KeyRunner - API Client

KeyRunner | 14,354 installs | (8) | Free
The Zero Trust API Client

KeyRunner

A local-first API client, and a governed runtime for AI agents.


KeyRunner started with two ideas. For individual developers, a local-first API client inside VS Code. For enterprises, a zero-trust execution model where secrets never leave the company's own infrastructure, and every request an individual runs is continuously authenticated and authorized, not just trusted after login.

It is still both of those. Build and run requests, import existing collections, generate types from responses, simulate APIs with mocks, and keep secrets under tighter control.

As teams adopt AI, that same zero-trust model now extends to agents. KeyRunner turns your tested API requests into governed tools that agents can call, without handing them raw credentials. The goal is simple. Ship agent workflows, not credential nightmares.

If you are moving from Postman, Bruno, Insomnia, or Thunder Client, KeyRunner preserves the workflow you already know and adds a stronger execution, secret-handling, and governance model on top.


Two ways teams use KeyRunner

For developers (free, local-first)

  • A real API client. HTTP, REST, GraphQL, gRPC, and WebSocket requests inside VS Code. No signup required to start.
  • Bring your existing work. Import from Postman, Bruno, Insomnia, Thunder Client, and OpenAPI or Apigee exports.
  • Do more after "Send". Inspect response schemas, generate TypeScript types, chain requests into flows, and save reusable snippets.
  • Mock and test locally. Build realistic API workflows without stitching together separate tools.
  • Turn a request into an AI tool. Take a request you already trust, give it a name and typed inputs, and expose it as a tool your agents (Claude and others) can call.

For enterprises (zero-trust execution)

  • Secrets never leave your infrastructure. Credentials stay in your own vault and are resolved and injected at runtime. They are never copied out, and never exposed to the caller or the agent.
  • Continuous authentication and authorization. Every request, whether run by an individual or an agent, is checked against policy and RBAC before it executes, not just trusted after login. Logs tell you what happened; KeyRunner can stop what should not happen.
  • One governed layer for every agent. Instead of each new agent rebuilding the same API actions, they share a single controlled runtime.
  • Sensitive data redaction. Values such as SSNs, PHI, and card data can be redacted before responses reach a model.
  • Runs in your infrastructure with immutable audit trails, and SOC 2 Type II, HIPAA, and GDPR alignment.

Capabilities at a glance

API client

  • Local-first request execution
  • Collections and environments
  • GraphQL, gRPC, and WebSocket
  • Postman / Bruno / Insomnia / Thunder Client migration
  • OpenAPI / Apigee import
  • Response schema inspection
  • Type generation from responses
  • Mock server workflows

Secrets and AI governance

  • Secret scanning and masking
  • Vault integrations
  • Convert a request into an AI tool
  • Policy and RBAC before agent calls
  • Runtime credential injection (secrets isolated)
  • Response redaction (PII / PHI)
  • Agent audit trail

Core API client capabilities

Requests, collections, and environments

Build HTTP, REST, GraphQL, gRPC, and WebSocket workflows inside VS Code. Organize requests into collections and folders, switch environments cleanly, and reuse variables across URLs, headers, and payloads with {{variable}} syntax.

Import and migrate faster

Move existing work into KeyRunner instead of rebuilding it by hand, including collections from Postman, Bruno, Insomnia, Thunder Client, and OpenAPI or Apigee-based exports.

Local execution and secret-aware workflow

Requests run close to the developer environment instead of proxying through a third-party service. Sensitive values are masked in the interface, and secret-like values can be scanned before they spread through collections, screenshots, or shared docs.

Mocking, chaining, testing, and response tooling

KeyRunner is built for the workflow after "Send":

  • Chain requests into repeatable flows
  • Inspect response schemas
  • Generate TypeScript types from live responses
  • Build mock server workflows for local development
  • Create reusable snippets from working requests

AI tools and agent governance

The same request you test as a developer can become a governed tool for an agent.

  • Tools, not raw keys. Export an approved request as a named tool with typed, required inputs.
  • Policies and roles. Group tools into policies, assign them to agents, and enforce RBAC before any call runs.
  • Credential isolation. Secrets resolve from your vault at runtime and stay out of the agent's reach.
  • Redaction. Strip sensitive fields from responses before they reach a model.
  • Audit. See what ran, under which identity, and against which policy.

Works with Claude and other agents, and with any API you can describe with an OpenAPI spec. The free developer experience and the enterprise governed runtime share the same tools, so what you build locally is what runs under policy in production.

Secret stores and vault integrations

For teams that already use a vault, KeyRunner fits that model instead of fighting it. Credentials are resolved at runtime rather than copied into collections.

Provider                    | Type
Google Cloud Secret Manager | Cloud secret manager
HashiCorp Vault             | Self-hosted or cloud vault
1Password                   | Secrets platform
AWS Secrets Manager         | Cloud secret manager
Azure Key Vault             | Cloud secret manager

Product screens

  • Request builder. Build, organize, and send API requests without leaving VS Code.
  • AI Tool Converter. Turn an existing request into a named tool with required inputs and a governed execution path.
  • Response Schema. Inspect structured response shapes directly from live API results.
  • Generate Types. Create ready-to-use TypeScript definitions from your response payloads.
  • Vault Integrations. Connect enterprise secret managers and resolve credentials at runtime.

Get started

Install from VS Code

  1. Open Extensions (Ctrl+Shift+X / Cmd+Shift+X)
  2. Search for KeyRunner
  3. Click Install

Or from Quick Open (Ctrl+P / Cmd+P)

ext install KeyRunner.keyrunner

Open the KeyRunner panel, import an existing collection or create a new request, and start testing locally. When you are ready, export a request as a tool and put it behind policy for your agents.


keyrunner.app | Documentation | contact@keyrunner.app
