# API Key Storage

> Store API keys securely in macOS Keychain and auto-inject them into shell sessions.

crystl stores your API keys in the macOS Keychain and automatically injects them as environment variables into every shell session. No more exporting keys in your `.zshrc` or `.env` files.

## How it works

When you add an API key to crystl, it:

1. Saves the key to your macOS Keychain (encrypted at rest by the OS)
2. Injects the key as an environment variable when any shard starts
3. Masks the key in the settings UI, showing only the first 6 and last 4 characters

Your keys are always available in your shards without being stored in plaintext config files.

## Supported providers

crystl recognizes keys for these providers and sets the correct environment variable automatically:

| Provider | Environment Variable |
|----------|---------------------|
| Anthropic | `ANTHROPIC_API_KEY` |
| OpenAI | `OPENAI_API_KEY` |
| Google AI | `GOOGLE_API_KEY` |
| OpenRouter | `OPENROUTER_API_KEY` |

## Custom providers

You're not limited to the four providers above. Add a **custom provider** to store a key for any service that reads its credential from an environment variable — a self-hosted model, an OpenAI-compatible gateway, or any other tool.

When you add a custom provider, you specify the **environment variable name** crystl should set (for example `DEEPSEEK_API_KEY`) and paste the value. crystl saves it to the macOS Keychain and injects it into every new shard exactly like the built-in providers.

## Adding a key

1. Open **Settings > API Keys** (`Cmd + ,` then navigate to API Keys)
2. Select a provider (or add a custom one)
3. Paste your key
4. Click **Save**

The key is stored in macOS Keychain immediately. New shards will pick it up on creation; restart existing shards to load the updated key.

## Removing a key

Delete a key from **Settings > API Keys**. crystl removes it from the macOS Keychain and stops injecting it into new sessions.

## Security

Keys are stored using the macOS Keychain Services API, the same system Safari and other native apps use for credential storage. crystl never writes keys to disk in plaintext. They exist only in memory within active shell sessions.

## Availability

API key storage is available on all plans, including Free.

---
Source: https://crystl.dev/docs/api-keys/
