Analysis updated 2026-05-18
Use Claude Code, Codex, or OpenCode on a rented remote server without leaving your API key on that machine.
Set up separate API key profiles for a work cluster and a personal server from one local config file.
Rotate an API key locally and have the change apply to every active remote connection immediately.
| hezebang/keybearer | anthropics/cargo-nix-plugin | brassworks-smp/brassworkslauncher | |
|---|---|---|---|
| Stars | 13 | 13 | 13 |
| Language | Rust | Rust | Rust |
| Setup difficulty | moderate | hard | — |
| Complexity | 4/5 | 4/5 | 3/5 |
| Audience | developer | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires building a Rust binary with cargo and configuring SSH agent forwarding.
Keybearer is a Rust command-line tool that solves a specific problem: you want to use AI coding assistants like Claude Code, Codex, or OpenCode on a remote server, but you do not want to store your API keys on that server where other users or a compromised root account could read them. The README is written primarily in Chinese. The way it works is that your API keys stay on your local machine in a configuration file. When you SSH into a remote server, Keybearer uses a feature called SSH agent forwarding to create a secure tunnel back to your local machine. When an AI tool on the remote server tries to read its config file and pick up an API key, Keybearer intercepts that file-read operation at the operating system level using a Linux security feature called seccomp. Instead of letting the tool read a real file from disk, Keybearer injects the API key into a temporary in-memory location that disappears the moment the session ends. The key is never written to the remote server's disk, never appears in shell history, and never sits in a remote config file. The project supports three AI tools: Codex, OpenCode, and Claude Code. You can set up different API key profiles for different servers, so your work cluster uses one provider and your personal server uses another, all controlled from the single config file on your local machine. Changing a key locally takes effect on all remote connections immediately without touching any remote files. Setup requires building the Rust binary with cargo, copying it to the remote server, writing a YAML config file on your local machine, and starting the local agent process before connecting via SSH. The README includes a comparison table showing how this approach differs from simply putting a key in a remote config file or using a proxy that forwards requests, noting that the key in this approach has no persistent form on the remote side at all. The project is MIT-licensed and credits an earlier tool called CC-Switch for some of its configuration design ideas.
A Rust command line tool that lets you use AI coding assistants like Claude Code on a remote server without ever storing your API key on that server.
Mainly Rust. The stack also includes Rust, SSH, seccomp.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.