Your secrets, hardware-protected.

A native macOS secrets manager with Secure Enclave encryption, a GPU-rendered terminal, and built-in leak prevention.

hatch — Terminal
$ hatch get production/api-key
🔓 Unlocked via Touch ID
sk-proj-****************************a4Qx
$ echo $DATABASE_URL
⚠ vault:redacted — secret not exposed to shell history

Built for developers who care about security

Secure Enclave encryption

Hardware-bound keys that never leave your Mac. Secrets are encrypted at rest with AES-256-GCM, unlocked only via biometrics.

Integrated terminal

GPU-rendered terminal with Metal 4. Built-in leak prevention automatically redacts secrets from output and shell history.

CloudKit sync

End-to-end encrypted sync across all your devices via iCloud. Zero-knowledge architecture — Apple never sees your data.

CI/CD ready

Headless CLI for automated pipelines. Inject secrets into builds without exposing them in config files or environment dumps.

Secrets injected, never exposed

Hatch injects environment variables directly into your process. No .env files on disk. No plaintext in shell history.

hatch — Environment Injection
$ hatch run --project myapp
🔐 Injecting 6 secrets into environment…
  DATABASE_URL       ✓ injected
  API_KEY            ✓ injected
  STRIPE_SECRET      ✓ injected
  AWS_ACCESS_KEY     ✓ injected
  SIGNING_CERT       ✓ injected
  JWT_PRIVATE_KEY    ✓ injected
$ npm start
✓ Server running on port 3000

Zero-knowledge. Zero dependencies.

Hatch uses Apple's Secure Enclave and CryptoKit directly: no third-party crypto libraries, no wrappers, and no supply chain risk from third-party code. Your encryption keys are hardware-bound and never leave the Secure Enclave. The app is fully sandboxed and notarized.

Secure Enclave · AES-256-GCM · Zero third-party deps · App Sandbox · Notarized

Get early access

Hatch is coming to macOS Tahoe. Join the waitlist to be first in line.