Latchkey: Credential layer for local AI agents

2 min read Original article ↗

The credential layer for local AI agents

25+ services supported out of the box. Register any HTTP API at runtime. Works with Claude Code, OpenCode, Codex, and more.

The credential layer for local AI agents

We built Latchkey to help

masking tape

sketchy Imbue logo

Features

Sign in like a human

Latchkey opens a browser, you log in, it captures the token and closes the tab.

Keys encrypted at rest

Tokens live under ~/.latchkey, locked with a password from your system keyring.

Handles the weird auth

AWS signatures, Telegram URL tokens, anything that won't fit in a static header. Latchkey rewrites each call.

Self-hosted, same syntax

Point it at your GitLab, your internal Sentry, any HTTP API behind your VPN. Register once, call it like any public service.

Survives token refresh

Re-auth in one command. Your long-running agent picks up the new credentials without a restart.

One command to inspect

Latchkey services info tells you whether a credential is valid, invalid, or missing. No more guessing why a call 401'd.

That's the key detail - decoupled credential lifecycle means the agent can keep running across token refreshes. Makes Latchkey much more practical for long-running workflows.

Mykola Kondratiuk

paperclip

Latchkey keeps creds local, no extra config.

@TheCesarCross

paperclip

Sent this to a couple of engineers I know who are building local agent setups. They've been duct-taping credential management together for months, this is right up their alley.

Gabriel P.

paperclip

Frequently asked questions

What is Latchkey?

A command-line tool that injects API credentials into your agent's curl calls. You log in once. Your agent runs standard curl. Latchkey adds the auth header on the way out.

How is this different from MCP?

No intermediary, no new protocol. Latchkey hands your request straight to the API. MCP wraps every service in a server you have to host. Latchkey just patches the auth into curl.

How do I get started?

npm install -g latchkey, then latchkey auth browser <service> to log in. Your agent calls latchkey curl ... from there. Run latchkey ensure-browser once if you want browser login.

Which services are supported?

AWS, Calendly, Discord, Dropbox, Figma, GitHub, GitLab, Gmail, Google Workspace, Linear, Mailchimp, Notion, Sentry, Slack, Stripe, Telegram, Yelp, Zoom, and more landing each release.

Can I add a service that isn't on the list?

Yes. latchkey services register <name> --base-api-url=... plus latchkey auth set with your token. Works for self-hosted GitLab, Mastodon, internal APIs, anything that takes static auth.

Where are my credentials stored?

Encrypted on your machine under ~/.latchkey. Nothing leaves your computer except the actual API calls you make.