's npm package information and installation instructions

Model Context Protocol official website

Official documentation and specifications of the MCP protocol

OpenClaw integration guide

Detailed guide on how to integrate Janee in OpenClaw

Cursor configuration guide

Step - by - step instructions for configuring Janee in Cursor AI

🚀 Janee 🔐

Secrets management for AI agents via MCP. Janee provides a secure way to manage API access for AI agents, ensuring that agents can use APIs without exposing raw API keys.

✨ Features

Property	Details
🔒 Zero-knowledge agents	Agents call APIs without ever seeing keys
📋 Full audit trail	Every request logged with timestamp, method, path, status
🛡️ Request policies	Allow/deny rules per capability (e.g., read-only Stripe)
⏱️ Session TTLs	Time-limited access with instant revocation
🔌 Works with any MCP client	Claude Desktop, Cursor, OpenClaw, and more
🏠 Local-first	Keys encrypted on your machine, never sent to a cloud
🖥️ Exec mode	Run CLI tools with injected credentials — agents never see the keys
🤖 GitHub App auth	Short-lived tokens for autonomous agents — no static PATs
🔧 Automatic git auth	`git push/pull` just works when credentials include GitHub tokens

🚀 Quick Start

Install

npm install -g @true-and-useful/janee

Initialize

janee init

This creates ~/.janee/config.yaml with example services.

Add Services

Option 1: Interactive (recommended for first-time users)

janee add

Janee will guide you through adding a service:

Service name: stripe
Base URL: https://api.stripe.com
Auth type: bearer
API key: sk_live_xxx

✓ Added service "stripe"

Create a capability for this service? (Y/n): y
Capability name (default: stripe): 
TTL (e.g., 1h, 30m): 1h
Auto-approve? (Y/n): y

✓ Added capability "stripe"

Done! Run 'janee serve' to start.

Using an AI agent? See Non-interactive Setup for flags that skip prompts, or the agent-specific guides below.

Option 2: Edit config directly Edit ~/.janee/config.yaml:

services:
  stripe:
    baseUrl: https://api.stripe.com
    auth:
      type: bearer
      key: sk_live_xxx

capabilities:
  stripe:
    service: stripe
    ttl: 1h
    autoApprove: true

Add CLI tools (exec mode)

Some tools need credentials as environment variables, not HTTP headers. Exec mode handles this:

janee add twitter --exec \
  --key "tvly-xxx" \
  --allow-commands "bird,tweet-cli" \
  --env-map "TWITTER_API_KEY={{credential}}"

Now agents can run CLI tools through Janee without ever seeing the API key:

// Agent calls janee_exec tool
janee_exec({
  capability: "twitter",
  command: ["bird", "post", "Hello world!"],
  cwd: "/home/agent/project",  // optional working directory
  reason: "User asked to post a tweet"
})

Janee spawns the process with TWITTER_API_KEY injected, runs the command, and returns stdout/stderr. The credential never enters the agent's context.

Key flags:

--exec — configure as exec-mode (CLI wrapper instead of HTTP proxy)
--allow-commands — whitelist of allowed executables (security)
--env-map — map credentials to environment variables
--work-dir — working directory for the subprocess
--timeout — max execution time (default: 30s)

Git operations (automatic HTTPS auth)

When using exec mode with GitHub credentials, Janee automatically handles git authentication. No extra configuration needed — git push, git pull, and git clone just work:

capabilities:
  - name: git-ops
    service: github
    mode: exec
    allowCommands: [git]
    env:
      GH_TOKEN: "{{credential}}"

// Agent can push code without ever seeing the token
janee_exec({
  capability: "git-ops",
  command: ["git", "push", "origin", "main"],
  cwd: "/workspace/my-repo"
})

Janee detects git commands with GH_TOKEN/GITHUB_TOKEN in the environment and creates a temporary askpass script for HTTPS authentication. The script is cleaned up automatically after the command completes.

Add GitHub App auth (for autonomous agents)

Static tokens are risky for long-running agents. GitHub App auth generates short-lived installation tokens on demand — no long-lived PATs required.

Option 1: Use create-gh-app (recommended)

npx @true-and-useful/create-gh-app create my-agent --owner @me
# Opens browser → creates app → saves credentials locally

# Install the app on your repos
# https://github.com/apps/my-agent/installations/new

# Register with Janee in one command
npx @true-and-useful/create-gh-app janee-add my-agent

Done. Your agent now gets short-lived GitHub tokens through Janee's MCP proxy.

Option 2: Manual setup

janee add github-app \
  --auth-type github-app \
  --app-id 123456 \
  --pem-file /path/to/private-key.pem \
  --installation-id 789

Or via config:

services:
  github:
    baseUrl: https://api.github.com
    auth:
      type: github-app
      appId: "123456"
      pemFile: /path/to/private-key.pem
      installationId: "789"

How it works: When an agent requests access, Janee signs a JWT with the app's private key, exchanges it for a 1-hour installation token via GitHub's API, and caches the token until expiry. The agent never sees the private key — only the short-lived token reaches the API.

Start the MCP server

janee serve

Use with your agent

Agents that support MCP (Claude Desktop, Cursor, OpenClaw) can now call the execute tool to make API requests through Janee:

// Agent calls the execute tool
execute({
  capability: "stripe",
  method: "GET",
  path: "/v1/balance",
  reason: "User asked for account balance"
})

Janee decrypts the key, makes the request, logs everything, and returns the response.

📚 Documentation

Integrations

Works with any agent that speaks MCP:

OpenClaw — Native plugin (@true-and-useful/janee-openclaw)
- Containerized agents? See Container setup guide
Cursor — Setup guide
Claude Code — Setup guide
Codex CLI — Setup guide
Any MCP client — just point at janee serve

OpenClaw Integration

If you're using OpenClaw, install the plugin for native tool support:

npm install -g @true-and-useful/janee
janee init
# Edit ~/.janee/config.yaml with your services

# Install the OpenClaw plugin
openclaw plugins install @true-and-useful/janee-openclaw

Enable in your agent config:

{
  agents: {
    list: [{
      id: "main",
      tools: { allow: ["janee"] }
    }]
  }
}

Your agent now has these tools:

janee_list_services — Discover available APIs
janee_execute — Make API requests through Janee

The plugin spawns janee serve automatically. All requests are logged to ~/.janee/logs/.

MCP Tools

Janee exposes three MCP tools:

Tool	Description
`list_services`	Discover available APIs and their policies
`execute`	Make an API request through Janee (HTTP proxy mode)
`exec`	Run a CLI command with injected credentials (exec mode)
`manage_credential`	View, grant, or revoke access to agent-scoped credentials
`reload_config`	Reload config from disk after adding/removing services (available when started with `janee serve`)

Agents discover what's available, then call APIs through Janee. Same audit trail, same protection.

Configuration

Config lives in ~/.janee/config.yaml:

server:
  host: localhost

services:
  stripe:
    baseUrl: https://api.stripe.com
    auth:
      type: bearer
      key: sk_live_xxx  # encrypted at rest

  github:
    baseUrl: https://api.github.com
    auth:
      type: bearer
      key: ghp_xxx

capabilities:
  stripe:
    service: stripe
    ttl: 1h
    autoApprove: true

  stripe_sensitive:
    service: stripe
    ttl: 5m
    requiresReason: true

Services = Real APIs with real keys
Capabilities = What agents can request, with policies

Access control

Control which agents can use which capabilities:

server:
  host: localhost
  defaultAccess: restricted   # capabilities require explicit allowlist

capabilities:
  stripe:
    service: stripe
    ttl: 1h
    allowedAgents: ["agent-a", "agent-b"]   # only these agents can use it

  github:
    service: github
    ttl: 1h
    # no allowedAgents + defaultAccess: restricted → no agent can use this

defaultAccess: restricted — capabilities without an allowedAgents list are hidden from all agents
defaultAccess: open (default) — capabilities without an allowedAgents list are available to all agents
allowedAgents — per-capability list of agent names (matched against clientInfo.name from the MCP initialize handshake)

Credentials created by agents at runtime default to agent-only access — only the creating agent can use them unless it explicitly grants access via the manage_credential tool.

Exec mode capabilities

services:
  twitter:
    auth:
      type: bearer
      key: tvly-xxx

capabilities:
  twitter:
    service: twitter
    mode: exec
    allowCommands: ["bird", "tweet-cli"]
    envMap:
      TWITTER_API_KEY: "{{credential}}"
    ttl: 1h
    autoApprove: true

Exec-mode capabilities use janee_exec instead of execute. The credential is injected as an environment variable — the agent sees only stdout/stderr.

Runner hardening defaults in exec mode:

isolated minimal environment (no full host env inheritance)
temporary HOME per command
timeout kills the process group

Runner/Authority mode (for containers)

When agents run inside Docker containers, janee_exec on a remote host cannot access the container filesystem. The Runner/Authority architecture solves this:

Authority runs on the host: holds credentials, enforces policy, proxies API requests
Runner runs inside each container: serves MCP to the agent, forwards non-exec calls to the Authority, runs janee_exec locally

# Host: start Authority (MCP + exec authorization on one port)
janee serve -t http -p 3100 --host 0.0.0.0 --runner-key "$JANEE_RUNNER_KEY"

# Container: start Runner (agent talks to this)
janee serve -t http -p 3200 --host 127.0.0.1 \
  --authority http://host.docker.internal:3100 --runner-key "$JANEE_RUNNER_KEY"

The agent only needs JANEE_URL=http://localhost:3200.

You can also run the Authority as a standalone process:

janee authority --runner-key "$JANEE_RUNNER_KEY" --host 127.0.0.1 --port 9120

See the Runner/Authority guide for the full architecture, exec authorization flow, Docker Compose example, and troubleshooting.

Request Policies

Control exactly what requests each capability can make using rules:

capabilities:
  stripe_readonly:
    service: stripe
    ttl: 1h
    rules:
      allow:
        - GET *
      deny:
        - POST *
        - PUT *
        - DELETE *

  stripe_billing:
    service: stripe
    ttl: 15m
    requiresReason: true
    rules:
      allow:
        - GET *
        - POST /v1/refunds/*
        - POST /v1/invoices/*
      deny:
        - POST /v1/charges/*  # Can't charge cards
        - DELETE *

How rules work:

deny patterns are checked first — explicit deny always wins
Then allow patterns are checked — must match to proceed
No rules defined → allow all (backward compatible)
Rules defined but no match → denied by default

Pattern format: METHOD PATH

GET * → any GET request
POST /v1/charges/* → POST to /v1/charges/ and subpaths
* /v1/customers → any method to /v1/customers
DELETE /v1/customers/* → DELETE any customer

This makes security real: Even if an agent lies about its "reason", it can only access the endpoints the policy allows. Enforcement happens server-side.

CLI Reference

janee init                    # Set up ~/.janee/ with example config
janee add                     # Add a service (interactive)
janee add stripe -u https://api.stripe.com -k sk_xxx  # Add with args
janee remove <service>        # Remove a service
janee remove <service> --yes  # Remove without confirmation
janee list                    # List configured services
janee list --json             # Output as JSON (for integrations)
janee search [query]          # Search service directory
janee search stripe --json    # Search with JSON output
janee cap list                # List capabilities
janee cap list --json         # List capabilities as JSON
janee cap add <name> --service <service>  # Add capability
janee cap edit <name>         # Edit capability
janee cap remove <name>       # Remove capability
janee serve                   # Start MCP server (stdio, default)
janee serve --transport http --port 9100  # Start with HTTP transport (for containers)
janee serve --authority https://janee.example.com --runner-key $JANEE_RUNNER_KEY  # Runner mode
janee authority --runner-key $JANEE_RUNNER_KEY  # Start authority API
janee logs                    # View audit log
janee logs -f                 # Tail audit log
janee logs --json             # Output as JSON
janee sessions                # List active sessions
janee sessions --json         # Output as JSON
janee revoke <id>             # Kill a session

Non-interactive Setup (for AI agents)

AI agents can't respond to interactive prompts. Use --*-from-env flags to read credentials from environment variables — this keeps secrets out of the agent's context window:

# Bearer auth (Stripe, OpenAI, etc.)
janee add stripe -u https://api.stripe.com --auth-type bearer --key-from-env STRIPE_KEY

# HMAC auth (Bybit)
janee add bybit --auth-type hmac-bybit --key-from-env BYBIT_KEY --secret-from-env BYBIT_SECRET

# HMAC auth with passphrase (OKX)
janee add okx --auth-type hmac-okx --key-from-env OKX_KEY --secret-from-env OKX_SECRET --passphrase-from-env OKX_PASS

# GitHub App auth (short-lived tokens)
janee add github --auth-type github-app --app-id-from-env GH_APP_ID --pem-from-env GH_PEM --installation-id-from-env GH_INSTALL_ID

When all required credentials are provided via flags, Janee:

Never opens readline (no hanging on stdin)
Auto-creates a capability with sensible defaults (1h TTL, auto-approve)

You can also edit ~/.janee/config.yaml directly if you prefer.

🔧 Technical Details

How It Works

┌─────────────┐      ┌──────────┐      ┌─────────┐
│  AI Agent   │─────▶│  Janee   │─────▶│  Stripe │
│             │ MCP  │   MCP    │ HTTP │   API   │
└─────────────┘      └──────────┘      └─────────┘
      │                   │
   No key           Injects key
                    + logs request

Agent calls execute MCP tool with capability, method, path
Janee looks up service config, decrypts the real key
Makes HTTP request to real API with key
Logs: timestamp, service, method, path, status
Returns response to agent

Agent never touches the real key.

📐 Deep dive: See Architecture & Security Model for detailed diagrams, threat model, and comparison with alternatives.

Security

Encryption: Keys stored with AES-256-GCM
Agent identity: Derived from clientInfo.name in the MCP initialize handshake — no custom headers needed
Agent isolation: Each agent gets its own session with isolated identity (HTTP transport creates a Server+Transport per session)
Access control: Per-capability allowedAgents whitelist + server-wide defaultAccess policy
Credential scoping: Agent-created credentials default to agent-only
Audit log: Every request logged to ~/.janee/logs/
Sessions: Time-limited, revocable
Kill switch: janee revoke or delete config

📦 Installation

Docker

Run Janee as a container — no local Node.js required:

# Build
docker build -t janee .

# Run in HTTP mode
docker run -d -p 3000:3000 \
  -v ~/.janee:/root/.janee:ro \
  janee --transport http --port 3000 --host 0.0.0.0

Or use Docker Compose:

mkdir -p config && cp ~/.janee/config.yaml config/
docker compose up -d

For Claude Desktop with Docker, see Docker docs.

📄 License

MIT — Built by True and Useful LLC

Stop giving AI agents your keys. Start controlling access. 🔐

list_services

List the available API capabilities managed by Janee

execute

Execute an API request through the Janee proxy

Parameters

capability : string*

Description

The name of the capability to use (from list_services)

Parameters

method : string*

Description

HTTP method

Parameters

path : string*

Description

API path (e.g., /v1/customers)

Parameters

body : string*

Description

Request body (JSON string, optional)

Parameters

headers : object*

Description

Additional headers (optional)

Parameters

reason : string*

Description

The reason for this request (required for some capabilities)

reload_config

Reload the Janee configuration from disk without restarting the server. Use after adding new services or capabilities

janee_exec

Execute a CLI command by injecting credentials through environment variables. The agent never sees the actual credentials - Janee injects and cleans the output

Parameters

capability : string*

Description

Capability name (must be in exec mode, from list_services)

Parameters

command : array*

Description

Command and parameters as an array, e.g., ["gh", "issue", "list"]

Parameters

cwd : string*

Description

Working directory of the command (default: process cwd)

Parameters

stdin : string*

Description

Optional standard input, passed to the command through a pipe

Parameters

reason : string*

Description

The reason for this execution (required for some capabilities)

manage_credential

View or manage the access policies of agent - scope credentials. Agents can check who has access, grant access to other agents, or revoke access

Parameters

action : string*

Description

The action to perform: view ownership information, grant access to other agents, or revoke access

Parameters

service : string*

Description

The name of the service to manage

Parameters

targetAgentId : string*

Description

The ID of the agent to grant/revoke access to (required for grant/revoke actions)

test_service

Test the connectivity and authentication of the configured services. Verify that Janee can access the service and that the credentials are valid

Parameters

service : string*

Description

The name of the service to test (from list_services). Omit to test all services

Parameters

timeout : number*

Description

Timeout for the health check (milliseconds, default: 10000)

whoami

Display the resolved agent identity seen by Janee, the capabilities you can access, and the server access policies. Helps understand the allowedAgents restrictions

explain_access

Track why a specific agent can or cannot access a certain capability. Returns a step - by - step policy evaluation (capability existence, mode, allowedAgents, defaultAccess, ownership, rules). Used for debugging access issues

Parameters

agent : string*

Description

The ID of the agent to evaluate access for. Defaults to the calling agent

Parameters

capability : string*

Description

The name of the capability to check access for

Parameters

method : string*

Description

HTTP method for rule evaluation (optional, only applicable to agent capabilities)

Parameters

path : string*

Description

Request path for rule evaluation (optional, only applicable to agent capabilities)

doctor

Run the runner - to - authority diagnosis. Check authority reachability, authentication, tool forwarding, and identity consistency. Only available in runner mode