LOCAL-FIRST KEY MANAGEMENT

HARDWARE-BOUND
SECURITY FOR
AI AGENTS

Hardware-bound key management and encrypted secret storage for AI agents. Powered by Mac Secure Enclave and passkeys. Local-first architecture so you never rely on a cloud provider, and no one can extract your keys: not your agent and not even Apple.

# Store secrets in an encrypted vault
keypo-signer vault init --label my-vault
keypo-signer vault set --label my-vault --name API_KEY --value sk-...

# Run a command with secrets injected
keypo-signer vault exec --label my-vault -- env

# Set up a programmable hardware wallet
keypo-wallet setup --key agent-key --key-policy open

# Send a transaction — key never leaves the Secure Enclave
keypo-wallet send --key agent-key --to 0x... --value 1000000000000000

Protect your secrets from your agents using Keypo Vault

$ brew install keypo-us/tap/keypo-signer

Copied!

Give your agent a programmable hardware wallet

$ brew install keypo-us/tap/keypo-wallet

Copied!

Secure Enclave Keys

P-256 signing keys live in the Mac Secure Enclave. They can never be exported — not by your agent, not by your code, and not even by Apple.

Local-First

No cloud dependency. Everything runs on your machine, backed by Apple's Secure Enclave hardware.

Programmable Policies

Each encryption key can have one of the following policies: Biometric (TouchID), Passcode or Open (no policy). Policies are enforced at the hardware level and can only be changed by you, not your agent.

Programmable Wallet

An ERC-4337 smart account your AI agent can operate autonomously — sign transactions, batch calls, and manage assets without ever seeing the private key.

HARDWARE-BOUNDSECURITY FORAI AGENTS