April 14, 2026
Lock the keys, unleash the takes
Show HN: Kontext CLI – Credential broker for AI coding agents in Go
New tool locks down AI keys — fans cheer, skeptics cry copycat, Rust folks sigh
TLDR: Kontext CLI debuts as a way to give AI coding tools temporary, disposable access keys while logging what they do. The crowd split fast: praise for “contextual authorization,” side‑eye over similarities to OneCLI and Tailscale Aperture, and the inevitable “should’ve been Rust” jokes—security meets déjà vu.
Kontext CLI stormed onto the scene promising a simple fix for a messy problem: stop pasting long-lived API keys into project files and let your AI coding helper use short‑lived, disposable keys that vanish when you’re done. It’s an open-source command-line app in Go that logs every tool call and currently launches Claude Code with credentials injected at runtime. Translation: safer keys, cleaner conscience.
But the comments? Pure theater. One camp is clapping for contextual authorization, with sarahroehm raving that it evaluates the agent’s “reasoning trace” and only hands over access if the user intended it. That’s like giving your AI a hall pass only when it proves it’s really going to the library. Meanwhile, comparison cops showed up fast: amjd asked how this stacks up to OneCLI, and traceroute66 went spicier, calling it “awfully similar” to Tailscale Aperture. Cue the reinventing-the-wheel debate.
Then came the comic relief: airstrike dropped the classic dev meme, “I was just about to build this… in Rust,” while others asked if they can plug it into their own agents right now. The vibe: part “Finally, guardrails!” and part “Seen this movie before.” Whether it’s fresh or familiar, the community definitely cares about temporary keys, audit trails, and not leaking secrets—and they’re not shy about saying it.
Key Points
- •Kontext CLI provides short-lived, scoped credentials to AI coding agents, injected at session start and expiring on session end.
- •Developers declare required credentials in a committed .env.kontext file, using placeholders resolved into tokens via RFC 8693.
- •Authentication uses OIDC with a refresh token stored in the system keyring; kontext logout clears the session token.
- •Governance telemetry streams agent hook events (PreToolUse, PostToolUse, UserPromptSubmit) to the Kontext dashboard for auditing.
- •Kontext CLI is a native Go binary with no Node/Python dependency; supports Claude Code now, with Cursor and Codex planned.