GitHub, but for secrets
Secure secrets management infrastructure for solos, teams, and AI. 10-second setup.
Schedule a Demo
GitHub
You don't save your passwords in plaintext. Why do that with secrets?  Capy is a developer-first way to manage your secrets securely, so you can keep shipping. With minimal DevOps, you can stop copying and pasting secrets in Slack.
Identity Management
OAuth based authentication grants your agents and collaborators temporary access to locally encrypted secrets, making them revocable at any time.
.env
NODE_ENV=prod
MY_SECRET_ENV=exposed_key
DATABSE_STRING=db:gone@postgres:5432
3RD_PARTY_KEY=bye_rate_limits
Run$ capy
Capy Authentication
Capy logo
Google
GitHub
 Work Email
SSO/SAML
Temporary decrypt key (session or file based)
A7B3F9E2D4C8916F...
Personalized .env (encrypted)
NODE_ENV=capy:7A8E2:m_91Qx_k
MY_SECRET_ENV=capy:B3F9C:ex_45Hy_ey
DATABSE_STRING=capy:D6E1A:db_83Vw_432
3RD_PARTY_KEY=capy:C4B7F:bye_67Jt_its
.keep (committed to source control)
NODE_ENV=7A8E2
MY_SECRET_ENV=B3F9C
DATABSE_STRING=D6E1A
3RD_PARTY_KEY=C4B7F
All the docs you'll need
When we say one command, we mean it—capy is all you need to sync, push, and pull variables for a project. Other operations use familiar git primitives.
Getting Started
Run 
capy
$ capy
Found 1 new local variable(s):

VariableValue
ACCESS_TOKENa.........en1 (NEW)
Push all local variables to capy-keep? (y/N)
Managing Access
Run 
capy users
capy invite jon@mycompany.com
capy kick lars@mycompany.com
$ capy users
Found 1 user who has access to this project
(my-secure-project):

UserAdded
me@mycompany.com4 months ago
$ capy invite jon@mycompany.com
Invite jon@mycompany.com to 
"my-secure-project"? (y/N)
Syncing
1. Update your .env file 
-MY_SECRET_ENV=capy:Q94Zd4:Z04...4aFe
+MY_SECRET_ENV=myverysecuresecret123
2. Run
capy
$ capy
You have unsynced variables (1 found).

VariableLocalRemote
MY_SECRET_ENVmyv...123mys...234
? What would you like to do?
❯ Commit all local values
  Retrieve all pinned values
  Individually resolve
  Continue working
Branching
Run 
capy checkout -b staging

capy checkout development
capy checkout staging
$ capy checkout -b staging
? Make "staging" a protected branch? 
✓ Branch "staging" registered
✓ Synced 10 variable(s) for staging

Now on branch: staging

$ capy checkout development
You have uncommitted changes on "staging".
Run capy to commit before switching branches.

$ capy && capy push
$ capy checkout development
✓ Synced 12 variable(s) for development

Now on branch: development
Using
Prefix any bootstrap command with 
capy run -- [runtime]
$ capy run -- npm start
✓ Decrypted 12 variable(s)

> my-app@1.0.0 start
> next dev

▲ Next.js 15.0
  - Local: http://localhost:3000

process.env.MY_SECRET_ENV is now available.
Deploying
Run 
capy checkout production
capy deploy
$ capy deploy
? Where does this project deploy?
❯ Vercel
  GitHub Actions
  Docker
  Kubernetes
  Fly.io
  Render
  (30+ platforms supported — type to filter)

✓ Deploy credentials generated (12 secrets)

Temporary deploy instructions opened at http://127.0.0.1:54213
Press Ctrl+C to close.
Pricing
Free
1-2 seats (+$10/mo per additional seat)
  • Products
  • KeepKeep (CLI Only)
  • Features
  • AI Agent-controllable SecretOps
  • Access controls for team members and services
  • File-based secrets decryption
  • Zero-trust vault retrieval architecture
  • Secure high-availability HSM storage
  • Encrypted .env files
  • Automated code integration
  • Automated CI/CD integration
Schedule a Demo
On-Premise
Per deployment pricing
  • Products
  • KeepKeep
  • Features
  • All Free Features +
  • Fine-grained access control
  • Session-based secrets decryption
  • Real-time secrets access revocation
  • Personalized and encrypted .env files
  • SOC2, ISO27001, and HIPAA compliant
  • Observability tools
  • SAML/SSO Authentication
Get Early Access