Secrets management
Secure machine authentication

Manage application secrets for every machine in your stack, with identity that goes all the way through every read.

The same machine identity SSH has used since the 90s, brought all the way through your secrets layer.

Secrets Management.

Store every credential your applications need in one encrypted vault. Give each machine only the secrets it actually uses, and plant a canary that locks the project the instant it's read.

Read the secrets management docs Try it now

Secrets //productionproj_ch9k82pkcl8 secrets

All Secrets

Search by name, ID, or note...

Name	Note	ID	Fields	Ver	Machines	Policy	Updated	Last Read
db-password	Postgres production credentials	sk_p1q2··f5	—	v3	2	prod-strict▾	2h ago	2m ago	▾
stripe-key	Live key · acct_3aB…	sk_r3s4··g8	—	v1	1	prod-strict▾	3d ago	24m ago	▾
redis-url	Cache cluster · structured	sk_t5u6··h2	3 fields	v2	2	prod-strict▾	1h ago	2m ago	▾
canary-prod-dbArmed	Decoy · trips on read	sk_v7w8··j9	—	v1	3	prod-strict▾	1d ago	2m ago	▾
aws-access-key	S3 + SES · auto-rotates	sk_a4b5··m7	2 fields	v8	1	prod-strict▾	6h ago	7h ago	▾
ssh-bastion	Jump host private key	sk_x9y0··k3	—	v1	1	No policy▾	5d ago	2h ago	▾
github-app-pem	Deploy bot · pkcs8	sk_q2w3··e4	—	v1	1	prod-strict▾	1w ago	Never	▾

Access // Policiesproj_ch9k82pkcl5 policies

Access Policies

Search by name, description, or ID...

Name	Constraints	Bound	Updated
prod-strictProduction secrets, business hours, IP-lockedpol_a8f3e2d1	time-windowip(2)rate-capco-sign	12	5/7/2026
ci-pipelineCI workers, ephemeral access burstspol_4c91b27e	ip(1)ttl-timettl-reads	4	5/6/2026
dev-tempDeveloper machines, expires fastpol_d2e4f6a8	rate-capttl-reads	7	5/3/2026
canary-onlyTripwire — burns project on readpol_f9c3a14d	rotate-after	2	4/29/2026
openpol_e5b8c027	none	0	4/22/2026

Access Policies.

Lock each secret behind the rules you choose: business hours, allowed networks, rate caps, and multi-party approval. Stack as many as you need into one policy and bind it to any secret in the project.

Read the access policy docs Try it now

AI Agents.

Let AI agents manage your vault: rotate secrets, configure policies, audit reads. Reading the actual values stays off limits, because that capability was never built for agents.

Read the AI agents docs Try it now

New AI Agent

> name(optional)release-bot

Scopes(5 of 25)

Every capability is off by default. Tick the ones the agent actually needs.

Vault

machines.readList machines

machines.writeApprove / revoke / rename

aiagents.readList AI agents

aiagents.writeApprove / disable / revoke / rename

audit.readRead audit log

alerts.readView alert prefs

alerts.writeEdit alert prefs

ipallowlist.readView IP allowlist

ipallowlist.writeEdit IP allowlist

Project access(1 selected)

RestrictedSpecific projects only

UnrestrictedEvery project, including future ones

5 scopes, 1 project

Secrets managementSecure machine authentication

Secrets Management.

Access Policies.

AI Agents.

Secrets management
Secure machine authentication