announcementlaunchsecrets-management

Announcing secr

secr is here. A CLI-first secrets manager that replaces .env files with encrypted, synced environment variables your whole team can share.

secr team·

We built secr because managing secrets shouldn't require a dedicated platform team, a 200-page runbook, or a six-figure contract.

Today, secr is live — free for up to 3 projects.

The problem

Every team we talked to had the same story:

  1. Someone commits a .env file to Git.
  2. New hires DM each other for API keys on Slack.
  3. Production secrets live in a shared 1Password vault that three people have access to.
  4. Nobody knows which secrets are actually in use.

Tools like HashiCorp Vault solve this — but they're built for platform teams with dedicated infrastructure. Most product teams need something simpler.

What secr does differently

secr is a CLI-first secrets manager designed for small-to-mid teams shipping web apps. Three ideas drive the design:

Secrets never touch disk

Run secr run -- npm start and your environment variables are injected directly into the process. No .env file is written. Nothing for an AI coding agent — or a careless git add . — to leak.

Encryption by default

Every secret is encrypted with AES-256-GCM using per-project keys wrapped by your KMS provider. You don't configure this; it just happens.

Environments are first-class

Dev, staging, and production each have their own secret set. Promote a secret from staging to production with a single command:

secr promote DATABASE_URL --from staging --to production
ℹ️

secr supports AWS KMS, Google Cloud KMS, and Azure Key Vault. You can also run with a local key for development.

What's included

secr ships with everything you need for day-to-day secrets management:

  • CLIsecr init, secr set, secr pull, secr run, and more
  • Dashboard — web UI for browsing secrets, managing teams, and viewing audit logs
  • SDKs — TypeScript, Python, and Go
  • Integrations — Vercel, Netlify, and GitHub Actions
  • Secret scanningsecr scan checks your codebase for leaked credentials
  • Import — pull secrets from Vercel, Heroku, Railway, Render, and 10 other providers
  • SSO & SCIM — enterprise identity management out of the box

Getting started

Install the CLI and create your first project in under a minute:

npm install -g @secr/cli
secr login
secr init
secr set DATABASE_URL "postgres://..."
secr run -- npm start

That's it. Your secrets are encrypted, synced, and never written to disk.

What's next

We're working on secret rotation policies, expanded integrations, and more. Check the roadmap to see what's coming.

secr is free for up to 3 projects. Create your account and stop sharing secrets over Slack.

← Back to blog

Ready to get started?

Stop sharing secrets over Slack. Get set up in under two minutes.

Create your account