Secrets management for humans and agents. One command.
Get Early Access
GitHub
You don't save your passwords in plaintext. Why do that with secrets?  Capy is the easiest way to manage your secrets securely, so you can keep shipping. No Vaults, KMSs, IAM roles, or copy-pasting secrets in Slack.
Seamless Authentication
OAuth, SAML or SSO based authentication grants your agents and collaborators temporary access to your secrets. Credentials self-destruct after a TTL.
.env
NODE_ENV=prod
MY_SECRET_ENV=exposed_key
DATABSE_STRING=db:gone@postgres:5432
3RD_PARTY_KEY=bye_rate_limits
...
Run$ capy
Capy Authentication
Capy logo
Google
GitHub
 Work Email
SSO/SAML
Temporary decrypt key (session or file based)
A7B3F9E2D4C8916F...
Personalized .env (encrypted)
NODE_ENV=capy:7A8E2:m_91Qx_k
MY_SECRET_ENV=capy:B3F9C:ex_45Hy_ey
DATABSE_STRING=capy:D6E1A:db_83Vw_432
3RD_PARTY_KEY=capy:C4B7F:bye_67Jt_its
...
.keep (committed to source control)
NODE_ENV=7A8E2
MY_SECRET_ENV=B3F9C
DATABSE_STRING=D6E1A
3RD_PARTY_KEY=C4B7F
...
Probably the only documentation you'll need
When we say one command, we mean it—capy is all you need to sync, push, and pull variables for a project. Other operations use familiar git primitives.
Getting Started
Run 
capy
$ capy
Found 1 new local variable(s):

VariableValue
ACCESS_TOKENa.........en1 (NEW)
Push all local variables to capy-keep? (y/N)
Managing Access
Run 
capy users
capy invite jon@mycompany.com
capy kick lars@mycompany.com
$ capy users
Found 1 user who has access to this project
(my-secure-project):

UserAdded
me@mycompany.com4 months ago
$ capy invite jon@mycompany.com
Invite jon@mycompany.com to 
"my-secure-project"? (y/N)
Syncing
1. Update your .env file 
-MY_SECRET_ENV=capy:Q94Zd4:Z04...4aFe
+MY_SECRET_ENV=myverysecuresecret123
2. Run
capy
$ capy
You have unsynced variables (1 found).

VariableLocalRemote
MY_SECRET_ENVmyv...123mys...234
? What would you like to do?
❯ Commit all local values
  Retrieve all pinned values
  Individually resolve
  Continue working
Branching
Run 
capy checkout -b staging

capy checkout development
capy checkout staging
$ capy checkout -b staging
? Make "staging" a protected branch? 
✓ Branch "staging" registered
✓ Synced 10 variable(s) for staging

Now on branch: staging

$ capy checkout development
You have uncommitted changes on "staging".
Run capy to commit before switching branches.

$ capy && capy push
$ capy checkout development
✓ Synced 12 variable(s) for development

Now on branch: development
Using
1. Install SDK 
npm install capy-sdk
2. Use
1import capy from 'capy-sdk'
2// decrypts on runtime
3capy.init(process.env)
4
5// use as normal
6fn(process.env.MY_SECRET_ENV)
Deploying
Run 
capy checkout production
capy deploy
$ capy deploy
? Where does this project deploy?
❯ Vercel
  GitHub Actions
  Render
  Railway
  Fly.io
  Heroku

✓ Deploy credentials generated (12 secrets)

Deploy page opened at http://localhost:54213
Set SECRETS_BLOB and PROJECT_KEY on Vercel,
then redeploy.
Pricing
Free
1-3 seats
  • Products
  • KeepKeep (CLI Only)
  • Features
  • AI Agent-compatible SecretOps
  • Access controls for team members and services
  • File-based secrets decryption
  • Zero-trust vault retrieval architecture
  • Secure high-availability HSM storage
  • Encrypted .env files
  • Automated code integration
  • Automated CI/CD integration
Get Early Access
Business
3+ seats
  • Products
  • KeepKeep
    GateGateSageSage
    Coming Soon
  • Features
  • All Free Features +
  • Fine-grained access control
  • Session-based secrets decryption
  • Real-time secrets access revocation
  • Personalized and encrypted .env files
  • SOC2 and HIPAA compliant
  • Observability tools
  • SAML/SSO Authentication
Coming Soon