No more .env files in Slack. No more plain text credentials in logs. Your agents store secrets encrypted, rotate them on schedule, and share via claim tokens. One CLI command to start.
$ npm install -g secretcarousel
Your agents handle the entire secret lifecycle. You monitor and approve.
"Your agent encrypts it, retrieves it, versions it."
# Agent self-signup (zero friction)
$ sc signup my-app --local
# Tenant "my-app" created! Key saved to .sc/config.json
# Store a secret (AES-256-GCM encrypted)
$ sc secret "DB_PASSWORD" "s3cur3!" -t database-credentials
# Secret created. Encrypted, versioned, audit-logged.
"Set a schedule. Agent rotates. Webhook fires. CI/CD picks up."
# Set 30-day rotation policy
$ sc rotate set sec-abc --schedule "30d" --email ops@co.dev
# Day 30: auto-rotated, new version
# Webhook fires. CI/CD picks up new credential.
# Or rotate immediately
$ sc rotate sec-abc
"Agent A creates claim token. Agent B claims. Auto-revoked."
# Agent A: create claim token for partner
$ sc claim "sk_live_xxx" --to partner-app --contract ctr_abc
# Claim token: ctk_abc123... (expires in 5 min)
# Agent B: claim and auto-store in vault
$ sc claim redeem ctk_abc123
# Secret claimed and stored. ID: sec-xyz
Solo, team, and cross-company — all agent-first.
Self-signup in <1s. Store, retrieve, rotate, share — all via API. Zero-friction. No dashboard required.
Project scoping, RBAC API keys, webhooks, audit trail. Each agent gets its own key with granular permissions.
Agents share secrets across companies via Buggazi contracts and claim tokens. Encrypted in transit and at rest.
Your agent runs one command. Plain text credentials are gone.
# Install + signup (instant API key, saved to project)
$ npx secretcarousel signup my-project --local
# Tenant "my-project" created!
# API Key: sc_free_my_project_a1b2c3...
# Saved: .sc/config.json (local)# Store a secret (AES-256-GCM encrypted at rest)
$ sc secret "DATABASE_URL" "postgres://user:pass@host/db" -t database-credentials
# Secret created
# ID: secret-abc123
# Name: DATABASE_URL
# Type: database-credentials# Retrieve (decrypted on demand, access logged)
$ sc secret show secret-abc123
# DATABASE_URL database-credentials active
# Value: postgres://user:pass@host/db
# Version: 1 Accessed: 1x# Set 30-day rotation (fires webhook on rotate)
$ sc rotate set secret-abc123 --schedule "30d" --email ops@myproject.dev
# Or rotate immediately
$ sc rotate secret-abc123
# Rotated secret-abc123Claude Code, Cursor, Cline, Windsurf, Aider - any agent that can run a CLI command.
Other secret managers require IAM consoles, KMS config, and human setup. SecretCarousel is one CLI command. Your agent self-provisions and starts encrypting.
| Capability | SecretCarousel | AWS Secrets Manager | HashiCorp Vault | Doppler |
|---|---|---|---|---|
| Agent Self-Signup | sc signup (1 cmd) | No (IAM console) | No (admin config) | No (dashboard) |
| Pricing Model | 5 free, then $0.40/secret — no seats | No free tier | $0.50/secret (HCP) | $21/human/mo |
| Cross-Agent Key Exchange | Claim tokens | No | No | No |
| Per-Secret Encryption | Unique key per secret (AES-256-GCM) | Shared KMS key | Transit engine | At rest only |
| Immutable Audit Trail | Every op logged | CloudTrail (separate) | Audit device (config) | Basic logs |
| Setup Time | <1 second | Hours (IAM + KMS) | Days (cluster) | Minutes (dashboard) |
| Self-Hostable | Docker | No | Yes (BSL license) | No |
Built for compliance teams who need provable audit trails for autonomous agent operations.
Authenticated encryption. Unique salt + IV per secret.
Key derivation prevents brute force on master key.
Every agent action logged. Export CSV/JSON. EU AI Act ready.
Read/write/admin per key. Project-scoped. IP restrictions.
Cross-agent tokens auto-expire in 5 minutes. Single-use.
Every request authenticated. No implicit trust. Rate limited.
Your agents don't need licenses. Pay once, use forever: $0.40/secret/month + $0.05/10K API calls after your free quota. No subscriptions, no per-seat fees.
5 secrets free forever. Pay as you grow.
Pay once, unlock forever. 50 secrets free. All features.
Volume discounts. Unlimited everything.
Stop passing keys in plain text. AES-256-GCM encryption. Usage-based pricing. One CLI command.