Kontext CLI: Credential Broker for AI Coding Agents
What Kontext CLI Does
Kontext CLI is an open-source command-line tool that wraps AI coding agents to provide credential management without exposing API keys. It addresses the problem of teams copy-pasting long-lived API keys into .env files or chat interfaces, which creates secret sprawl and lacks access lineage.
How It Works
You declare what credentials a project needs in a .env.kontext file with placeholders like:
GITHUB_TOKEN={{kontext:github}}
STRIPE_KEY={{kontext:stripe}}
LINEAR_TOKEN={{kontext:linear}}Then run kontext start --agent claude. The CLI authenticates you via OIDC and exchanges placeholders for credentials:
- For services supporting OAuth: short-lived access tokens via RFC 8693 token exchange
- For static API keys: credentials injected directly into the agent's runtime environment
Secrets exist only in memory during the session — never written to disk on your machine. The backend holds OAuth refresh tokens and API keys; the CLI never sees them, only getting back short-lived access tokens scoped to the session.
Key Features
- One command to launch Claude Code:
kontext start --agent claude - Ephemeral credentials: short-lived tokens scoped to the session, automatically expired on exit
- Declarative credential templates in
.env.kontextfiles - Governance telemetry: Claude hook events streamed to backend with user, session, and org attribution
- Secure by default: OIDC authentication, system keyring storage, RFC 8693 token exchange
- Lean runtime: native Go binary (~5ms hook overhead per tool call), uses ConnectRPC for backend communication
- Update notifications on
kontext start(cached for 24h, disable withKONTEXT_NO_UPDATE_CHECK=1)
Installation and Usage
Install with: brew install kontext-dev/tap/kontext
Or direct binary install:
tmpdir="$(mktemp -d)" \ && gh release download --repo kontext-dev/kontext-cli --pattern 'kontext_*_darwin_arm64.tar.gz' --dir "$tmpdir" \ && archive="$(find "$tmpdir" -maxdepth 1 -name 'kontext_*_darwin_arm64.tar.gz' -print -quit)" \ && tar -xzf "$archive" -C "$tmpdir" \ && sudo install -m 0755 "$tmpdir/kontext" /usr/local/bin/kontext
From any project directory with Claude Code installed: kontext start --agent claude
On first run, the CLI handles everything interactively — login, provider connections, credential resolution. Clear stored OIDC session with kontext logout.
Audit and Governance
The CLI captures for every tool call: what the agent tried to do, what happened, whether it was allowed, and who did it — attributed to a user, session, and org. Every tool call is streamed for audit as the agent runs.
Works with Claude Code today, Codex support coming soon. Server-side policy enforcement is in development — the infrastructure for allow/deny decisions on every tool call is already wired.
📖 Read the full source: HN AI Agents
👀 See Also
Super Claude browser extension makes Claude.ai UI fully customizable
A developer built a browser extension that lets users customize every aspect of Claude.ai's interface — colors, fonts, layout, plus usage tracking and token counting. The extension works on Chrome and Firefox and was developed using Claude itself.
Open-source Gmail MCP server adds multi-account support and write access
An open-source MCP server enables Claude AI to connect to multiple Gmail accounts with full read/write capabilities, including archiving, labeling, and auto-unsubscribe functionality. It supports Gmail search syntax and can be deployed to Railway in 5 minutes or self-hosted.
Atlas Inference Engine Goes Open Source: Pure Rust + CUDA, 100+ tok/s on DGX Spark
Atlas is now open source — a Rust + CUDA inference engine that achieves 130 tok/s peak on Qwen3.5-35B (NVFP4) on a single DGX Spark, with no Python runtime and <2 minute cold start.
Open-source methodology for agentic AI partnership with Claude
A developer has published a 25,000-word paper and open-sourced templates for building a persistent partnership system with Claude that uses shared memory across sessions, cognitive monitoring, and multi-AI consultation.