Zero-knowledge key management

Manage your API keys.
Expose nothing.

Your credentials are stored in an encrypted vault and never reach your machine. You operate with proxy keys bound to your wallet — revocable, auditable, and inert outside your session.

Download for macOS Download for Windows See how it works
How it works

Three steps. No config.

Import your secrets, use the proxy keys, forget the rest. HuGR handles the hard part.

Import your .env

Point HuGR at your .env file. The wallet scans it, absorbs every API key, and stores each one in an AES-256 encrypted vault.

Get proxy keys

HuGR generates a unique proxy key for each secret. Your .env is rewritten with proxy keys. The real credentials are gone from your filesystem.

Use them everywhere

Your app sends requests to HuGR Cloud. The real key is decrypted and used entirely within Cloudflare's edge — it never leaves their infrastructure and never reaches your machine.

Security

Leaked key? So what.

Proxy keys are bound to your wallet. No active wallet, no access. The real secret never reaches your machine.

VAULT

Wallet-bound keys

Every proxy key is tied to your wallet session. If someone grabs the key but doesn't have your wallet running — it does nothing.

AES-256-GCM

Encrypted at rest

Secrets are encrypted with per-user AES-256-GCM keys. During proxy, the real key is decrypted inside Cloudflare's edge for 5ms, used to call the API, then the isolate is destroyed.

PBKDF2

Password never stored

Your password is hashed on your device before transmission. The server applies 100,000 additional PBKDF2 iterations. We never see your plaintext password.

KEYCHAIN

OS-native sessions

Session tokens live in your OS keychain (Keychain on macOS, Credential Manager on Windows) — not in files, cookies, or localStorage. Tokens rotate every 24 hours.

Ecosystem

Built to work together.

HuGR Vault

Zero-exposure API key management. Import your .env, get wallet-bound proxy keys, and let Cloudflare handle authentication. Your real credentials are completely isolated from your machine.

Explore Vault

HuGR Shield

Password manager, privacy email, and portable browser state. Credentials encrypted on your device. History, cookies, and sessions travel with your wallet — not with the browser.

Explore Shield

HuGR Pilot

Connect your phone and operate any mobile app from your desktop. AI agents control real apps through the native accessibility layer — no APIs, no screenshots, no root.

Explore Pilot
Pricing

Start free. Scale when ready.

No credit card to start. Pix and Boleto accepted for Brazilian users.

Free

$0/mo
For individual developers getting started.
  • 1 email alias
  • 5 vault secrets
  • 200 proxy requests/day
  • 1 Shield profile
  • 7-day audit log
Get Started

Budget 7-day free trial

$9/mo
For developers and small teams shipping fast.
  • 10 email aliases
  • 15 vault secrets
  • 2,000 proxy requests/day
  • SSE streaming for LLMs
  • 30-day audit log
Start Free Trial

Pro

$29/mo
For power users and teams that need everything.
  • Unlimited aliases and secrets
  • Unlimited proxy requests
  • Device routing
  • Custom domains
  • 90-day audit log + priority support
Upgrade

Your .env is a liability.
Fix it in one import.

Download HuGR Wallet. Import your secrets. Ship with confidence.

Download for macOS Download for Windows