Credential Gateway
No .env files. Ever.
Credentials live outside your worktree, injected at runtime.
Open source View on GitHub
Credential Gateway sits between your app and upstream services, holding all credentials in a single root-owned config file outside every worktree. Your app connects to localhost with no credentials; the gateway injects them before forwarding.
app / agent
ββ HTTP β localhost:8080/openai/β¦ β api.openai.com (Authorization injected)
ββ MySQL β localhost:3307 (no passwd) β real MySQL (credentials injected at handshake)
ββ Redis β localhost:6380 (no auth) β real Redis (AUTH injected)
ββ PostgreSQL β localhost:5433 (no passwd) β real PostgreSQL (MD5 / SCRAM-SHA-256 injected)
ββ Oracle β localhost:1522 (no passwd) β real Oracle DB (TNS/TTC auth injected)
The problem
.env files and secrets managers donβt solve three things:
- Credentials leak into worktrees β
.envfiles get committed, shared, or left behind in old branches - Per-project setup overhead β every new worktree or teammate needs the same credentials wired up again
- Rotating a key means touching every project β rotate once in
config.yaml, nothing else changes
One config file. One process. All projects on the machine share it.
Config
# HTTP β injects arbitrary headers
http:
- name: openai
listen: "127.0.0.1:8080"
upstream: "https://api.openai.com"
headers:
Authorization: "Bearer sk-β¦"
# MySQL β injects credentials at handshake
mysql:
- listen: "127.0.0.1:3307"
upstream: "real-db-host:3306"
user: dbuser
password: "β¦"
database: mydb
# Redis β sends AUTH before piping client traffic
redis:
- listen: "127.0.0.1:6380"
upstream: "real-redis-host:6379"
password: "β¦"
# PostgreSQL β MD5 and SCRAM-SHA-256 auth
postgres:
- listen: "127.0.0.1:5433"
upstream: "real-pg-host:5432"
user: dbuser
password: "β¦"
database: mydb
# Oracle β TNS wire protocol with TTC O3LOG/O3AUTH injection
oracle:
- listen: "127.0.0.1:1522"
upstream: "real-oracle-host:1521"
user: appuser
password: "β¦"
service: ORCLPDB1
All five proxy types are optional β include only what you need. Multiple entries per section are supported.
Install
Requires Go 1.22+. No heavy dependencies.
git clone https://github.com/SHUKE-LABS/credential-gateway
cd credential-gateway
go build -o credential-gateway .
mkdir -p ~/.config/credential-gateway
cp config.example.yaml ~/.config/credential-gateway/config.yaml
$EDITOR ~/.config/credential-gateway/config.yaml
chmod 0600 ~/.config/credential-gateway/config.yaml
./credential-gateway
The gateway refuses to start if the config file is group- or world-readable. Credentials are never logged.