API Key Storage
Updated March 22, 2026
Crystl stores your API keys in the macOS Keychain and automatically injects them as environment variables into every shell session. No more exporting keys in your .zshrc or .env files.
How It Works
When you add an API key to Crystl, it:
- Saves the key to your macOS Keychain (encrypted at rest by the OS)
- Injects the key as an environment variable when any shard starts
- Masks the key in the settings UI, showing only the first 6 and last 4 characters
Your keys are always available in your shards without being stored in plaintext config files.
Supported Providers
Crystl recognizes keys for these providers and sets the correct environment variable automatically:
| Provider | Environment Variable |
|---|---|
| Anthropic | ANTHROPIC_API_KEY |
| OpenAI | OPENAI_API_KEY |
| Google AI | GOOGLE_API_KEY |
| OpenRouter | OPENROUTER_API_KEY |
Adding a Key
- Open Settings > API Keys (
Cmd + ,then navigate to API Keys) - Select a provider
- Paste your key
- Click Save
The key is stored in macOS Keychain immediately. New shards will pick it up on creation; restart existing shards to load the updated key.
Removing a Key
Delete a key from Settings > API Keys. Crystl removes it from the macOS Keychain and stops injecting it into new sessions.
Security
Keys are stored using the macOS Keychain Services API, the same system Safari and other native apps use for credential storage. Crystl never writes keys to disk in plaintext — they exist only in memory within active shell sessions.
Availability
API key storage is available on all plans, including Free.