
TAMPERMONKEY SECRETS MANAGER

Secure secret storage for userscripts

PROJECT://OVERVIEW ACTIVE

TamperMonkey scripts are powerful -- but they have a secret problem. Literally. When your userscripts need API keys, tokens, or credentials, your options are bad: hardcode them in the script source, store them in GM_setValue (unencrypted), or use some hacky workaround.

The TamperMonkey Secrets Manager is a Tauri desktop app that solves this. It runs a local API server on your machine that TamperMonkey scripts can query to retrieve secrets. The secrets are stored encrypted on disk, never exposed in script source code, and never leave your machine.

This is a real problem I hit while building my collection of work productivity TamperMonkey scripts. I needed API tokens for internal tools and refused to paste them into script source that syncs to the cloud.

SPECS://TECHNICAL LOADED

STACK: Tauri + Rust + TypeScript
BACKEND: Local HTTP API (localhost)
STORAGE: Encrypted on-disk vault
PLATFORM: Windows, macOS, Linux
STATUS: Active Development
TYPE: Desktop App + Local API
LICENSE: Open Source

ARCHITECTURE://FLOW DATA FLOW MAPPED

01 TamperMonkey Script

Your userscript calls GM_xmlhttpRequest to localhost on a designated port, requesting a secret by name.

02 Local API Server

The Tauri app runs an HTTP server bound to 127.0.0.1 only. It validates the request origin and checks permissions.

03 Encrypted Vault

Secrets are stored encrypted on disk. The Rust backend decrypts the requested secret in memory and returns it to the script.

04 Script Receives Secret

The secret value arrives via the callback. It's used for the API call and never persisted in TamperMonkey storage.

SECURITY://FEATURES THREAT MITIGATIONS ENFORCED

Localhost Only

The API server binds exclusively to 127.0.0.1. No remote access. Secrets never leave your machine over the network.

Encrypted Storage

All secrets are encrypted at rest on disk. Not stored in plaintext JSON. Not in TamperMonkey's GM_setValue. Actually encrypted.

Origin Validation

Requests are validated against allowed origins. Not every script on every page can query your vault -- only explicitly permitted ones.

Desktop UI

Full Tauri GUI for managing secrets. Add, edit, delete, and organize your credentials without touching config files.

Rust Backend

Cryptographic operations and server logic all in Rust. Memory-safe, no garbage collector, no runtime surprises.

TamperMonkey Integration

Works with GM_xmlhttpRequest -- the standard way TamperMonkey scripts make HTTP requests. No browser extension required beyond TM itself.
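
The Localhost Only and Origin Validation checks above, sketched as an added example (not the project's own code). It assumes the caller's origin arrives in the Origin header and uses a constructed allowlist entry; check_request, Decision and the constants are hypothetical names, and the port is the one shown in this page's usage example.

```rust
use std::net::IpAddr;

// Assumed values for illustration: the port is taken from the page's usage
// example, the allowlist entry is a constructed placeholder.
const EXPECTED_HOST: &str = "127.0.0.1:9876";
const ALLOWED_ORIGINS: &[&str] = &["https://tools.example.internal"];

#[derive(Debug, PartialEq)]
enum Decision {
    Allow,
    Deny(&'static str),
}

/// Fail-closed gate for one request to the loopback secrets API (hypothetical helper).
fn check_request(peer: IpAddr, host: Option<&str>, origin: Option<&str>) -> Decision {
    // 1. The socket peer must be loopback, checked even though the listener binds 127.0.0.1.
    if !peer.is_loopback() {
        return Decision::Deny("peer is not loopback");
    }
    // 2. The Host header must name the listener exactly. A page using DNS rebinding
    //    reaches 127.0.0.1 but still sends its own hostname here.
    if host != Some(EXPECTED_HOST) {
        return Decision::Deny("unexpected Host header");
    }
    // 3. The Origin must equal an allowlist entry in full. Prefix or substring
    //    matching would accept "https://tools.example.internal.evil.test".
    match origin {
        None => Decision::Deny("missing Origin header"),
        Some(o) if ALLOWED_ORIGINS.iter().any(|a| a.eq_ignore_ascii_case(o)) => Decision::Allow,
        Some(_) => Decision::Deny("origin not allowlisted"),
    }
}

fn main() {
    let lo: IpAddr = "127.0.0.1".parse().unwrap();
    // Constructed sample requests: (Host header, Origin header).
    let samples = [
        (Some("127.0.0.1:9876"), Some("https://tools.example.internal")),
        (Some("127.0.0.1:9876"), Some("https://tools.example.internal.evil.test")),
        (Some("rebind.evil.test:9876"), Some("https://tools.example.internal")),
        (Some("127.0.0.1:9876"), None),
    ];
    for &(host, origin) in samples.iter() {
        println!("{:?} {:?} -> {:?}", host, origin, check_request(lo, host, origin));
    }
}
```

Only the first sample is allowed; the lookalike origin, the rebinding hostname and the request with no Origin header are each denied with a distinct reason that can be logged.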

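USAGE://EXAMPLE TAMPERMONKEY SCRIPT DEMO

// Inside your TamperMonkey script
// (declare "@grant GM_xmlhttpRequest" and "@connect 127.0.0.1" in the metadata block):
GM_xmlhttpRequest({
  method: "GET",
  url: "http://127.0.0.1:9876/secret/MY_API_KEY",
  onload: (res) => {
    // Stop on any non-200 response instead of parsing an error body
    if (res.status !== 200) return;
    const secret = JSON.parse(res.responseText).value;
    // Use secret for API call -- never stored in script
  },
  // Fires when the request cannot be made, e.g. the desktop app is not running
  onerror: () => console.error("Secrets Manager unreachable"),
});

> [OK] Secret retrieved. Never touched disk. Never in source.
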
CONTEXT://WHY THE PROBLEM IDENTIFIED

If you write TamperMonkey scripts that interact with APIs, you've hit this wall. Your script needs a token. Where do you put it?

[BAD] Hardcode it in the script source -- syncs to TamperMonkey cloud backup, visible in plaintext
[BAD] Use GM_setValue -- stored unencrypted in browser profile data
[BAD] Prompt the user every time -- terrible UX, interrupts workflow
[OK] Query a local encrypted vault via localhost API -- secrets never in script source, encrypted at rest, controlled access