# API Key Storage

> Store API keys securely in macOS Keychain and auto-inject them into shell sessions.

Crystl stores your API keys in the macOS Keychain and automatically injects them as environment variables into every shell session. No more exporting keys in your `.zshrc` or `.env` files.

## How It Works

When you add an API key to Crystl, it:

1. Saves the key to your macOS Keychain (encrypted at rest by the OS)
2. Injects the key as an environment variable when any shard starts
3. Masks the key in the settings UI, showing only the first 6 and last 4 characters

Your keys are always available in your shards without being stored in plaintext config files.

## Supported Providers

Crystl recognizes keys for these providers and sets the correct environment variable automatically:

| Provider | Environment Variable |
|----------|---------------------|
| Anthropic | `ANTHROPIC_API_KEY` |
| OpenAI | `OPENAI_API_KEY` |
| Google AI | `GOOGLE_API_KEY` |
| OpenRouter | `OPENROUTER_API_KEY` |

## Adding a Key

1. Open **Settings > API Keys** (`Cmd + ,` then navigate to API Keys)
2. Select a provider
3. Paste your key
4. Click **Save**

The key is stored in macOS Keychain immediately. New shards will pick it up on creation; restart existing shards to load the updated key.

## Removing a Key

Delete a key from **Settings > API Keys**. Crystl removes it from the macOS Keychain and stops injecting it into new sessions.

## Security

Keys are stored using the macOS Keychain Services API, the same system Safari and other native apps use for credential storage. Crystl never writes keys to disk in plaintext — they exist only in memory within active shell sessions.

## Availability

API key storage is available on all plans, including Free.

---
Source: https://crystl.dev/docs/api-keys/