mask secrets before they leave your machine.
dotmask runs a local HTTPS proxy for Claude Code and similar tools. it replaces real secrets with format-preserving fakes on the way out, then restores them locally on the way back.
```bash
npm install -g @ducnmm/dotmask
dotmask install
```

restart Claude Code after install.
use Claude Code like normal. dotmask runs automatically after install.
- `api.anthropic.com` - Anthropic (Claude)
- `api.openai.com` - OpenAI (GPT)
- `openrouter.ai`, `api.openrouter.ai` - OpenRouter
- `generativelanguage.googleapis.com` - Google AI (Gemini)
- `api.deepseek.com` - DeepSeek
- `api.groq.com` - Groq
- `api.moonshot.ai` - Moonshot (Kimi)
- `api.together.ai` - Together AI
- `api.fireworks.ai` - Fireworks AI
- `api.cerebras.ai` - Cerebras
- `api.x.ai` - xAI (Grok)
- `api.inference.huggingface.co` - Hugging Face
- `api.minimax.io`, `api.minimax.chat` - MiniMax

~/.dotmask/config.json controls the allowed host list.
add a custom host with:
```bash
dotmask allow chat.trollllm.xyz
```

- `dotmask install` - install proxy
- `dotmask install --port 18788` - custom port
- `dotmask allow <host>` - add allowed host
- `dotmask disallow <host>` - remove host
- `dotmask hosts` - list allowed hosts
- `dotmask status` - show status
- `dotmask doctor` - diagnose issues
- `dotmask uninstall` - remove everything

- your prompt with API keys goes to Claude Code
- dotmask intercepts and replaces real keys with fakes
- fake keys go to the AI API - API thinks it's valid
- response comes back with fake keys
- dotmask swaps fakes back to real keys
- Claude Code sees the real response
your secrets never leave your machine.
- Anthropic keys: `sk-ant-api03-...`
- OpenAI keys: `sk-proj-...`, `sk-...`
- Stripe: `sk_live_...`, `sk_test_...`
- AWS: `AKIA...`
- Google AI: `AIza...`
- GitHub PATs: `ghp_...`, `gho_...`, `github_pat_...`
- Slack: `xoxb-...`, `xoxp-...`
- JWT tokens
- Database URLs: `postgres://user:pass@...`
- EVM private keys: `0x...` (64 chars)
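
the mask-then-restore round trip from the steps above, sketched for four of the listed key formats. this is an added example, not dotmask's own code: the regexes, `createMasker`, `fakeLike` and the random same-shape fake strategy are assumptions, since this README does not say how fakes are generated.

```javascript
// Added example, not dotmask's code: the regexes (a subset of the README's list)
// and the fake strategy are assumptions. Web Crypto is global on current Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const RULES = [
  { prefix: "sk-ant-api03-", body: "[A-Za-z0-9_-]{20,}" }, // Anthropic
  { prefix: "sk_test_", body: "[A-Za-z0-9]{16,}" },        // Stripe (test)
  { prefix: "AKIA", body: "[A-Z0-9]{16}" },                // AWS access key id
  { prefix: "ghp_", body: "[A-Za-z0-9]{36}" },             // GitHub PAT
];
const SETS = ["ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", "0123456789"];

// Replace each character with a random one of the same class, so length and
// separators survive; the caller keeps the prefix. Nothing derives from the real key.
function fakeLike(body) {
  const rnd = webcrypto.getRandomValues(new Uint8Array(body.length));
  return [...body].map((ch, i) => {
    const set = SETS.find((s) => s.includes(ch));
    return set ? set[rnd[i] % set.length] : ch;
  }).join("");
}

function createMasker() {
  const realToFake = new Map(); // lives only in local process memory
  const fakeToReal = new Map();
  function mask(text) {
    for (const { prefix, body } of RULES) {
      text = text.replace(new RegExp(prefix + body, "g"), (real) => {
        if (fakeToReal.has(real)) return real; // already one of our fakes
        while (!realToFake.has(real)) {
          const fake = prefix + fakeLike(real.slice(prefix.length));
          if (fake === real || fakeToReal.has(fake)) continue; // retry on collision
          realToFake.set(real, fake);
          fakeToReal.set(fake, real);
        }
        return realToFake.get(real); // same secret always maps to the same fake
      });
    }
    return text;
  }
  // Restore real values in the response before the local client sees it.
  function unmask(text) {
    for (const [fake, real] of fakeToReal) text = text.split(fake).join(real);
    return text;
  }
  return { mask, unmask };
}
// Constructed sample values, not real credentials.
const SAMPLE = `deploy with AKIAEXAMPLE0KEY00001 and ghp_${"a1B2".repeat(9)}`;
```

a string that matches none of the rules passes through `mask` unchanged, so coverage is only as good as the pattern list.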

```bash
# view logs
tail -f ~/.dotmask/proxy.err.log

# run manually with debug
DOTMASK_DEBUG=1 node dist/proxy/server.js --port 18787
```

- macOS only
- Node.js 18+
- `openssl` required
- secrets stored in macOS Keychain

MIT