Allows importing credentials and vault items from 1Password for centralized management and controlled delegation to AI agents.
Supports importing passwords and credentials from Apple sources for unified management within the Auth Box vault.
Allows migrating vault data from Bitwarden to facilitate policy-gated access for AI agents via the MCP protocol.
Provides the capability to import stored credentials from Dashlane for secure storage and management.
Supports importing credential data from Enpass, enabling unified management and AI agent integration.
Allows for the automatic import of API keys and credentials from .env files via a drag-and-drop interface.
Enables importing stored browser credentials from Firefox into the secure vault.
Enables importing passwords and credentials from Google accounts for centralized management and AI-agent access.
Supports importing vault items from LastPass, allowing for secure management and auditable delegation.
Provides tools for managing and performing health checks on OpenAI API keys, enabling secure access for AI assistants.
Allows importing credentials from Samsung Pass for management within the Auth Box ecosystem.
Supports management and validation of Stripe API keys, facilitating secure use in AI-driven workflows.
The password manager that works even if we disappear. 24 words = all your passwords. No email, no account, no server dependency.
Why Auth Box
Every password manager asks you to trust them. Auth Box asks you to trust math.
No Email Required -- Create a vault in 45 seconds. Just a seed phrase and a master password.
Survive Without Us -- Your vault is encrypted with keys derived from your seed phrase. Even if Auth Box ceases to exist, your passwords remain yours.
Passwords Without Storage -- Derive passwords deterministically from your seed + site name. Your vault can literally be empty.
AI Agent Gateway -- Give AI assistants controlled access to credentials via MCP protocol, with policy-gated, auditable delegation.
Import Everything -- Migrate from 13 sources: Apple, Google, Chrome, Edge, Firefox, 1Password, Bitwarden, LastPass, Dashlane, KeePass, Samsung Pass, NordPass, Enpass.
AI Infrastructure Hub -- Manage API keys for 70+ providers (OpenAI, Anthropic, AWS, Stripe...). Drag-drop .env files to auto-import. One-click health checks verify keys are valid.
Arweave Permanent Storage -- Archive your encrypted vault to Arweave for permanent, decentralized backup. Recovery works even without Auth Box servers.
The Unstoppable Promise
You trust your crypto to 24 words. Why not your passwords?

Auth Box uses the same proven model as Bitcoin wallets:

seed phrase (24 words)
-> master key (PBKDF2-HMAC-SHA512)
-> vault encryption key
-> sync encryption key
-> per-agent delegation keys
-> deterministic passwords (no storage needed)

If you have your seed phrase, you have everything. No server. No company. No dependency.
Screenshots
Quick Start
# Install dependencies
pnpm install
# Start development
make dev # Postgres + Redis + Web
make dev-api # Go API
make dev-full # Everything at once

Web app: http://localhost:3010
Architecture
Client (holds all keys)                 Server (encrypted blobs only)
+-----------------------------+         +---------------------------+
| Web App        Extension    |  E2E    | Auth (SRP-6a)             |
| (Next.js)      (Chrome MV3) |  --->   | Vault (encrypted CRUD)    |
|                             |         | Agents + Policies (JSONB) |
| @authbox/crypto (seed+HD)   |         | Audit (hash chain)        |
| MCP Gateway (WebSocket)     |         | PostgreSQL + Redis        |
+-----------------------------+         +---------------------------+

Zero-knowledge: The server stores only encrypted blobs. It cannot decrypt anything.
Unstoppable Mode: The server is optional. Your vault works offline with keys derived from your seed phrase.
Monorepo Structure
packages/
  crypto/          @authbox/crypto        -- BIP-39 seed, HD keys, Argon2id, AES-256-GCM, SRP-6a
  shared/          @authbox/shared        -- Types, validation schemas
  mcp-protocol/    @authbox/mcp-protocol  -- AI gateway (MCP over WebSocket)
apps/
  web/             @authbox/web           -- Next.js 15, Vault Onyx design system
  console/         auth-box-console       -- Public portal + admin dashboard
  extension/       auth-box-extension     -- Chrome MV3 (popup + content + background)
services/
  api/             auth-box-api           -- Go API (chi v5, pgx v5, DDD layered)

Encryption
| Layer | Primitive | Purpose |
|---|---|---|
| Seed | BIP-39 (24 words) | Sole recovery mechanism |
| Master Key | PBKDF2-HMAC-SHA512 | Key derivation from seed |
| Sub-keys | HD derivation (BIP-32 style) | vault / sync / agent / auth / derive |
| Vault | AES-256-GCM | Encrypt all vault items |
| Auth | SRP-6a | Mutual authentication (optional server) |
| Passwords | Deterministic derivation | seed + site = password (no storage) |
Comparison
| Feature | 1Password | Bitwarden | LessPass | Apple Keychain | Auth Box |
|---|---|---|---|---|---|
| Self-sovereign (seed phrase) | No | No | No | No | Yes |
| Works without server | No | Self-host only | Yes | Apple only | Yes |
| Deterministic passwords | No | No | Yes | No | Yes |
| Full vault + deterministic hybrid | No | No | No | No | Yes |
| AI Agent gateway (MCP) | No | No | No | No | Yes |
| Open source client | No | Yes | Yes | No | Yes (MIT) |
| Import sources | Few | 8 | 0 | Apple only | 13 + .env auto-import |
| AI API key management | No | No | No | No | 70+ providers |
| Company disappears | Data at risk | Self-host option | OK (stateless) | Locked | 24 words = recovery |
Tests
Latest verified baseline (2026-03-23):
Go API: PASS 28 tests (SRP/TOTP, rate limiter, security middleware, audit chain)
Crypto: PASS 51 deterministic tests; 2 live Arweave probes opt-in
E2E: 65/65 Real SRP/TOTP login + vault/agent/audit/session CRUD + security
Build: PASS 7/7 turbo packages, 0 errors

Security audit: 12 findings fixed (TOTP bypass, timing attack, session scoping, CORS hardening...)
Performance audit: 11 optimizations applied (composite indexes, cache limits, rate limiter refactor...)
Key Commands
| Command | Description |
|---|---|
| make dev | Start infra + web dev server |
| make dev-api | Start Go API |
| make dev-full | Start everything |
| | Build all packages |
| | Run all tests |
| | Run the Go API test suite |
| | Run the crypto package test suite |
| | Run E2E suite against a real API |
Contributing
See CONTRIBUTING.md for development setup and guidelines.
Auth Box is MIT licensed. PRs welcome.
License
MIT -- Use it, fork it, build on it.
Maurice | maurice_wen@proton.me