The vault that knows which machine is asking.

Manage application secrets for every machine in your stack, with identity that goes all the way through every read.

The same machine identity SSH has used since the 90s, brought all the way through your secrets layer.

Secrets Management.

Store every credential your applications need in one encrypted vault. Give each machine only the secrets it actually uses, and plant a canary that locks the project the instant it's read.

Secrets // production · proj_ch9k82pkcl · 8 secrets
All Secrets

Name | Note | ID | Fields | Ver | Machines | Policy | Updated | Last Read
db-password | Postgres production credentials | sk_p1q2··f5 | - | v3 | 2 | prod-strict | 2h ago | 2m ago
stripe-key | Live key · acct_3aB… | sk_r3s4··g8 | - | v1 | 1 | prod-strict | 3d ago | 24m ago
redis-url | Cache cluster · structured | sk_t5u6··h2 | 3 fields | v2 | 2 | prod-strict | 1h ago | 2m ago
canary-prod-db (Armed) | Decoy · trips on read | sk_v7w8··j9 | - | v1 | 3 | prod-strict | 1d ago | 2m ago
aws-access-key | S3 + SES · auto-rotates | sk_a4b5··m7 | 2 fields | v8 | 1 | prod-strict | 6h ago | 7h ago
ssh-bastion | Jump host private key | sk_x9y0··k3 | - | v1 | 1 | No policy | 5d ago | 2h ago
github-app-pem | Deploy bot · pkcs8 | sk_q2w3··e4 | - | v1 | 1 | prod-strict | 1w ago | Never

Access // Policies · proj_ch9k82pkcl · 5 policies
Access Policies

Name | Description | ID | Constraints | Bound | Updated
prod-strict | Production secrets, business hours, IP-locked | pol_a8f3e2d1 | time-window, ip(2), rate-cap, co-sign | 12 | 5/7/2026
ci-pipeline | CI workers, ephemeral access bursts | pol_4c91b27e | ip(1), ttl-time, ttl-reads | 4 | 5/6/2026
dev-temp | Developer machines, expires fast | pol_d2e4f6a8 | rate-cap, ttl-reads | 7 | 5/3/2026
canary-only | Tripwire — burns project on read | pol_f9c3a14d | rotate-after | 2 | 4/29/2026
open | - | pol_e5b8c027 | none | 0 | 4/22/2026

Access Policies.

Lock each secret behind the rules you choose: business hours, allowed networks, rate caps, and multi-party approval. Stack as many as you need into one policy and bind it to any secret in the project.

AI Agents.

Let AI agents manage your vault: rotate secrets, configure policies, audit reads. Reading the actual values stays off limits, because that capability was never built for agents.

New AI Agent
> name (optional)

Scopes (5 of 25)
Every capability is off by default. Tick the ones the agent actually needs.

Vault
machines.read: List machines
machines.write: Approve / revoke / rename
aiagents.read: List AI agents
aiagents.write: Approve / disable / revoke / rename
audit.read: Read audit log
alerts.read: View alert prefs
alerts.write: Edit alert prefs
ipallowlist.read: View IP allowlist
ipallowlist.write: Edit IP allowlist

Project access (1 selected)
Restricted: Specific projects only
Unrestricted: Every project, including future ones

5 scopes, 1 project