Goodboy for Mac

Browsers

No password to type here — Chrome already stored its encryption key in the macOS Keychain when the user first signed in. Click Connect in device settings and Goodboy asks the OS for permission to read that key. One Touch ID or macOS password prompt on first access; silent thereafter.

iCloud

In the Passwords app, choose File → Export All Passwords and select Goodboy. The system launches the app with an NSUserActivity of type ASCredentialExchangeActivity carrying a one-shot UUID token; Goodboy redeems it with ASCredentialImportManager. Apple mediates the exchange — no credential data touches the file system, no clipboard, no CSV.

KeePassXC

Enter the master password for the .kdbx database. Goodboy auto-detects which database to use from KeePassXC's recently-opened list. If the database uses a key file, provide the path.

ProtonPass

Install the CLI: brew install protonpass/tap/pass-cli. These are regular Proton credentials:

• Proton email + password (required).
• 2FA code (if enabled) — one-time, never saved.
• Mailbox password (rare) — two-password mode accounts only.

Bitwarden

Install the CLI: brew install bitwarden-cli. Then in device settings:

• Master password (required) — the same password used at vault.bitwarden.com.
• API Client ID + Secret — at vault.bitwarden.com → Settings → Security → Keys.
• Server URL (optional) — for .eu or self-hosted vaults.

1Password

1. Open 1Password → Settings → Developer.
2. Enable "Integrate with 1Password CLI".
3. Click Connect in Goodboy and approve the biometric prompt.

The 1Password desktop app must be running during the transfer — it brokers authentication, so Goodboy never sees the master password. The op CLI is a separate install: brew install 1password-cli.

For headless use (CLI, MCP), authenticate with a service account token instead — created at start.1password.com → Developer Tools → Service Accounts. The token (starts with ops_) is shown once.