logoalt Hacker News

Show HN: Kontext CLI – Credential broker for AI coding agents in Go

57 pointsby mc-serioustoday at 1:26 PM24 commentsview on HN

We built the Kontext CLI because AI coding agents need access to GitHub, Stripe, databases, and dozens of other services — and right now most teams handle this by copy-pasting long-lived API keys into .env files, or the actual chat interface, whilst hoping for the best.

The problem isn't just secret sprawl. It's that there's no lineage of access. You don't know which developer launched which agent, what it accessed, or whether it should have been allowed to. The moment you hand raw credentials to a process, you've lost the ability to enforce policy, audit access, or rotate without pain. The credential is the authorization, and that's fundamentally broken when autonomous agents are making hundreds of API calls per session.

Kontext takes a different approach. You declare what credentials a project needs in a .env.kontext file:

  GITHUB_TOKEN={{kontext:github}}
  STRIPE_KEY={{kontext:stripe}}
  LINEAR_TOKEN={{kontext:linear}}
Then run `kontext start --agent claude`. The CLI authenticates you via OIDC, and for each placeholder: if the service supports OAuth, it exchanges the placeholder for a short-lived access token via RFC 8693 token exchange; for static API keys, the backend injects the credential directly into the agent's runtime environment. Either way, secrets exist only in memory during the session — never written to disk on your machine. Every tool call is streamed for audit as the agent runs.

The closest analogy is a Security Token Service (STS): you authenticate once, and the backend mints short-lived, scoped credentials on-the-fly — except unlike a classical STS, we hold the upstream secrets, so nothing long-lived ever reaches the agent. The backend holds your OAuth refresh tokens and API keys; the CLI never sees them. It gets back short-lived access tokens scoped to the session.

What the CLI captures for every tool call: what the agent tried to do, what happened, whether it was allowed, and who did it — attributed to a user, session, and org.

Install with one command: `brew install kontext-dev/tap/kontext`

The CLI is written in Go (~5ms hook overhead per tool call), uses ConnectRPC for backend communication, and stores auth in the system keyring. Works with Claude Code today, Codex support coming soon.

We're working on server-side policy enforcement next — the infrastructure for allow/deny decisions on every tool call is already wired, we just need to close the loop so tool calls can also be rejected.

We'd love feedback on the approach. Especially curious: how are teams handling credential management for AI agents today? Are you just pasting env vars into the agent chat, or have you found something better?

GitHub: https://github.com/kontext-dev/kontext-cli Site: https://kontext.security

Comments

james-cleftoday at 7:22 PM

Very cool project. Providing credentials agents and standardizing that whole process seems like valuable work. Question though on the OSS/paid boundary... is the OSS cli the client for the paid service? What is the custody model? Does this service store all my credentials?

show 2 replies
e12etoday at 7:09 PM

> for static API keys, the backend injects the credential directly into the agent's runtime environment.

What prevents the agent from presisering or leaking the API key - or reading it from the environment?

show 1 reply
zimbatmtoday at 6:38 PM

This is how keychains should be designed. Never return the secret, but mint a new token, or sign a request.

We need this also for normal usage like development environments. Or when invoking a command on a remote server.

Are you going to add support for services that don't support OIDC or this going to be a known limitation?

show 1 reply
sjdv1982today at 5:57 PM

What if kontext runs under the same user as Claude? Could it in principle inspect the kontext process and extract the key from memory?

show 1 reply
amjdtoday at 4:03 PM

Congrats on the launch! What are the key advantages of this compared to OneCLI[1]?

[1]: https://github.com/onecli/onecli

show 1 reply
traceroute66today at 4:17 PM

Sounds awfully similar to Tailscale Aperture[1]

[1] https://tailscale.com/blog/aperture-self-serve

show 1 reply
sarahroehmtoday at 4:50 PM

Finally a solution which focuses on contextual authorization - evaluating the agent's reasoning trace when it requests a credential, only issuing it if the intent matches what the user authorized.. developer-focused and self-serve.Happy Launch day!!

airstriketoday at 4:37 PM

Really cool and much needed!

I was actually just about to get started writing this but in Rust....

show 1 reply
0xOspreytoday at 4:57 PM

Yup I needed this bad for my NanoClaw

Nice work

show 1 reply
measurablefunctoday at 6:36 PM

It should be possible to do this w/ eBPF. Monitor network i/o & rewrite the request on the fly to include the proper tokens & signatures. The agent can just be given placeholder tokens. That way all the usual libraries work as expected & the secrets/signatures are handled w/o worrying about another abstraction layer. Here is some prior art: https://riptides.io/blog/when-ebpf-isnt-enough-why-we-went-w...

show 1 reply
Vishi3today at 4:04 PM

Can I integrate this with my coding agents?

show 1 reply
priyac-dev8bcatoday at 6:26 PM

[dead]

yarivktoday at 7:37 PM

[dead]

augmentedmiketoday at 4:41 PM

[dead]