Secrets manager that understands your dependency graph.
Stores API keys. But also tells you who uses them, where, and what breaks if you revoke. Auto-matches NVD/GHSA incidents. Scans npm/Cargo deps for known secret-leak history. All on your laptop.
Free · AGPL-3.0 · Works offline
Day-one capabilities
Everything below is in the free tier. No account required. Open source AGPL-3.0.
Dependency graph
Visual map of Issuer → Credential → Usage → Project → Deployment → URL. Filter by env, search by usage, simulate revocations. The vault speaks the language of your codebase, not just key/value pairs.
Blast radius preview
"What breaks if I revoke this?" — answered before you click. Highlights every service, deployment, and URL that depends on the key. No production accidents.
Incident feed
NVD / GHSA / issuer RSS polled locally and matched to your vault. The relay server never sees what credentials you store. Zero-knowledge.
Supply-chain scan
OSV.dev queried for every npm / Cargo dep with secret-leak history. Lockfile-aware, semver-precise.
RAILGUARD
Auto-generates .cursorrules, CLAUDE.md, Copilot instructions — AI editors can't exfiltrate keys.
Vault Charter recovery
Diceware 6 words + 4-digit verifier. Optional Shamir 2-of-3 split for inheritance. Forget passphrase, not vault.
CLI · MCP · VS Code · JetBrains
secretbank in your terminal. Native MCP server for Claude / Cursor / Copilot Chat. VS Code & JetBrains plugins with hover, code-lens, blast-radius graph.

```
$ secretbank list --json
$ secretbank scan supply-chain --project .
$ secretbank run --project <id> -- npm run deploy
```
Browser Extension — Chrome · Firefox · Edge
The first password manager that brings your dependency graph into the browser. Autofill that knows which credential belongs to which site — and a few things 1Password can't do.
- Autofill that defends itself — closed Shadow DOM traversal, subdomain-safe matching, 3-layer DOM Clickjacking defense (2025 Marek Tóth disclosure).
- Inline dependency mini-graph — hover any credential to see which projects, deployments and URLs it touches. 1Password cannot do this.
- Supply-chain banner — visiting a site whose vendor was breached? NVD/GHSA match shows up in the page, not buried in a feed.
- Save dialog with blast-radius preview — see what else this credential change affects before you confirm rotation.
- MCP context push (opt-in) — Claude / Cursor / Copilot can ask the extension what site you were just on, with a 5-min cooldown per host.
Free during beta
Every feature unlocked for everyone while we polish the experience.
Open source AGPL-3.0. Includes every feature. No account required for local vault.
- Local vault & dependency graph (unlimited)
- Blast radius simulation
- Incident feed (NVD / GHSA)
- Kill Switch + audit log
- RAILGUARD AI editor protection
- Supply-chain scan (OSV.dev)
- CLI · MCP · VS Code · JetBrains plugins
- Vault Charter recovery (Diceware + Shamir 2-of-3)
- Multi-device E2EE sync (up to 5 devices)
Features we'll add after dogfooding and your feedback. Pricing decisions happen with the community when the beta ends.
- General password vault (1Password-style + autofill)
- Auto-rotation with provider hooks
- Auto-revoke (Stripe / GitHub / AWS API)
- Team / org / shared vault (RBAC + SSO)
- Browser extension (Chrome / Firefox / Safari)
- Mobile companion (iOS / Android)
📬 We'd love your feedback during the beta — bug reports, ideas, anything. Drop a note on GitHub Issues.
Existing vaults answer "where is the key?" — none answer "what happens when this key leaks?" or "is the npm package I'm about to install going to phone home with my .env?" That gap is where breaches start. We close it on your laptop, before the breach mail arrives.