Janee Setup Guide: Secure API Key Management for OpenClaw, Claude, and Other AI Agents

Source: Dev.to

AI coding agents are transforming software development. Tools like Claude Desktop, Cursor, and Cline can write code, debug issues, and even make API calls on your behalf.

But there’s a problem: how do you give these agents API access without compromising security?

The common approach — pasting API keys into config files or prompts — is risky:

• Keys stored in plaintext on disk
• Agents can read .env files
• No audit trail of what was accessed
• No way to revoke access without rotating keys
• One prompt‑injection away from full API access

This guide shows you how to use Janee, a local secrets manager designed for AI‑agent workflows, to solve these problems.

What is Janee?

Janee is an MCP (Model Context Protocol) server that stores API credentials encrypted on your machine and acts as a secure proxy.

How it works

1. Store API keys in ~/.janee/config.yaml (encrypted at rest).
2. Run janee serve to start the MCP server.
3. Your AI agents connect to Janee via MCP.
4. When an agent needs to call an API, it requests access through Janee.
5. Janee injects the real key server‑side, makes the request, and logs everything.
6. The agent receives the API response without ever seeing your actual key.

Key benefits

Prerequisites

• Node.js 18+ installed
• An AI agent that supports MCP (Claude Desktop, Cursor, OpenClaw, Cline, etc.)
• API keys you want to manage (Stripe, GitHub, OpenAI, …)

Installation

npm install -g @true-and-useful/janee

Verify the installation:

janee --version

Run the init command to set up your Janee configuration:

janee init

This creates ~/.janee/config.yaml with example services. You can add services interactively or via command‑line arguments.

Option A – Interactive (recommended for beginners)

janee add

Janee will prompt you for:

• Service name (e.g., stripe)
• Base URL (e.g., https://api.stripe.com)
• Auth type (bearer, basic, hmac‑bybit, etc.)
• API key / credentials

Option B – Command‑line arguments

janee add stripe \
  -u https://api.stripe.com \
  --auth-type bearer \
  -k sk_live_xxx

Defining Capabilities

Capabilities define what agents can do with each service. They include policies such as TTL, auto‑approval, and request rules.

Example: Read‑only Stripe access

capabilities:
  stripe_readonly:
    service: stripe
    ttl: 1h
    autoApprove: true
    rules:
      allow:
        - GET *
      deny:
        - POST *
        - DELETE *
        - PUT *

Example: Stripe billing (limited write access)

capabilities:
  stripe_billing:
    service: stripe
    ttl: 15m
    requiresReason: true
    rules:
      allow:
        - GET *
        - POST /v1/refunds/*
        - POST /v1/invoices/*
      deny:
        - POST /v1/charges/*   # Can't charge cards
        - DELETE *

Note: Policies are enforced server‑side. Even if an agent tries to bypass them, Janee blocks unauthorized requests.

Starting the Server

janee serve

You should see something like:

Janee MCP server running on stdio
Config: /Users/yourname/.janee/config.yaml
Logs:   /Users/yourname/.janee/logs/

Keep this process running – Janee is now ready to accept requests from MCP clients.

Integrating with AI Agents

Claude Desktop (macOS example)

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (or the equivalent on your OS):

{
  "mcpServers": {
    "janee": {
      "command": "janee",
      "args": ["serve"]
    }
  }
}

Restart Claude Desktop.

Cursor

1. Open Settings → Extensions → MCP.
2. Paste the same JSON snippet as above.

OpenClaw (native plugin)

npm install -g @true-and-useful/janee-openclaw
openclaw plugins install @true-and-useful/janee-openclaw

Enable it in your agent config:

{
  "agents": {
    "list": [
      {
        "id": "main",
        "tools": { "allow": ["janee"] }
      }
    ]
  }
}

Using Janee in a Prompt

Example prompt for Claude Desktop

“Can you check my Stripe account balance using Janee?”

Claude will:

1. Discover the execute tool from Janee’s MCP server.
2. Call execute with capability stripe, method GET, path /v1/balance.
3. Janee decrypts your Stripe key, makes the request, logs it.
4. Returns the balance data to Claude.

Viewing the audit log

janee logs

Sample output:

2025-02-11 14:32:15 | stripe | GET /v1/balance | 200 | User asked for account balance

Request‑Rule Syntax

Rules are expressed as METHOD PATH. Below is a quick reference.

How rules are evaluated

1. Deny rules are checked first – an explicit deny always wins.
2. Allow rules are checked next – a match is required to proceed.
3. If no rules are defined → allow all (backward compatible).
4. If rules exist but no match → request is denied by default.

Sample Service & Capability Configurations

GitHub (read‑only)

services:
  github:
    baseUrl: https://api.github.com
    auth:
      type: bearer
      key: ghp_xxx

capabilities:
  github_readonly:
    service: github
    ttl: 2h
    rules:
      allow: [GET *]
      deny: [POST *, DELETE *, PUT *, PATCH *]

Your agent can read repos, issues, PRs — but can’t create, update, or delete anything.

OpenAI

services:
  openai:
    baseUrl: https://api.openai.com
    auth:
      type: bearer
      key: sk-xxx

capabilities:
  openai:
    service: openai
    ttl: 30m
    requiresReason: true

Short TTL + requires reason lets you monitor usage and revoke access quickly.

Internal API (very short TTL, manual approval)

services:
  internal_api:
    baseUrl: https://api.yourcompany.com
    auth:
      type: bearer
      key: internal_xxx

capabilities:
  internal_readonly:
    service: internal_api
    ttl: 10m
    autoApprove: false   # Manual approval required
    rules:
      allow: [GET /v1/users/*, GET /v1/analytics/*]

Recap

1. Install Janee globally (npm i -g @true-and-useful/janee).
2. Initialize (janee init) and add your services (janee add).
3. Define capabilities with appropriate TTLs and request rules.
4. Run janee serve and configure your AI agents to use the MCP server.
5. Prompt your agents to perform API calls – Janee handles the keys, logs, and policy enforcement.

You now have a secure, auditable, and policy‑driven way to give AI coding agents access to your APIs without ever exposing raw secrets. Happy coding!

Janee Quick‑Reference Guide

Core Commands

Policy Recommendations

1. Use specific capabilities – Don’t grant broad access.
   Examples: stripe_readonly, stripe_billing, stripe_admin.

2. Set appropriate TTLs

   • Exploratory work: 1–2 h
   • Sensitive operations: 5–15 min

3. Enable requiresReason – For sensitive services, agents must supply a reason (logged for audit).

4. Use request rules – Default deny; explicitly allow only what’s needed.

5. Monitor audit logs – Regularly review janee logs to see what was accessed.

6. Rotate keys periodically – Janee makes this easy; update the config once and all agents pick up the new key.

7. Backup your config – ~/.janee/config.yaml is encrypted; back it up securely.

Troubleshooting

Running Janee in Docker / Kubernetes

If you’re containerising agents, use the HTTP transport:

janee serve --transport http --port 9100

Example docker‑compose.yml

services:
  janee:
    build: .
    ports:
      - "9100:9100"
    command: janee serve --transport http --port 9100

  agent:
    depends_on:
      - janee
    environment:
      - JANEE_HTTP_URL=http://janee:9100

What You’ve Gained

• Encrypted credential storage
• Zero‑knowledge agents (they never see your keys)
• Full audit trail
• Policy enforcement
• One config for all your agents

Next Steps

1. Add more services (janee add)
2. Experiment with request policies
3. Set up integrations for all your agent tools
4. Monitor audit logs (janee logs -f)

Resources

• Docs:
• GitHub:
• Issues / Support:

If you found this useful, give Janee a ⭐ on GitHub!