Secure secrets, zero config leaks
Store encrypted credentials. Inject them as environment variables at runtime. They are never logged, never exposed in traces.
How it works
Store, bind, use — that's it
Store a secret
Create a key-value pair. It is encrypted with AES-256-GCM and stored encrypted at rest.
Bind to a function
Link any secret to any function. It is injected automatically at invocation time — no extra code.
Use in your code
Access it via process.env.MY_SECRET (or os.environ in Python). Automatically redacted from logs and traces.
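How value-based redaction of injected secrets can work, as an added example (not the platform's own code): the scrubber below masks each bound secret in log lines, including its URL-encoded, base64 and JSON-escaped forms. The secret names and values, the log lines, the MIN_LEN threshold and the [REDACTED:NAME] marker are constructed for illustration.

```javascript
// Added illustration: value-based log redaction. Not the platform's implementation.
const MIN_LEN = 8; // assumption: shorter values are skipped so ordinary text is not masked

// Constructed sample data (hypothetical names and values).
const SAMPLE_SECRETS = {
  OPENAI_API_KEY: "sk-constructed-EXAMPLE-0001",
  DB_PASSWORD: "p@ss w0rd/&=1",
  PIN: "1234",
};
const SAMPLE_LINES = [
  "calling upstream with key sk-constructed-EXAMPLE-0001",
  "GET /v1/db?password=p%40ss%20w0rd%2F%26%3D1",
  "retry after 1234 ms",
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// secrets: { NAME: value }, the same pairs that are injected as env vars.
function buildRedactor(secrets) {
  const nameByForm = new Map();
  for (const [name, value] of Object.entries(secrets)) {
    if (typeof value !== "string" || value.length < MIN_LEN) continue;
    const forms = [
      value,
      encodeURIComponent(value),                      // query strings, form bodies
      Buffer.from(value, "utf8").toString("base64"),  // encoded headers, tokens
      JSON.stringify(value).slice(1, -1),             // JSON-escaped in structured logs
    ];
    for (const form of forms) if (!nameByForm.has(form)) nameByForm.set(form, name);
  }
  if (nameByForm.size === 0) return (line) => String(line);
  // Longest first: alternation takes the first alternative that matches.
  const forms = [...nameByForm.keys()].sort((a, b) => b.length - a.length);
  const pattern = new RegExp(forms.map(escapeRegExp).join("|"), "g");
  return (line) =>
    String(line).replace(pattern, (hit) => `[REDACTED:${nameByForm.get(hit)}]`);
}

// Runs the scrubber over the constructed lines and returns the masked output.
function redactSample() {
  return SAMPLE_LINES.map(buildRedactor(SAMPLE_SECRETS));
}

console.log(redactSample().join("\n"));
```

A secret embedded in a larger encoded blob, such as the base64 of user:secret in a Basic auth header, matches none of these forms, so logging request headers wholesale still needs its own control.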
Features
Enterprise-grade secret management
AES-256-GCM encryption
Industry-standard encryption at rest. No plaintext ever written to disk.
AWS Secrets Manager
Use your existing AWS secrets without migrating them. Switch providers with one config change.
Full audit trail
Every read, write, and delete is logged with timestamp, actor, and IP address.
Auto-injection
Secrets become env vars at runtime — no SDK, no extra dependency, no code change needed.
Example
Bind a secret, use it in your function
// Bind secret to function via API
// (`api` is assumed to be an already-initialised platform API client)
await api.functions.bindSecret({
  functionId: "ai-summarizer",
  secretKey: "OPENAI_API_KEY",
});
// Secret injected automatically at runtime
// No redeploy needed

// In the function's source file
import OpenAI from "openai";

export async function handler(event, context) {
  // Secret is available as env var — never logged
  const openai = new OpenAI({
    apiKey: process.env.OPENAI_API_KEY,
  });

  // Send the caller's prompt to the model
  const completion = await openai.chat.completions.create({
    model: "gpt-4o-mini",
    messages: [{ role: "user", content: event.body.prompt }],
  });

  return {
    statusCode: 200,
    body: { result: completion.choices[0].message.content },
  };
}