context-aware routing · role-based access · auto-detect

The right key.
For the right context. Automatically.

Keychain reads your browser profile, active domain, email alias, and app context — then routes the right credential to the right role without you lifting a finger.

Context in. Right credential out.

keychain — context routing
CONTEXT                   ROLE      CREDENTIAL
chrome / profile:work     infra     aws/prod/access-key
chrome / profile:dev      eng       stripe/test_key
firefox                   oss       github/personal-pat
email: +billing@co.com    billing   stripe/live_key
cli --role=deploy         deploy    k8s/prod/token
# context resolved in <1ms · decrypted locally · zero server round-trip

Four signal sources. One resolved context.

BROWSER

Profile detection

Chrome, Firefox, Arc, and Brave profiles auto-tag your session. Switch profiles — context switches with you. No manual selection.

chrome/profile:work → context:work

DOMAIN

Site matching

URL patterns bind to credential contexts. *.stripe.com always gets the billing key. console.aws.amazon.com routes to infra.

*.stripe.com → role:billing

EMAIL

Alias parsing

Email domains and +tags resolve to org and role automatically. Sign up with a tagged address and the credential is already where it belongs.

ops+infra@acme.io → org:acme / role:infra

APP / CLI

Runtime context

IDE plugins, native apps, and the CLI declare context at invocation. keychain run --role=deploy injects exactly the right secrets.

--role=deploy → k8s/prod/token

Your email address already knows your role.

Every email alias you use for work carries structure you already created — domain, organization, service, role. Keychain parses that structure and uses it to tag and route credentials automatically.

keychain — email parse
# parse an email alias
keychain parse "ops+aws-prod@acme.io"
username    ops         identity
tag         aws-prod    → service: aws, context: prod
domain      acme.io     → org: acme
resolved    org:acme · role:infra · ctx:prod
credential  → acme/infra/aws/prod/key

ALIAS PATTERNS
alice@company.com            org:company — default context
alice+dev@company.com        org:company · role:dev
ops+stripe-billing@co.io     org:co · role:billing · svc:stripe
ci+deploy-prod@team.dev      org:team · role:deploy · ctx:prod
client+projectA@agency.co    org:agency · client:projectA

Define once. Everyone gets the right key.

Roles bind credential path patterns to team members. When a member's context matches a role, they get that role's credentials — no individual copies, no drift, no stale shared docs.

role:infra (14 keys)
Cloud infra and platform ops
members: @alice @bob
credential patterns: aws/*, terraform/*, k8s/*, vault/*

role:billing (8 keys)
Payment systems and finance
members: @carol @dave
credential patterns: stripe/*, quickbooks/*, paypal/*

role:eng (22 keys)
Product engineers and tools
members: @alice @carol @eve @frank
credential patterns: github/*, openai/*, stripe/test_*, npm/*

.keychain/roles.yml
# define roles in your vault config
roles:
  infra:
    members: [alice, bob]
    patterns: [aws/*, k8s/*]
    contexts:
      - chrome/profile:work
      - email:+infra@*
  billing:
    members: [carol, dave]
    patterns: [stripe/*]
    contexts:
      - domain:*.stripe.com
      - email:+billing@*

# check resolved context for current session
keychain context
detected signals:
  browser  chrome/profile:work
  domain   console.aws.amazon.com
  email    ops+infra@acme.io
resolved:
  role     infra
  org      acme
  context  prod
serving 14 credentials for role:infra
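
An added example, not Keychain's own code: a sketch of the resolution the roles.yml sample implies, where a detected context selects a role but a credential is served only if the member belongs to that role and the path matches its patterns. The function names, the fnmatch-style glob matching, and the fail-closed handling of conflicting signals are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed from the roles.yml sample on this page.
ROLES = {
    "infra": {"members": {"alice", "bob"}, "patterns": ["aws/*", "k8s/*"],
              "contexts": ["chrome/profile:work", "email:+infra@*"]},
    "billing": {"members": {"carol", "dave"}, "patterns": ["stripe/*"],
                "contexts": ["domain:*.stripe.com", "email:+billing@*"]},
}

def signal_strings(signals):
    """Turn detected signals into the strings that roles.yml contexts match on."""
    out = []
    if "browser" in signals:
        out.append(signals["browser"])  # already "chrome/profile:work"
    if "domain" in signals:
        out.append("domain:" + signals["domain"].lower())
    if "email" in signals:
        local, _, host = signals["email"].lower().rpartition("@")
        _, plus, tag = local.partition("+")
        if plus:  # only tagged addresses carry a role hint
            out.append(f"email:+{tag}@{host}")
    return out

def resolve_role(member, signals, roles=ROLES):
    """Return the one role selected by the signals, or None."""
    sigs = signal_strings(signals)
    matched = [name for name, role in roles.items()
               if any(fnmatchcase(s, c) for s in sigs for c in role["contexts"])]
    # Assumed policy: conflicting or absent signals select nothing (fail closed).
    if len(matched) != 1:
        return None
    # Context is only a hint; membership is the actual authorization check.
    return matched[0] if member in roles[matched[0]]["members"] else None

def may_serve(member, signals, path, roles=ROLES):
    """True only if the resolved role's patterns cover the credential path."""
    role = resolve_role(member, signals, roles)
    return role is not None and any(
        fnmatchcase(path, p) for p in roles[role]["patterns"])

if __name__ == "__main__":
    page = {"browser": "chrome/profile:work",
            "domain": "console.aws.amazon.com", "email": "ops+infra@acme.io"}
    print(resolve_role("alice", page))
    print(may_serve("carol", page, "aws/prod/access-key"))
```

The email:+infra@* context matches a tagged address at any domain, so in this sketch the membership check, not the alias, is what restricts who receives the role's credentials.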

Three steps. Zero friction.

01

Define roles

Create named roles (infra, billing, eng) and bind credential path patterns to each. Assign team members.

02

Context detected

Keychain reads your browser profile, active domain, email alias, or CLI flag and resolves your current context automatically.

03

Credential served

The right key for that role is decrypted locally and delivered — to your browser, terminal, or app. No copy-paste. No vault hunting.

🗝️

Context-aware. Role-scoped.
Zero server.

Define your roles, tag your emails, and let Keychain do the routing. Credentials live in your bucket. Intelligence lives in the client.