● open source · runs on localhost

Your AI coding tool just saw your AWS key. Promtect makes sure it never happens again.

A local proxy that catches API keys, tokens, and passwords before they leave your laptop — swaps them for placeholders, then restores the real values in the response. The AI still works. Your secrets never travel.

brew install promtect/tap/promtect

No cloud · no telemetry · no root certificate · secrets never written to disk

you ▸ fix the upload in s3.py (file has AKIAIOSFODNN7EXAMPLE)
promtect ▸ masked aws_key → «promtect:aws_key:0001» (model never sees your key)
claude ▸ here's the fix, using AKIAIOSFODNN7EXAMPLE (restored in the response)

You can rotate the key. You can't un-send it.

You pasted a .env to debug it. The file you asked Cursor to fix had a token in it. That secret is now in a request log on a server you don't own — under a retention policy you never read. 28 million secrets leaked to public repos in 2025; AI-assisted commits leak at ~2× the rate. The prompt box is the new leak surface. Promtect watches it.

The gap no one else fills

Other tools hand the model [REDACTED] and you get useless code back. Promtect restores.

Capability · Promtect · Veil · LiteLLM
Restore masked values in the response ✅ toggle
Streaming (SSE) restore, per-token
No root CA required n/a
Memory-safe secrets (Rust + zeroize)
Value-free audit log
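
The mask-and-restore round trip from the demo above, together with the streaming restore row in the table, sketched as an added example (not Promtect's own code). It assumes a single AWS access key ID detector, text deltas already decoded from the SSE stream, and a 64-character bound on placeholder length; `Session` and its method names are hypothetical.

```python
import re

AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")      # one detector, for illustration
PLACEHOLDER = re.compile(r"«promtect:[a-z_]+:\d{4}»")
MAX_PLACEHOLDER_LEN = 64                            # assumed upper bound

class Session:
    """Keeps the placeholder <-> secret mapping in memory only (hypothetical API)."""

    def __init__(self):
        self._by_secret = {}
        self._by_placeholder = {}

    def mask(self, text):
        def swap(m):
            secret = m.group(0)
            if secret not in self._by_secret:       # same secret -> same placeholder
                ph = f"«promtect:aws_key:{len(self._by_secret) + 1:04d}»"
                self._by_secret[secret] = ph
                self._by_placeholder[ph] = secret
            return self._by_secret[secret]
        return AWS_KEY.sub(swap, text)

    def _restore(self, text):
        # Placeholders this session never issued are left untouched.
        return PLACEHOLDER.sub(
            lambda m: self._by_placeholder.get(m.group(0), m.group(0)), text)

    def restore_stream(self, chunks):
        held = ""
        for chunk in chunks:
            buf = held + chunk
            cut = buf.rfind("«")
            # Hold back an unterminated tail that may still become a placeholder,
            # so a placeholder split across chunks is never emitted half-restored.
            if cut != -1 and "»" not in buf[cut:] and len(buf) - cut < MAX_PLACEHOLDER_LEN:
                buf, held = buf[:cut], buf[cut:]
            else:
                held = ""
            if buf:
                yield self._restore(buf)
        if held:                                    # stream ended mid-token: flush as-is
            yield held

if __name__ == "__main__":
    s = Session()
    print(s.mask("fix the upload in s3.py (file has AKIAIOSFODNN7EXAMPLE)"))
    # Constructed response, split mid-placeholder the way a token stream might be.
    print("".join(s.restore_stream(["using «promt", "ect:aws_key", ":0001» now"])))
```

The hold-back buffer is the part a non-streaming restore does not need: without it, a placeholder split across two deltas would reach the client unrestored.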

Free stops the keys you know about. Pro stops the ones you don't.

Free protects a developer. Pro protects the company — and proves it.

Free — open source

Everything a developer needs. Not a trial.

  • ✓ 71 known-credential detectors
  • ✓ Mask + restore, local, streaming
  • ✓ Value-free audit log + dashboard
  • ✓ Claude, Cursor, Codex, Ollama, OpenRouter

Pro — Team / Business / Enterprise

A different capability class, plus fleet enforcement.

  • ✦ Entropy detection for unknown-format secrets
  • ✦ Scans the model's response for leaked secrets
  • ✦ PII / PHI / PCI compliance (HIPAA/GDPR)
  • ✦ Fleet deploy, central policy, SSO, audit