Now with NHI management

Secrets management & non-human identities for modern dev teams

Encrypt, sync, and inject secrets from the CLI. Manage machine tokens, AI agent credentials, and CI/CD pipelines — with lifecycle controls, conditional access, and full audit trails.

Free for 3 projects · No credit card required

Three commands. Zero .env files.

Get up and running in under a minute.

Step 1: Install

    npm i -g @secr/cli

Step 2: Init

    secr init

Step 3: Run

    secr run -- npm start

Everything .env files aren't

Secrets management and non-human identity controls, built for how modern teams actually work.

Envelope encryption

AES-256-GCM with per-project keys, wrapped by your KMS. Secrets are encrypted at rest and in transit.

CLI-first workflow

Run secr run -- npm start to inject secrets directly into your process — no .env files touching disk.

Team collaboration

Role-based access control with environment-level permissions. Admins, developers, and viewers — each see only what they need.

Full audit trail

Every secret access, change, and rotation is logged. Immutable, append-only audit logs you can export.

Instant sync

Change a secret and every team member gets it immediately. No more "pull the latest .env" messages.

Environment management

Dev, staging, and production — each with their own secrets. Compare and promote between environments.

Enterprise authentication

SSO via SAML & OIDC, SCIM directory sync, social login, MFA, and passkey support — powered by WorkOS.

Secret scanning

Detect 20+ credential patterns in your codebase. Install a pre-commit hook with one command to block leaks before they reach git.

Machine tokens

Scoped CI/CD tokens with automatic expiry, environment hints, and lifecycle management. Revoke, disable, or rotate without redeploying.

AI agent identities

Give Claude Code, Cursor, and Copilot their own scoped credentials with secret allowlists and conditional access policies.

Secure every non-human identity

CI/CD pipelines, AI agents, and machine accounts are the fastest-growing attack surface. secr gives each one a managed identity with lifecycle controls.

Machine Tokens

Scoped tokens for CI/CD with environment hints, automatic expiry, and one-click revocation. No more shared service accounts.

AI Agent Identities

Scoped credentials for Claude Code, Cursor, and Copilot — with secret allowlists so agents only see what they need.

Governance & Compliance

Posture scoring, anomaly detection, and SOC 2-ready compliance reports. See which tokens are stale, over-privileged, or behaving anomalously.

Works with your stack

Plug into your existing deployment pipeline. SDKs for your language, plugins for your platform.

Simple, honest pricing

Start free. Scale when you're ready. No surprises.

Free

$0 forever

For solo developers and small side projects.

  • 3 projects & 100 secrets
  • Version history & promote
  • Dev + Staging environments
  • 7-day audit log

Pro

$6/user/mo

For growing teams shipping to production.

  • Unlimited projects & secrets
  • Rollback & webhooks
  • All environments + 5 custom
  • 30-day audit log
  • CI/CD integrations
  • Machine tokens & agent identities

Team

$14/user/mo

For teams that need advanced controls.

  • Everything in Pro
  • 20 custom environments
  • 90-day audit log
  • Git secret scanning
  • Priority support
  • Google & GitHub social login
  • NHI governance & compliance

Enterprise

Custom

For organizations with strict compliance and identity requirements.

  • SSO via SAML & OIDC
  • SCIM directory provisioning
  • MFA & passkey enforcement
  • 365-day audit retention
  • Dedicated infrastructure
  • SLA & onboarding

Compare plans in detail

                      Free     Pro        Team       Enterprise
Limits
Projects              3        Unlimited  Unlimited  Unlimited
Secrets               100      Unlimited  Unlimited  Unlimited
Team members          1        Unlimited  Unlimited  Unlimited
Custom environments   0        5          20         Unlimited
Audit log retention   7 days   30 days    90 days    365 days
Features
Version history
Secret promotion
Secret rollback
Webhooks
Secret scanning
Secret sharing
CI/CD integrations
Machine tokens
Agent identities
NHI governance & compliance
Priority support
SSO (SAML & OIDC)
SCIM provisioning
Dedicated infrastructure

Frequently asked questions

Can I use secr for free?

Yes! The Free plan includes 3 projects, 100 secrets, version history, and a 7-day audit log. No credit card required.

How does per-seat pricing work?

You pay per team member with access to your organization. Billing is prorated — add or remove seats any time and only pay for what you use.

Can I switch plans later?

Absolutely. Upgrade or downgrade at any time from your dashboard. Upgrades take effect immediately; downgrades apply at the end of the billing cycle.

What payment methods do you accept?

We accept all major credit and debit cards via Stripe. Enterprise customers can pay by invoice.

Is there a free trial for paid plans?

Yes, Pro and Team plans include a 14-day free trial so you can explore all features before committing.

What happens if I exceed my plan limits?

You'll be prompted to upgrade when you hit a limit. Existing secrets and projects are never deleted — you simply can't create new ones until you upgrade or remove some.

Do you offer discounts for startups or open source?

Yes! We offer free Team plans for qualifying open-source projects and discounted pricing for early-stage startups. Contact us for details.

What are non-human identities (NHI)?

Non-human identities are machine tokens, AI agent credentials, and service accounts that access your secrets programmatically. secr manages their full lifecycle — creation, scoping, rotation, and revocation — so you always know what has access and why.

Do I need a paid plan for NHI management?

Machine tokens and agent identities are available on Pro and above. NHI governance features — posture scoring, compliance reports, and anomaly detection — require the Team plan or higher.

Built for security from day one

Envelope encryption. Immutable audit logs. Role-based access control. Read the full security architecture.

AES-256-GCM

Per-project keys wrapped by KMS. Secrets encrypted at rest and in transit.

SOC 2 mapped

Control mapping for CC6, CC7, CC8. Built with compliance audits in mind.

Zero disk

secr run injects secrets into the process. Nothing written to .env files.

Enterprise SSO

SAML & OIDC single sign-on, SCIM directory sync, MFA, and passkeys — so every login is governed by your identity provider.

GitHub · npm · PyPI | AES-256-GCM · TLS 1.3 · SOC 2 mapped