# The 17 ## Docs - [Changelog](https://theseventeen-2abbdf80.mintlify.app/changelog/overview.md): What's new in keychain-auth. Updated weekly. - [keychain-auth approve: authorize a pending binary](https://theseventeen-2abbdf80.mintlify.app/cli/approve.md): Approve a queued unregistered binary by its SHA-256 hash, adding it to config.json with zero-trust defaults so you can then configure its service permissions. - [keychain-auth register: register a trusted binary](https://theseventeen-2abbdf80.mintlify.app/cli/register.md): Register a binary's path and SHA-256 hash in config.json with zero permissions, establishing its identity before you grant it access to any keychain service. - [keychain-auth start: launch the security daemon](https://theseventeen-2abbdf80.mintlify.app/cli/start.md): Start the keychain-auth daemon to broker OS keychain access over a local socket with kernel-level process verification and per-connection policy enforcement. - [keychain-auth upgrade: update a binary's registered hash](https://theseventeen-2abbdf80.mintlify.app/cli/upgrade.md): Recompute and update the SHA-256 hash for an already-registered binary after it has been updated, preserving all of its existing service permissions. - [Go client example for keychain-auth integration](https://theseventeen-2abbdf80.mintlify.app/clients/go.md): Build a production-grade Go client using Unix sockets with SOCK_CLOEXEC, cross-platform Named Pipe support, batch writes, and prefix reads. - [Node.js client example for keychain-auth integration](https://theseventeen-2abbdf80.mintlify.app/clients/nodejs.md): Build a Node.js client using the net module for Unix socket and Named Pipe connections with async/await, buffered newline parsing, and Promise-based requests. - [Python client example for keychain-auth integration](https://theseventeen-2abbdf80.mintlify.app/clients/python.md): Build a Python client using Unix sockets on macOS/Linux with FD_CLOEXEC enforcement and Windows Named Pipes via pywin32 for cross-platform access. - [Audit log: monitoring keychain access with keychain-auth](https://theseventeen-2abbdf80.mintlify.app/concepts/audit-log.md): Every keychain operation is recorded in a structured JSON log. Learn where the log lives, what each field means, and what it never contains. - [How keychain-auth secures OS keychain access control](https://theseventeen-2abbdf80.mintlify.app/concepts/how-it-works.md): keychain-auth uses connection-bound authentication and kernel PID verification to broker every keychain request through a zero-trust security daemon. - [Zero-trust access control policies in keychain-auth](https://theseventeen-2abbdf80.mintlify.app/concepts/zero-trust.md): Every binary starts with zero permissions. Learn how to register binaries, configure service namespaces, and grant read, write, and search scopes. - [Install keychain-auth on macOS, Linux, and Windows](https://theseventeen-2abbdf80.mintlify.app/installation.md): Download and install the keychain-auth daemon binary, verify the installation, and start the daemon so your tools can connect to it. - [Integration best practices and production checklist](https://theseventeen-2abbdf80.mintlify.app/integration/best-practices.md): Production checklist covering socket security, install and upgrade hooks, graceful error handling, namespace isolation, and efficient bulk secret discovery. - [Hierarchical namespace schemes for multi-tenant secrets](https://theseventeen-2abbdf80.mintlify.app/integration/namespacing.md): How to organize secrets using service namespaces and hierarchical target prefixes to support projects, environments, and workspaces across platforms. - [Configure service namespace permissions for your tool](https://theseventeen-2abbdf80.mintlify.app/integration/permissions.md): How to grant read, write, and search permissions to a registered binary by editing its config.json entry with the correct service namespace scopes. - [Register your CLI tool with keychain-auth at install](https://theseventeen-2abbdf80.mintlify.app/integration/registration.md): Step-by-step guide to registering your binary at install time, granting it a zero-trust baseline, and keeping its hash current after upgrades. - [keychain-auth: Zero-Trust Keychain Access Control](https://theseventeen-2abbdf80.mintlify.app/introduction.md): keychain-auth is a security daemon that mediates keychain access using kernel-level process verification, cryptographic attestation, and per-binary policies. - [Using keychain-auth on Linux with GNOME Keyring](https://theseventeen-2abbdf80.mintlify.app/platforms/linux.md): Set up keychain-auth on Linux: SO_PEERCRED verification, /proc/pid/exe path resolution, GNOME Keyring via D-Bus, and automatic headless/WSL fallback. - [Using keychain-auth on macOS with Apple Keychain](https://theseventeen-2abbdf80.mintlify.app/platforms/macos.md): Set up keychain-auth on macOS: Unix socket in ~/Library, LOCAL_PEERPID kernel verification, SHA-256 binary attestation, and Apple Keychain Services backend. - [keychain-auth platform support: macOS, Linux, Windows](https://theseventeen-2abbdf80.mintlify.app/platforms/overview.md): keychain-auth runs on macOS, Linux, and Windows, using platform-native IPC and kernel-verified process identity on each OS to guard your keychain. - [Using keychain-auth on Windows with Credential Manager](https://theseventeen-2abbdf80.mintlify.app/platforms/windows.md): Set up keychain-auth on Windows: Named Pipe IPC, GetNamedPipeClientProcessId verification, DPAPI-backed Credential Manager, and non-inheritable handle rules. - [keychain-auth error codes: causes and client handling](https://theseventeen-2abbdf80.mintlify.app/protocol/error-codes.md): All reason codes in keychain-auth denied and error responses, what triggers each one, whether the connection closes, and how your client should respond. - [keychain-auth wire protocol: JSON over local socket](https://theseventeen-2abbdf80.mintlify.app/protocol/overview.md): keychain-auth uses newline-delimited JSON over a Unix socket or Windows Named Pipe. The connection itself is the authenticated session — no tokens required. - [REQUEST schema: actions, fields, and match modes](https://theseventeen-2abbdf80.mintlify.app/protocol/request.md): Full reference for the keychain-auth REQUEST envelope: all fields, supported actions, match modes, write alignment rules, and JSON examples. - [RESPONSE schema: status codes, results, and value rules](https://theseventeen-2abbdf80.mintlify.app/protocol/response.md): Full reference for the keychain-auth RESPONSE envelope: status codes, reason field, results array structure, and when secret values are returned. - [Quickstart: integrate keychain-auth in 5 minutes](https://theseventeen-2abbdf80.mintlify.app/quickstart.md): Start the daemon, register your binary, configure access permissions, send your first request over the socket, and verify the result in the audit log.