Capy is designed to make your secrets management much simpler. Our CLI works with a single command, capy, but it’s also MUCH more powerful than that. Explore a bit more, and you’ll find that it basically behaves like git, but for secrets. It links to your actual version control through a keep.lock, a versioning manifest that lives in your repo and shows up in PR diffs.

Unlike other secrets managers, which have a separate UI, capy treats secrets like the rest of your code while keeping them secure, and gives you the most ergonomic method for managing and keeping track of them without needing to commit them to source control.
Capy is not just a CLI! It’s also a ridiculously easy-to-use, batteries-included secrets manager that incorporates compliance features like audit logging and the strongest zero-trust cryptography patterns. A subpoena, a breach, or a rogue employee on Capy’s side yields only ciphertext that is useless without your private key.

All of this works incredibly well under the hood. Five commands are all you need!
brew install capysc/tap/capy    # or: npm i -g @capy/cli

capy                             # sync secrets (like git pull)
capy invite alice@example.com    # share with teammates
capy run -- python app.py        # run with decrypted secrets
capy deploy                      # ship to prod

Why teams pick Capy

  • The CLI you already know. capy checkout staging lines up with git checkout staging. capy push ships your branch’s secrets. capy kick reads as cleanly as git revert. No new mental model.
  • Branches that match git. Capy’s branch model pins to your git branch, and post-checkout/post-merge hooks keep .env in sync as you move around the tree.
  • PR-reviewable secret diffs without exposing values. keep.lock is the only thing committed — a small manifest with no keys or plaintext — so changes show up in code review the same way schema migrations do.
  • Zero-trust storage, not a feature flag. The service stores ciphertext. There is no mode where it doesn’t. See zero-trust.
  • Cryptographic revocation. capy kick doesn’t flip a database flag — it makes the kicked user’s local key material inert. Remaining members keep using their existing keys. See kicking.
  • Headless. No dashboard, no daemon, no SDK. Your code reads process.env. There is nothing to host, import, or stay logged into.

Get started

Pick your runtime and be up in under two minutes.

How it works

The cryptographic design behind Capy’s zero-trust model.

Compare

Capy vs. Doppler, Infisical, dotenvx, AWS Secrets Manager, SOPS.

License

What Capy’s AGPL-3.0 license means for your team.
Last modified on May 20, 2026