Pricing · transparent · cancel any time

Free for you.
Eight bucks for your team.

The CLI, vault, proxy, and MCP server are open source forever. Cloud sync and multi-device cost what a coffee costs.

Free

$0/mo

Local-first. Open source. Forever.

  • Local vault (OS keychain or encrypted file)
  • Proxy with full streaming support
  • MCP server for every editor
  • 27 CLI commands · 24 MCP tools
  • Unlimited local secrets
  • 1 cloud vault (up to 10 secrets)
  • Vercel & Railway sync

Pro · Most popular

$8/mo

Cloud sync, multi-device, full backup.

  • Everything in Free
  • Unlimited cloud vaults
  • Multi-device sync (E2E encrypted)
  • Vault backup & restore
  • Pre-commit secret scanning
  • Priority support

Enterprise

Custom

Teams, audit, SSO, dedicated support.

  • Everything in Pro
  • Team vaults & shared secrets
  • Audit log + SSO/SAML
  • Centralised secret rotation
  • On-prem deployment option
  • Dedicated support

All plans include the open-source CLI, the local proxy, the MCP server, and the local vault. Cloud features require a Phantom account. Vaults are end-to-end encrypted — we never see your secrets, even on Pro or Enterprise.

Why not just use what you have?

Every other secrets manager assumes the wrong threat model. They protect secrets at rest and in transit — but the moment you give one to an AI tool, it leaks. Phantom protects them in context.

Capability comparison: Phantom vs five alternative secrets managers.
| Capability                    | Phantom    | .env file | Doppler | 1Password CLI | Infisical | AWS Secrets Mgr |
|-------------------------------|------------|-----------|---------|---------------|-----------|-----------------|
| AI tools never see real keys  | Yes        | No        | No      | No            | No        | No              |
| Open source                   | Yes        |           | No      | No            | Yes       | No              |
| Local-first vault             | Yes        | Yes       | No      | Yes           | No        | No              |
| MCP-native (every editor)     | Yes        | No        | No      | No            | No        | No              |
| Pre-commit secret scanning    | Yes        | No        | Yes     | No            | Yes       | No              |
| Free tier                     | Yes        |           | Limited | No            | Yes       | Limited         |
| Setup time                    | 10 seconds |           | minutes | minutes       | minutes   | hours           |
| Cloud sync (E2E encrypted)    | Yes        | No        | Yes     | Yes           | Yes       | Yes             |

Comparison reflects each tool's default tier and primary use-case as of April 2026. Phantom is purpose-built for the AI-coding-tool workflow; the others are general-purpose secrets managers retrofitted to the same problem.

Questions a security-minded developer would ask.

If yours isn't here, file an issue on GitHub or email mason@ashlr.ai.

Does Phantom slow down my AI requests?
About 0.5 ms of proxy overhead per request — not measurable in practice. The proxy is a Rust HTTP server bound to 127.0.0.1 and uses zero-copy streaming for response bodies, so SSE and large downloads pass through at native speed.
What does AI actually see when Phantom is installed?
Your .env file contains phm_xxxxxxxx tokens instead of real values. Every AI tool (Claude Code, Cursor, Windsurf, Codex, anything else that reads .env) reads those tokens and only those tokens. The local proxy swaps them for real keys just before the outbound TLS connection — the AI never touches a real secret.
What if a phm_ token leaks from AI logs?
Nothing happens. phm_ tokens are session-scoped placeholders that have no value outside your local proxy. The real key never left your machine. Rotate the token with phantom rotate and the leaked one becomes inert.
How are real keys stored?
OS keychain on macOS and Linux (Keychain Services / libsecret). Encrypted file fallback for CI and Docker, using ChaCha20-Poly1305 with Argon2id key derivation. Vault retrieval returns Zeroizing<String> so plaintext is scrubbed from RAM by Drop. No plaintext ever touches disk outside the encrypted vault file.
Can the proxy be tricked into revealing the real key?
Not through the AI tool. The real key only ever materialises in the outbound TLS connection to the upstream API — never in HTTP responses (those go back to the AI verbatim) and never in proxy logs (proxy logs the phm_ token, not the real value). Auth tokens on the proxy itself use constant-time comparison.
What about secrets in HTTP request bodies, not just headers?
Those are covered too. The proxy scans request headers, URL parameters, and JSON body fields for phm_ tokens and replaces all of them. Streaming bodies (SSE, large uploads) are scanned chunk-by-chunk without buffering the whole body.
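As an added illustration, not Phantom's own proxy code, here is a small Python model of the behaviour the answers above describe: placeholders in headers, query parameters and JSON body fields are swapped for real values only when the outbound request is built; a streamed body is rewritten chunk by chunk while holding back just enough text to catch a placeholder split across two chunks; the proxy's log line is taken from the inbound request and so carries only the placeholder; the proxy's own auth token is compared in constant time; and rotating a leaked placeholder leaves the old one inert. The class and function names, the assumed phm_ token shape (phm_ followed by 16 hex characters) and the sample key and request are all constructed for this example.

```python
"""Example model of a placeholder-substituting proxy (written for this page,
not Phantom's code). Token format, names and sample data are assumptions."""
import hmac
import json
import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_LEN = 20                                    # "phm_" + 16 hex chars (assumed shape)
PLACEHOLDER_RE = re.compile(r"phm_[0-9a-f]{16}")


class PlaceholderVault:
    """Session-scoped map from phm_ placeholders to real secrets, held only in memory."""

    def __init__(self) -> None:
        self._real: dict[str, str] = {}

    def issue(self, real_value: str) -> str:
        token = "phm_" + secrets.token_hex(8)
        self._real[token] = real_value
        return token

    def rotate(self, old_token: str) -> str:
        """Reissue the placeholder; the old token no longer maps to anything."""
        return self.issue(self._real.pop(old_token))

    def resolve(self, text: str) -> str:
        """Replace every known placeholder; unknown ones (e.g. rotated) stay inert."""
        return PLACEHOLDER_RE.sub(lambda m: self._real.get(m.group(0), m.group(0)), text)


@dataclass
class Request:
    method: str
    url: str
    headers: dict[str, str]
    body: str                                     # JSON text, or "" for no body


def _resolve_json(vault: PlaceholderVault, value):
    """Walk a parsed JSON value and resolve placeholders inside every string."""
    if isinstance(value, str):
        return vault.resolve(value)
    if isinstance(value, list):
        return [_resolve_json(vault, v) for v in value]
    if isinstance(value, dict):
        return {k: _resolve_json(vault, v) for k, v in value.items()}
    return value


def rewrite_request(vault: PlaceholderVault, req: Request) -> Request:
    """Build the outbound request: placeholders swapped in headers, query and JSON body."""
    parts = urlsplit(req.url)
    query = urlencode([(k, vault.resolve(v)) for k, v in parse_qsl(parts.query)])
    headers = {k: vault.resolve(v) for k, v in req.headers.items()}
    body = json.dumps(_resolve_json(vault, json.loads(req.body))) if req.body else ""
    return Request(req.method, urlunsplit(parts._replace(query=query)), headers, body)


def stream_rewrite(vault: PlaceholderVault, chunks):
    """Rewrite a streamed body chunk by chunk. Only the last TOKEN_LEN-1 characters
    are held back, so a placeholder split across two chunks is still replaced
    without buffering the whole stream."""
    carry = ""
    for chunk in chunks:
        buf = vault.resolve(carry + chunk)
        cut = max(len(buf) - (TOKEN_LEN - 1), 0)
        yield buf[:cut]
        carry = buf[cut:]
    if carry:
        yield carry


def proxy_auth_ok(presented: str, expected: str) -> bool:
    """Constant-time comparison of the proxy's own auth token."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def log_line(req: Request) -> str:
    """What the proxy logs: the inbound request, which only ever holds placeholders."""
    return f"{req.method} {req.url} auth={req.headers.get('Authorization', '')}"


def demo() -> dict:
    """Constructed walk-through; returns the facts worth checking."""
    vault = PlaceholderVault()
    real_key = "sk-live-CONSTRUCTED-EXAMPLE-KEY"  # constructed sample, not a real credential
    tok = vault.issue(real_key)
    inbound = Request(
        "POST", f"https://api.example.com/v1/chat?key={tok}",
        {"Authorization": f"Bearer {tok}"},
        json.dumps({"api_key": tok, "messages": [{"role": "user", "content": "hi"}]}),
    )
    outbound = rewrite_request(vault, inbound)
    streamed = "".join(stream_rewrite(vault, [f"data: {tok[:9]}", f"{tok[9:]} end"]))
    new_tok = vault.rotate(tok)                   # the leaked placeholder becomes inert
    return {
        "real_key": real_key, "old_token": tok,
        "outbound_auth": outbound.headers["Authorization"],
        "outbound_url": outbound.url,
        "outbound_body_key": json.loads(outbound.body)["api_key"],
        "log": log_line(inbound), "streamed": streamed,
        "old_token_after_rotate": vault.resolve(tok),
        "new_token_resolves": vault.resolve(new_tok),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hold-back in `stream_rewrite` is the detail worth noting: after substitution, any unfinished placeholder at the end of the buffer is at most TOKEN_LEN-1 characters long, so carrying exactly that many characters into the next chunk is sufficient and keeps memory use independent of body size.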
Can my team share secrets without sharing the .env?
Yes — Pro tier ships shared cloud vaults with envelope encryption. Each team member has their own keypair; the vault is encrypted to every member's public key. We never see plaintext.
What if I want to leave Phantom?
Your original .env is backed up automatically on init. Run phantom unwrap to restore it. Delete .phantom.toml and Phantom is gone — no lock-in, no migration scripts.