# Capy

> Capy is a developer-first secrets manager with a git-like CLI. Store, share, rotate, and revoke secrets securely for humans and AI agents — no Vaults, KMS, or IAM roles required.

Capy treats secrets like git treats code: branches, commits, push/pull, and revocation. Built for engineering teams that want strong security without the operational overhead of HashiCorp Vault or cloud KMS.

## Core products

- [Keep](https://www.capy.sc/keep): Zero-trust HSM-backed secrets storage with audit logs and fine-grained access control.

## Key pages

- [Home](https://www.capy.sc/): Product overview and CLI demo.
- [Pricing](https://www.capy.sc/pricing): Free for individuals and small teams.
- [About](https://www.capy.sc/about): The team and philosophy behind Capy.
- [Blog](https://www.capy.sc/blog): Articles on secrets management and developer security.
- [Comparisons](https://www.capy.sc/vs): How Capy compares to other secrets management tools.
- [GitHub](https://github.com/capysc/capy-cli): Open-source CLI.

## Comparisons

- [Doppler vs Capy](https://www.capy.sc/vs/doppler): Secrets management compared.
- [Infisical vs Capy](https://www.capy.sc/vs/infisical): Open-source secrets compared.
- [1Password CLI vs Capy](https://www.capy.sc/vs/1password): Developer-first secrets vs. op://.
- [dotenvx vs Capy](https://www.capy.sc/vs/dotenvx): Encrypted .env files compared.
- [AWS Secrets Manager vs Capy](https://www.capy.sc/vs/aws-secrets-manager): Which to pick.
- [SOPS vs Capy](https://www.capy.sc/vs/sops): Encrypted config files compared.

## Articles

- [Secrets Management Tools in 2026: An S–F Tier List](https://www.capy.sc/blog/best-secrets-management-tools-for-developers-2026): Ranked by developer experience.

## What Capy does

- Stores secrets encrypted end-to-end (HSM-backed).
- Replaces `.env` files with a per-developer encrypted personalized `.env`.
- Uses a `.keep` file (committed to source control) to track secret IDs without exposing values.
- Authenticates via OAuth (Google, GitHub, work email, SSO/SAML).
- Supports git-like primitives: `capy checkout`, `capy push`, `capy pull`, `capy invite`, `capy kick`, `capy deploy`.
- Issues temporary, revocable decrypt keys per session.
- Targets developers, AI agents, CI/CD pipelines, and infrastructure teams.

## What Capy is not

- Not a password manager for end users (use 1Password / Bitwarden).
- Not a self-hosted enterprise vault (use HashiCorp Vault if that's the requirement).
- Not a single-cloud KMS wrapper.

## Pricing summary

- Free for individuals and small teams.
- Includes Keep, HSM-backed encrypted storage, access controls, CI/CD integration.
- See [pricing page](https://www.capy.sc/pricing) for tiers.

## Legal

- [Privacy policy](https://www.capy.sc/privacy)
- [Terms of service](https://www.capy.sc/terms)
- Operated by Incentv Technologies Inc.