Protools

Goodboy skips the CSV export entirely. It reads your local Chromium databases directly and securely — requesting macOS Safe Storage access, deriving the local browser key, and decrypting the database in memory. Your data never sits in an exposed intermediary file.

Sync-mode detection is fully automated. Whether Chrome stores your passwords in Login Data or Login Data For Account, Goodboy detects the active table across Chrome, Brave, Edge, Opera, Vivaldi, and Arc. Each discovered profile is treated as its own independent source.

Writing back is supported for Chrome. In the free tier, Chrome must be closed during the write; Pro adds a headless path that runs without interruption. Other Chromium browsers are read-only for now.

Goodboy integrates with Apple's Credential Exchange on macOS 26 — Apple's implementation of the FIDO Alliance's Credential Exchange Format (CXF). The operating system mediates the handoff; credential data never touches the file system.

The two-step handoff

When you choose File → Export All Passwords in the Passwords app and select Goodboy, two Apple APIs do the work:

1. OS hands off to the app. The system launches Goodboy with an NSUserActivity whose activityType is ASCredentialExchangeActivity, carrying a one-shot UUID token in userInfo.
2. App redeems the token. Goodboy calls ASCredentialImportManager.importCredentials(token:) and the system returns a typed ASExportedCredentialData payload directly to memory — passwords, passkeys, OTP seeds, notes.

No CSV. No clipboard. No intermediate file. Writing back into the Apple ecosystem uses the paired ASCredentialExportManager, making Goodboy a true two-way bridge for your iCloud Keychain.

App MCP only

The iCloud protool is available through Goodboy's in-app MCP server only. The standalone goodboy-mcp binary is process-isolated from macOS's credential exchange surface — the OS will not hand a credential-exchange activity to a headless stdio process — so iCloud lives inside the app. Every other protool (Chrome, KeePassXC, Bitwarden, 1Password, ProtonPass, JSON Export) works in both transports.

Passkey routing for KeePassXC

Moving passkeys out of Apple Passwords is notoriously difficult due to export limitations. Goodboy acts as a native macOS bridge, routing passkeys straight from Apple directly into your .kdbx database.

No complex conversions, no intermediate files — a direct, secure handoff into your existing KeePassXC setup.

KeePassXC has an open issue for CXF/CXP import (#11363). Goodboy fills that gap from the outside.

Goodboy uses the official keepassxc-cli to interact with your local .kdbx databases, with full support for passwords, OTP seeds, passkeys, and notes.

Setup is automatic: Goodboy detects your recently opened databases and surfaces them individually. Provide your master password (and key file, if applicable) on first use, and Goodboy handles the rest. It's the ideal landing zone for migrating data — especially passkeys — from proprietary ecosystems like Apple's into open-source local storage.