What does AI see when Phantom is installed?

The .env file contains phm_xxxxxxxx tokens instead of real values. AI tools read those tokens. The local proxy swaps them for real keys just before the outbound TLS connection.

Which editors does Phantom work with?

Claude Code, Cursor, Windsurf, Codex via MCP. Any tool that reads .env files works automatically because Phantom rewrites the file.

Is Phantom open source?

Yes. MIT licensed. Source at github.com/ashlrai/phantom-secrets. Rust workspace — phantom-core, phantom-vault, phantom-proxy, phantom-cli, phantom-mcp.

For Claude Code · Cursor · Windsurf · Codex

Delegate everything to AI.
Without sharing a single key.

Name: Phantom
Availability: InStock
Author: AshlrAI

Phantom hands every AI tool a worthless phm_ token. The local proxy injects the real key at the network layer. Full access. Zero exposure.

Get started View on GitHub

MIT licensedOpen sourceLocal-firstEnd-to-end encryptedZero data sent

github.com/ashlrai/phantom-secrets →

Replaces real keys for 35+ services and counting

OpenAIsafe

OPENAI_API_KEY=phm_a8f2c4d9

xAIsafe

XAI_API_KEY=phm_4a91c70b

Mistralsafe

MISTRAL_API_KEY=phm_b6c1f827

Replicatesafe

REPLICATE_API_TOKEN=phm_e8c40b71

Windsurfsafe

WINDSURF_API_KEY=phm_1c9e2a40

Railwaysafe

RAILWAY_TOKEN=phm_8b4d6f93

GCPsafe

GCP_API_KEY=phm_c7f9b203

Supabasesafe

SUPABASE_KEY=phm_4f1c8ae3

MongoDBsafe

MONGODB_URI=phm_6e0fb529

Upstashsafe

UPSTASH_REDIS_TOKEN=phm_3fc0e851

Stripesafe

STRIPE_SECRET_KEY=phm_2ccb5a91

Resendsafe

RESEND_API_KEY=phm_f1a82b57

Slacksafe

SLACK_BOT_TOKEN=phm_71e0d493

Clerksafe

CLERK_SECRET_KEY=phm_8af216c3

Sentrysafe

SENTRY_AUTH_TOKEN=phm_3187a4d0

GitHubsafe

GITHUB_TOKEN=phm_99a8d2bf

Notionsafe

NOTION_API_KEY=phm_d04c1f86

Figmasafe

FIGMA_TOKEN=phm_82bd5a14

OpenAIsafe

OPENAI_API_KEY=phm_a8f2c4d9

xAIsafe

XAI_API_KEY=phm_4a91c70b

Mistralsafe

MISTRAL_API_KEY=phm_b6c1f827

Replicatesafe

REPLICATE_API_TOKEN=phm_e8c40b71

Windsurfsafe

WINDSURF_API_KEY=phm_1c9e2a40

Railwaysafe

RAILWAY_TOKEN=phm_8b4d6f93

GCPsafe

GCP_API_KEY=phm_c7f9b203

Supabasesafe

SUPABASE_KEY=phm_4f1c8ae3

MongoDBsafe

MONGODB_URI=phm_6e0fb529

Upstashsafe

UPSTASH_REDIS_TOKEN=phm_3fc0e851

Stripesafe

STRIPE_SECRET_KEY=phm_2ccb5a91

Resendsafe

RESEND_API_KEY=phm_f1a82b57

Slacksafe

SLACK_BOT_TOKEN=phm_71e0d493

Clerksafe

CLERK_SECRET_KEY=phm_8af216c3

Sentrysafe

SENTRY_AUTH_TOKEN=phm_3187a4d0

GitHubsafe

GITHUB_TOKEN=phm_99a8d2bf

Notionsafe

NOTION_API_KEY=phm_d04c1f86

Figmasafe

FIGMA_TOKEN=phm_82bd5a14

Anthropicsafe

ANTHROPIC_API_KEY=phm_e1b773c0

Geminisafe

GEMINI_API_KEY=phm_38d2e6a4

Perplexitysafe

PERPLEXITY_API_KEY=phm_05fa9d3e

Cursorsafe

CURSOR_API_KEY=phm_77b3e5f1

Vercelsafe

VERCEL_TOKEN=phm_d9f1c102

AWSsafe

AWS_SECRET_KEY=phm_5e2a8d61

Cloudflaresafe

CF_API_TOKEN=phm_ae15f627

Postgressafe

DATABASE_URL=phm_3a2e7c81

Neonsafe

NEON_API_KEY=phm_aa9d34f0

Pineconesafe

PINECONE_API_KEY=phm_b71204e5

Twiliosafe

TWILIO_AUTH_TOKEN=phm_9d4b3e12

SendGridsafe

SENDGRID_API_KEY=phm_2940bf16

Discordsafe

DISCORD_BOT_TOKEN=phm_e74cb201

PostHogsafe

POSTHOG_API_KEY=phm_d2bf1e95

Datadogsafe

DATADOG_API_KEY=phm_f5e290bc

Dockersafe

DOCKER_TOKEN=phm_b5817d4c

Linearsafe

LINEAR_API_KEY=phm_e2f37a91

Anthropicsafe

ANTHROPIC_API_KEY=phm_e1b773c0

Geminisafe

GEMINI_API_KEY=phm_38d2e6a4

Perplexitysafe

PERPLEXITY_API_KEY=phm_05fa9d3e

Cursorsafe

CURSOR_API_KEY=phm_77b3e5f1

Vercelsafe

VERCEL_TOKEN=phm_d9f1c102

AWSsafe

AWS_SECRET_KEY=phm_5e2a8d61

Cloudflaresafe

CF_API_TOKEN=phm_ae15f627

Postgressafe

DATABASE_URL=phm_3a2e7c81

Neonsafe

NEON_API_KEY=phm_aa9d34f0

Pineconesafe

PINECONE_API_KEY=phm_b71204e5

Twiliosafe

TWILIO_AUTH_TOKEN=phm_9d4b3e12

SendGridsafe

SENDGRID_API_KEY=phm_2940bf16

Discordsafe

DISCORD_BOT_TOKEN=phm_e74cb201

PostHogsafe

POSTHOG_API_KEY=phm_d2bf1e95

Datadogsafe

DATADOG_API_KEY=phm_f5e290bc

Dockersafe

DOCKER_TOKEN=phm_b5817d4c

Linearsafe

LINEAR_API_KEY=phm_e2f37a91

Same workflow. Different posture.

One command rewrites your .env. Real secrets move to the vault. AI sees only the phantoms.

.env

Before

OPENAI_API_KEY=sk-proj-aB3xK9…
ANTHROPIC_API_KEY=sk-ant-api03-9X2v…
STRIPE_SECRET_KEY=sk_live_51HxAb…
DATABASE_URL=postgres://app:••••@db.prod:5432/app

What AI sees if you paste your .env into Claude or Cursor.

.env

After phantom init

OPENAI_API_KEY=phm_a8f2c4d9e1b7
ANTHROPIC_API_KEY=phm_2ccb5a91f604
STRIPE_SECRET_KEY=phm_491e6dc8a273
DATABASE_URL=phm_99a8d2bf17e0

What AI sees now. Decoys only. Proxy injects the real keys.

Built like a real CLI.

No dashboard required. Everything lives in your terminal, your editor, and your existing infrastructure.

MCP-native, every editor

Claude Code, Cursor, Windsurf, Codex. Phantom registers as an MCP server so AI can manage secrets through a tool interface — without ever seeing the values.

$ claude mcp add phantom-secrets-mcp \
    -- npx phantom-secrets-mcp
ok  registered 24 tools

Catches leaks before they ship

phantom check runs as a pre-commit hook and blocks any commit containing an unprotected secret. Nothing slips past.

$ git commit -m "wip"
!  3 unprotected secrets in src/config.ts:
   line 4:  OPENAI_API_KEY=sk-proj-...
   line 7:  STRIPE_KEY=sk_live_...
fix: run `phantom add` to vault them.

One source of truth, everywhere

Push secrets to Vercel and Railway. Pull on a new machine. Sync to Phantom Cloud (end-to-end encrypted) so your team is never stuck Slacking a .env.

$ phantom sync --platform vercel
ok  vercel: 4 created, 1 updated
$ phantom pull --from vercel
ok  imported 5 secrets to vault

Why not just use what you have?

Every other secrets manager assumes the wrong threat model. They protect secrets at rest and in transit — but the moment you give one to an AI tool, it leaks. Phantom protects them in context.

Capability comparison: Phantom vs five alternative secrets managers.
Capability	Phantom	.env file	Doppler	1Password CLI	Infisical	AWS Secrets Mgr
AI tools never see real keys	Yes	No	No	No	No	No
Open source	Yes	—	No	No	Yes	No
Local-first vault	Yes	Yes	No	Yes	No	No
MCP-native (every editor)	Yes	No	No	No	No	No
Pre-commit secret scanning	Yes	No	Yes	No	Yes	No
Free tier	Yes	—	Limited	No	Yes	Limited
Setup time	10 seconds	—	minutes	minutes	minutes	hours
Cloud sync (E2E encrypted)	Yes	No	Yes	Yes	Yes	Yes

Comparison reflects each tool's default tier and primary use-case as of April 2026. Phantom is purpose-built for the AI-coding-tool workflow; the others are general-purpose secrets managers retrofitted to the same problem.

Install in ten seconds.

One CLI, one MCP registration. Pick your editor.

One command. Claude registers the MCP server and discovers all 24 tools.

Sixty seconds to a safe .env.

Three commands. Real output. Nothing hidden. If anything looks different on your machine, run phantom doctor.

Step 01

Install

One command. Downloads the binary for your platform.

$ npx phantom-secrets init
->  Found 4 secrets in .env
ok  vault initialized · macOS Keychain
ok  .env rewritten with phm_ tokens
ok  pre-commit hook installed
ok  CLAUDE.md updated

Step 02

Wire it to your editor

MCP registration so Claude / Cursor / Windsurf see Phantom as a tool.

$ claude mcp add phantom-secrets-mcp \
    -- npx phantom-secrets-mcp
ok  registered phantom-secrets-mcp
ok  24 tools available to Claude

Step 03

Code with AI normally

Your AI tool reads phm_ tokens. The proxy injects real keys at the network layer.

$ phantom exec -- claude
->  proxy started on 127.0.0.1:8484
->  intercepting api.openai.com, api.anthropic.com,
    api.stripe.com (+10)
->  launching claude with PHANTOM_PROXY env

Free for you. Eight bucks for your team.

The CLI, vault, proxy, and MCP server are open source forever. Cloud sync and multi-device cost what a coffee costs.

Free

$0/mo

Local-first. Open source. Forever.

Local vault (OS keychain or encrypted file)
Proxy with full streaming support
MCP server for every editor
1 cloud vault, up to 10 secrets

Install free

Popular

Pro

$8/mo

Cloud sync, multi-device, full backup.

Everything in Free
Unlimited cloud vaults
Multi-device sync (E2E encrypted)
Vault backup & restore

Start with Pro

Enterprise

Custom

Teams, audit, SSO, dedicated support.

Everything in Pro
Team vaults & sharing
Audit log + SSO/SAML
Dedicated support

Talk to us

End-to-end encrypted. Cancel any time. Open source forever.

One CLI. Three layers.

Real secrets never touch the AI context window. Phantom sits between your code and the API, swapping decoys for real keys at the network layer.

Architecture diagram: .env file with phm_ tokens flows through local proxy and vault to AI tools

Step 1

Read your .env

Phantom auto-detects 13+ services and replaces real values with phm_ tokens.

Step 2

Lock in the vault

Real keys move to your OS keychain. ChaCha20-Poly1305 + Argon2id. Encrypted-file fallback for CI and Docker.

Step 3

Inject on the wire

AI calls APIs with the phm_ token. The proxy on 127.0.0.1 swaps it for the real key and forwards over TLS. AI never sees a real secret.

Questions a security-minded developer would ask.

If yours isn't here, file an issue on GitHub or email mason@ashlr.ai.

Does Phantom slow down my AI requests?

About 0.5 ms of proxy overhead per request — not measurable in practice. The proxy is a Rust HTTP server bound to 127.0.0.1 and uses zero-copy streaming for response bodies, so SSE and large downloads pass through at native speed.

What does AI actually see when Phantom is installed?

Your .env file contains phm_xxxxxxxx tokens instead of real values. Every AI tool (Claude Code, Cursor, Windsurf, Codex, anything else that reads .env) reads those tokens and only those tokens. The local proxy swaps them for real keys just before the outbound TLS connection — the AI never touches a real secret.

What if a phm_ token leaks from AI logs?

Nothing happens. phm_ tokens are session-scoped placeholders that have no value outside your local proxy. The real key never left your machine. Rotate the token with phantom rotate and the leaked one becomes inert.

How are real keys stored?

OS keychain on macOS and Linux (Keychain Services / libsecret). Encrypted file fallback for CI and Docker, using ChaCha20-Poly1305 with Argon2id key derivation. Vault retrieval returns Zeroizing<String> so plaintext is scrubbed from RAM by Drop. No plaintext ever touches disk outside the encrypted vault file.

Can the proxy be tricked into revealing the real key?

Not through the AI tool. The real key only ever materialises in the outbound TLS connection to the upstream API — never in HTTP responses (those go back to the AI verbatim) and never in proxy logs (proxy logs the phm_ token, not the real value). Auth tokens on the proxy itself use constant-time comparison.

What about secrets in HTTP request bodies, not just headers?

Yes — the proxy scans request headers, URL parameters, and JSON body fields for phm_ tokens and replaces all of them. Streaming bodies (SSE, large uploads) are scanned chunk-by-chunk without buffering.

Can my team share secrets without sharing the .env?

Yes — Pro tier ships shared cloud vaults with envelope encryption. Each team member has their own keypair; the vault is encrypted to every member's public key. We never see plaintext.

What if I want to leave Phantom?

Your original .env is backed up automatically on init. Run phantom unwrap to restore it. Delete .phantom.toml and Phantom is gone — no lock-in, no migration scripts.

Stop rationing.
Start delegating.

ashlrai/phantom-secrets·MIT licensed·Local-first