UI Coming Soon

Keep your secrets safe

Turn-key secrets storage, retrieval, and observability.

Overview

Secrets

Provenance

Users

Audit Log

Rotation

Settings

my-project / Provenance

Name

Value

Users

Env

DATABASE_URL

pg://***...e4f2

3 Users

production

alice@acme.co

bob@acme.co

github-action

API_KEY

sk-***...m9k2

5 Users

production

alice@acme.co

carol@acme.co

deploy-bot

dan@acme.co

eve@acme.co

AWS_SECRET_KEY

AKI***...p3r1

2 Users

development

bob@acme.co

ci-bot

STRIPE_SECRET

sk_***...v7x4

1 User

production

carol@acme.co

REDIS_URL

redis://***...8080

4 Users

local

alice@acme.co

bob@acme.co

dan@acme.co

deploy-bot

JWT_SECRET

ey***...9xQ2

2 Users

production

api-server

auth-svc

SMTP_PASSWORD

SG.***...kL7m

2 Users

production

mailer-svc

alice@acme.co

GH_TOKEN

ghp_***...Wn4r

1 User

development

ci-bot

Zero-trust secrets storage and retrieval. Dedicated security hardware.

Capy syncs your secrets as encrypted blobs on dedicated security (HSM) infrastructure. Only you and your applications can decrypt them. Even we can't.

You (Owner)

$ capy

Encrypt

master key

Encrpyted Secrets

HSM Storage

alice@acme.co

deploy-agent

prod-app

Decrypt

local key

ci key

prod key

SECRET=test_...v7x4

SECRET=sk_...a434

SECRET=sk_...f14e

Know where every secret came from and where it went

Trace the full lifecycle of every credential. See who created it, which services consume it, and when it was last rotated — all from a single view.

DATABASE_URL

pg://***...e4f2

Created by

alice@acme.co

Jan 15, 2025

Consumed by

api-server

● Active

Consumed by

bg-worker

● Active

Last Rotated

Mar 1, 2025

Automated

The right secrets, to the right people, at the right time

Fine-grained permissions let you control exactly who and what can access each secret. No more shared credentials, no more over-provisioned access.

Engineering

Frontend

5 secrets

✓ API_KEY

✓ STRIPE_KEY

Agents

8 secrets

✓ DATABASE_URL

✓ API_KEY

✓ REDIS_URL

DevOps

15 secrets

✓ AWS_SECRET

✓ DATABASE_URL

✓ REDIS_URL

Audit Logs

A complete, tamper-proof log of every secret access, modification, and rotation. Built for compliance, useful for debugging.

14:23:01alice@co.comaccessedDATABASE_URLprod

14:20:15bob@co.comrotatedAPI_KEYstaging

13:55:42systemauto-rotatedAWS_SECRETprod

13:30:00carol@co.comcreatedSTRIPE_KEYdev

12:15:33alice@co.comsyncedprod → staging

11:42:18dave@co.comaccessedREDIS_URLprod

11:20:05systemrevokedOLD_API_KEYprod

10:58:44bob@co.cominvitedcarol@co.com

14:23:01alice@co.comaccessedDATABASE_URLprod

14:20:15bob@co.comrotatedAPI_KEYstaging

13:55:42systemauto-rotatedAWS_SECRETprod

13:30:00carol@co.comcreatedSTRIPE_KEYdev

12:15:33alice@co.comsyncedprod → staging

11:42:18dave@co.comaccessedREDIS_URLprod

11:20:05systemrevokedOLD_API_KEYprod

10:58:44bob@co.cominvitedcarol@co.com

Git-style branching for your secrets

Every environment is a branch. capy checkout blocks on uncommitted or unpushed changes, then syncs the right secrets to your .env. Protected branches are invite-only, so production credentials never leak into a developer’s laptop by accident.

Keep your secrets safe

Zero-trust secrets storage and retrieval. Dedicated security hardware.

Know where every secret came from and where it went

The right secrets, to the right people, at the right time

Audit Logs

Git-style branching for your secrets

Ready to secure your secrets?