Kontext CLI: Credential Broker for AI Coding Agents

By OpenClawRadar. Published: April 17, 2026

What Kontext CLI Does

Kontext CLI is an open-source command-line tool that wraps AI coding agents to provide credential management without exposing API keys. It addresses the problem of teams copy-pasting long-lived API keys into .env files or chat interfaces, which creates secret sprawl and leaves no access lineage.

How It Works

You declare what credentials a project needs in a .env.kontext file with placeholders like:

GITHUB_TOKEN={{kontext:github}}
STRIPE_KEY={{kontext:stripe}}
LINEAR_TOKEN={{kontext:linear}}

Then run kontext start --agent claude. The CLI authenticates you via OIDC and exchanges placeholders for credentials:

  • For services supporting OAuth: short-lived access tokens via RFC 8693 token exchange
  • For static API keys: credentials injected directly into the agent's runtime environment

Secrets exist only in memory during the session — never written to disk on your machine. The backend holds OAuth refresh tokens and API keys; the CLI never sees them, only getting back short-lived access tokens scoped to the session.
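
The placeholder resolution described above, as an added Go example that is not Kontext's own code: it parses .env.kontext content, resolves each {{kontext:provider}} value through a caller-supplied function, and builds the agent's environment in memory, failing closed on a malformed placeholder or a resolver error. The Resolver type, the BuildEnv name, the allowed provider-name characters and the tok- sample values are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholder matches a whole value of the form {{kontext:<provider>}} (charset assumed).
var placeholder = regexp.MustCompile(`^\{\{kontext:([a-z0-9_-]+)\}\}$`)

// Resolver stands in for the broker backend call (hypothetical interface).
type Resolver func(provider string) (string, error)

// BuildEnv turns .env.kontext content into KEY=value entries for the agent's
// process environment. Nothing touches disk; any failure aborts the launch.
func BuildEnv(template string, resolve Resolver) ([]string, error) {
	var env []string
	for i, raw := range strings.Split(template, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || key == "" {
			return nil, fmt.Errorf("line %d: expected KEY=value", i+1)
		}
		m := placeholder.FindStringSubmatch(val)
		if m == nil && strings.Contains(val, "{{") {
			// A half-typed placeholder must not reach the agent as a literal.
			return nil, fmt.Errorf("line %d: malformed placeholder for %s", i+1, key)
		}
		if m == nil {
			env = append(env, key+"="+val) // plain, non-secret setting
			continue
		}
		secret, err := resolve(m[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: resolving %q: %w", i+1, m[1], err)
		}
		env = append(env, key+"="+secret)
	}
	return env, nil
}

func main() { // constructed sample input and a fake resolver
	tmpl := "GITHUB_TOKEN={{kontext:github}}\nSTRIPE_KEY={{kontext:stripe}}\n"
	env, err := BuildEnv(tmpl, func(p string) (string, error) { return "tok-" + p, nil })
	fmt.Println(len(env), err) // the resolved values are deliberately not printed
}
```

The returned slice can be assigned to the Env field of an exec.Cmd so the resolved values live only in the child process environment for the session.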

Key Features

  • One command to launch Claude Code: kontext start --agent claude
  • Ephemeral credentials: short-lived tokens scoped to the session, automatically expired on exit
  • Declarative credential templates in .env.kontext files
  • Governance telemetry: Claude hook events streamed to backend with user, session, and org attribution
  • Secure by default: OIDC authentication, system keyring storage, RFC 8693 token exchange
  • Lean runtime: native Go binary (~5ms hook overhead per tool call), uses ConnectRPC for backend communication
  • Update notifications on kontext start (cached for 24h, disable with KONTEXT_NO_UPDATE_CHECK=1)

Installation and Usage

Install with: brew install kontext-dev/tap/kontext

Or direct binary install:

tmpdir="$(mktemp -d)" \
&& gh release download --repo kontext-dev/kontext-cli --pattern 'kontext_*_darwin_arm64.tar.gz' --dir "$tmpdir" \
&& archive="$(find "$tmpdir" -maxdepth 1 -name 'kontext_*_darwin_arm64.tar.gz' -print -quit)" \
&& tar -xzf "$archive" -C "$tmpdir" \
&& sudo install -m 0755 "$tmpdir/kontext" /usr/local/bin/kontext

From any project directory with Claude Code installed: kontext start --agent claude

On first run, the CLI handles everything interactively: login, provider connections, credential resolution. Clear the stored OIDC session with kontext logout.

Audit and Governance

The CLI captures for every tool call: what the agent tried to do, what happened, whether it was allowed, and who did it — attributed to a user, session, and org. Every tool call is streamed for audit as the agent runs.

It works with Claude Code today; Codex support is coming soon. Server-side policy enforcement is in development, though the infrastructure for allow/deny decisions on every tool call is already wired.

Read the full source: HN AI Agents
