explaingit

hezebang/keybearer

Analysis updated 2026-05-18

13RustAudience · developerComplexity · 4/5LicenseSetup · moderate

TLDR

A Rust command line tool that lets you use AI coding assistants like Claude Code on a remote server without ever storing your API key on that server.

Mindmap

mindmap
  root((Keybearer))
    What it does
      Hides API keys
      Tunnels over SSH
      Intercepts file reads
    Tech stack
      Rust
      seccomp
      SSH forwarding
    Use cases
      Remote AI coding
      Multi server profiles
      Instant key rotation
    Audience
      Developers
      Remote server users

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Use Claude Code, Codex, or OpenCode on a rented remote server without leaving your API key on that machine.

USE CASE 2

Set up separate API key profiles for a work cluster and a personal server from one local config file.

USE CASE 3

Rotate an API key locally and have the change apply to every active remote connection immediately.

What is it built with?

RustSSHseccompYAML

How does it compare?

hezebang/keybeareranthropics/cargo-nix-pluginbrassworks-smp/brassworkslauncher
Stars131313
LanguageRustRustRust
Setup difficultymoderatehard
Complexity4/54/53/5
Audiencedeveloperdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires building a Rust binary with cargo and configuring SSH agent forwarding.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

Keybearer is a Rust command-line tool that solves a specific problem: you want to use AI coding assistants like Claude Code, Codex, or OpenCode on a remote server, but you do not want to store your API keys on that server where other users or a compromised root account could read them. The README is written primarily in Chinese. The way it works is that your API keys stay on your local machine in a configuration file. When you SSH into a remote server, Keybearer uses a feature called SSH agent forwarding to create a secure tunnel back to your local machine. When an AI tool on the remote server tries to read its config file and pick up an API key, Keybearer intercepts that file-read operation at the operating system level using a Linux security feature called seccomp. Instead of letting the tool read a real file from disk, Keybearer injects the API key into a temporary in-memory location that disappears the moment the session ends. The key is never written to the remote server's disk, never appears in shell history, and never sits in a remote config file. The project supports three AI tools: Codex, OpenCode, and Claude Code. You can set up different API key profiles for different servers, so your work cluster uses one provider and your personal server uses another, all controlled from the single config file on your local machine. Changing a key locally takes effect on all remote connections immediately without touching any remote files. Setup requires building the Rust binary with cargo, copying it to the remote server, writing a YAML config file on your local machine, and starting the local agent process before connecting via SSH. The README includes a comparison table showing how this approach differs from simply putting a key in a remote config file or using a proxy that forwards requests, noting that the key in this approach has no persistent form on the remote side at all. The project is MIT-licensed and credits an earlier tool called CC-Switch for some of its configuration design ideas.

Copy-paste prompts

Prompt 1
Walk me through building Keybearer's Rust binary with cargo and copying it to a remote server.
Prompt 2
Help me write a YAML config file for Keybearer with separate API key profiles per server.
Prompt 3
Explain how Keybearer uses SSH agent forwarding and seccomp to keep my API key off the remote disk.
Prompt 4
Show me how to start the local Keybearer agent before SSHing into a remote server that runs Claude Code.

Frequently asked questions

What is keybearer?

A Rust command line tool that lets you use AI coding assistants like Claude Code on a remote server without ever storing your API key on that server.

What language is keybearer written in?

Mainly Rust. The stack also includes Rust, SSH, seccomp.

What license does keybearer use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is keybearer to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is keybearer for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.