A tiny native app + CLI + Python library that keeps your Claude and ChatGPT API keys encrypted on your machine — and out of your code.
📥 Download for macOS / Linux / Windows — single-file binaries, no Python needed
🐍 Or install via pip:
curl -fsSL https://raw.githubusercontent.com/TDYSKY/dlyaka/main/install.sh | bashLatest release · Discord · agencyg.de · Shop
You've done it. Everyone has. API key in a .env file → forgot to gitignore it → pushed to GitHub → seconds later you're frantically revoking the key.
GitHub detects roughly 10 million leaked secrets per year. Most of them are API keys for AI providers, cloud platforms, and databases. Don't be the next one.
DLYAKA fixes this by keeping your API keys in an encrypted vault on your local machine, completely separated from your projects. Your scripts read them via a CLI wrapper or a one-line Python call — never as literal strings in code.
.env files |
OS keyring | DLYAKA | |
|---|---|---|---|
| Keys never in your repo | ✅ | ✅ | |
| Encrypted at rest | ❌ | ✅ | ✅ |
| Works in headless scripts | ✅ | ✅ | |
| Works across Mac / Linux / Win | ✅ | ✅ | |
Built-in run <cmd> wrapper |
❌ | ❌ | ✅ |
| Bundled Claude Code skill | ❌ | ❌ | ✅ |
| Zero config to use the keys | ❌ | ✅ |
- AES-256 encryption via Fernet with PBKDF2-HMAC-SHA256 (480k iterations)
- Master password protects the vault — only you can decrypt it
- Works with Claude, ChatGPT, and any other API — bring your own key name
dlyaka run <cmd>— execute any script with keys injected as env vars- Python library —
get_key("anthropic")from inside your code - Claude Code Skill included — teach Claude how to use the vault automatically
- Zero keys in your code, .env files, or git history
Download a single-file binary from the latest release. No Python install required — these are standalone executables.
| Platform | CLI binary | GUI app |
|---|---|---|
| macOS (Apple Silicon) | dlyaka-cli-X.Y.Z-macos-arm64 |
dlyaka-gui-X.Y.Z-macos-arm64 |
| macOS (Intel) | run the Apple Silicon binary via Rosetta 2 (arch -x86_64) or build from source |
|
| Linux (x86_64) | dlyaka-cli-X.Y.Z-linux-x86_64 |
dlyaka-gui-X.Y.Z-linux-x86_64 |
| Windows (x86_64) | dlyaka-cli-X.Y.Z-windows-x86_64.exe |
dlyaka-gui-X.Y.Z-windows-x86_64.exe |
macOS: the binary is unsigned. To run it the first time:
xattr -d com.apple.quarantine ~/Downloads/dlyaka-gui-*-macos-*
chmod +x ~/Downloads/dlyaka-cli-*-macos-*Or right-click → Open → confirm.
Windows: SmartScreen may show "Unknown publisher" — click "More info" → "Run anyway".
Linux: chmod +x the binary and run it. The GUI needs an X11 / Wayland session.
Checksums are in SHA256SUMS.txt attached to each release. Verify with shasum -c SHA256SUMS.txt.
curl -fsSL https://raw.githubusercontent.com/TDYSKY/dlyaka/main/install.sh | bashThis script:
- Queries the GitHub API for the latest release
- Downloads the wheel
- Verifies the SHA-256 checksum against the signed
SHA256SUMS.txt - Auto-detects the best install method (active venv →
pipxif available →pip --user) - Reports a
PATHhint if needed
Force pipx (recommended for CLI tools):
curl -fsSL https://raw.githubusercontent.com/TDYSKY/dlyaka/main/install.sh | bash -s -- --pipxPin a specific version:
curl -fsSL https://raw.githubusercontent.com/TDYSKY/dlyaka/main/install.sh | bash -s -- --version 0.2.0Inspect before running (always a good idea with curl | bash):
curl -fsSL https://raw.githubusercontent.com/TDYSKY/dlyaka/main/install.sh -o install.sh
less install.sh # review
bash install.shFrom the Releases page:
pip install dlyaka-0.2.0-py3-none-any.whlFrom source:
git clone https://github.com/TDYSKY/dlyaka
cd dlyaka
pip install -e .Direct from GitHub:
pip install git+https://github.com/TDYSKY/dlyaka.git1. Store your API keys:
dlyaka add anthropic # hidden prompt — no shell history, no chat
dlyaka add openai # sameYou'll be prompted for the API key (hidden input) and then a master password on first use. The master password encrypts the vault.
Power-user shortcut:
dlyaka add anthropic sk-ant-...works too, but the key lands in your shell history. Prefer the prompt mode.
2. Run any script with keys injected automatically:
dlyaka run python my_script.pyYour script reads ANTHROPIC_API_KEY / OPENAI_API_KEY from the environment — no keys in your code:
# my_script.py
import anthropic
client = anthropic.Anthropic() # picks up ANTHROPIC_API_KEY from env
print(client.messages.create(
model="claude-sonnet-4-6",
max_tokens=1024,
messages=[{"role": "user", "content": "Hi!"}],
).content[0].text)3. Or use the Python library directly:
from dlyaka import get_key
import anthropic
client = anthropic.Anthropic(api_key=get_key("anthropic"))Pasting an API key into a chat with Claude, ChatGPT, Copilot, or any AI tool puts that key into the conversation history — and possibly logs, training data, and backend storage. DLYAKA is built to make sure that never happens.
You: "Claude, query GPT-4 to compare answers on this prompt."
Claude: "Don't paste your OpenAI key. Run this in your own terminal:
dlyaka add openai
You'll get a hidden prompt — the key never enters chat
or shell history."
You: [adds key in your terminal]
You: "Done."
Claude: [writes a Python script that uses openai client]
[runs `dlyaka run python script.py`]
dlyaka: → decrypts vault locally (master password prompt)
→ injects OPENAI_API_KEY into the subprocess environment
→ captures stdout/stderr and redacts any accidental key leak
→ streams the cleaned output back
Claude: [sees only the GPT-4 answer — never the key value]
- The key never enters chat history — you add it in your own terminal via
dlyaka add <name>(hidden prompt) - The key never enters shell history — the prompt is hidden input, not a CLI argument
- The key never appears in Claude's tool input/output —
dlyaka runinjects it into the subprocess env, bypassing Claude entirely - Accidental leaks are redacted — if a script accidentally
print()s the key,dlyaka runreplaces it with[REDACTED-API-KEY]before output reaches Claude - The key never touches a
.envfile in your repo
./claude_skill/install.shAfter install, Claude Code will:
- Refuse to accept API keys pasted in chat (and tell you to revoke them)
- Use
dlyaka runfor every AI API call - Never run
dlyaka getordlyaka envfrom its shell tool - Verify key presence via
dlyaka fingerprint(a hash, safe to share)
See claude_skill/dlyaka/SKILL.md for the full skill definition.
| Command | Description |
|---|---|
dlyaka add <name> |
Store or update a key — hidden prompt, no shell history |
dlyaka add <name> <key> |
Same, but key on argv (lands in shell history — convenience only) |
dlyaka get <name> |
Print a stored key value (use in your own terminal only) |
dlyaka list |
List stored key names + fingerprints |
dlyaka fingerprint <name> |
Print a SHA-256 fingerprint of a key (safe to share) |
dlyaka remove <name> |
Delete a key |
dlyaka run <cmd> |
Run a command with keys as env vars — subprocess output is auto-redacted |
dlyaka run --no-redact <cmd> |
Same, without redaction (not recommended) |
dlyaka env |
Print export KEY=value lines (eval into your shell) |
# Inject all keys into the current shell session
eval $(dlyaka env)
# Then use however you like
python my_script.py| Stored name | Env var injected |
|---|---|
anthropic or claude |
ANTHROPIC_API_KEY |
openai or chatgpt |
OPENAI_API_KEY |
my-custom-service |
MY_CUSTOM_SERVICE_API_KEY |
from dlyaka import get_key
# Prompts for master password
api_key = get_key("anthropic")
# Or pass it programmatically (only for tests / automation)
api_key = get_key("anthropic", password="mypw")# Claude
from dlyaka.providers.claude import get_client
client = get_client()
client.messages.create(...)
# OpenAI / ChatGPT
from dlyaka.providers.gpt import get_client
client = get_client()
client.chat.completions.create(...)DLYAKA ships with a Claude Code skill so Claude knows how to use your vault automatically when writing or running AI-powered scripts.
Install globally:
./claude_skill/install.shInstall for the current project only:
./claude_skill/install.sh --projectOnce installed, Claude will:
- Check if
dlyakais set up before writing AI scripts - Use
dlyaka run python script.pyto execute code without leaking keys - Refuse to put API key literals into your code
- Warn you to rotate keys if they ever end up in chat
See claude_skill/dlyaka/SKILL.md for the full skill definition.
~/.dlyaka/
├── vault.enc ← Fernet-encrypted JSON blob containing your keys
└── salt.bin ← random salt for key derivation (not secret, but unique to you)
- On first use, you set a master password.
- DLYAKA derives a 256-bit key from the password + a random salt using PBKDF2-HMAC-SHA256 with 480,000 iterations.
- Your API keys are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) and stored in
vault.enc. - To use a key, you provide the master password → DLYAKA decrypts in memory only → injects into env vars or returns to your Python code.
Your master password is never stored anywhere. If you forget it, your vault cannot be recovered.
- The vault file is mode
0600(read/write owner only) - The salt file is
0600and is not secret — it's just random data - Fernet uses a random IV per encryption, so re-saving produces different ciphertext
- DLYAKA never writes the decrypted vault to disk
- If you suspect your master password was compromised, run
dlyaka removefor each key and re-add with new keys
If DLYAKA saved you 30 seconds of panicked key-rotation, a star takes 2.
git clone https://github.com/TDYSKY/dlyaka
cd dlyaka
pip install -e ".[dev]"
pytestSee CONTRIBUTING.md. Security issues → SECURITY.md.
MIT — do whatever you want with it.
DLYAKA is built and maintained by AgencyG — we ship high-quality developer tools and FiveM scripts.
If DLYAKA saved you from a leaked key, leave a star on the repo and come say hi in our Discord.
