Features How It Works Pricing Security Log In Quickstart
Your Agent's Vault

Agents store secrets.
Agents rotate credentials.
Agents share keys.

No more .env files in Slack. No more plain text credentials in logs. Your agents store secrets encrypted, rotate them on schedule, and share via claim tokens. One CLI command to start.

$ npm install -g secretcarousel

0 Secrets Stored
0 Tenants
0 API Calls
0 Secrets Shared
Platform Activity
The Problem

Your agents handle credentials all day. Every one of them is in plain text.

Today

  • Agent needs a DB password
  • It lands in .env, a log, or a Slack DM
  • No audit trail — who accessed what?
  • No rotation — credentials go stale
  • No encryption at rest
  • Sharing? Copy-paste in DMs
  • One leak exposes everything

With SecretCarousel

  • Agent self-provisions in <1 second
  • Stores encrypted (AES-256-GCM)
  • Every access audit-logged
  • Auto-rotation on schedule
  • Unique encryption key per secret
  • Claim tokens for cross-agent sharing
  • Encrypted, audited, autonomous
How It Works

Three Autonomous Loops

Your agents handle the entire secret lifecycle. You monitor and approve.

The Vault Loop

"Your agent encrypts it, retrieves it, versions it."

# Agent self-signup (zero friction) $ sc signup my-app --local # Tenant "my-app" created! Key saved to .sc/config.json # Store a secret (AES-256-GCM encrypted) $ sc secret "DB_PASSWORD" "s3cur3!" -t database-credentials # Secret created. Encrypted, versioned, audit-logged.

The Rotation Loop

"Set a schedule. Agent rotates. Webhook fires. CI/CD picks up."

# Set 30-day rotation policy $ sc rotate set sec-abc --schedule "30d" --email ops@co.dev # Day 30: auto-rotated, new version # Webhook fires. CI/CD picks up new credential. # Or rotate immediately $ sc rotate sec-abc

The Key Exchange Loop

"Agent A creates claim token. Agent B claims. Auto-revoked."

# Agent A: create claim token for partner $ sc claim "sk_live_xxx" --to partner-app --contract ctr_abc # Claim token: ctk_abc123... (expires in 5 min) # Agent B: claim and auto-store in vault $ sc claim redeem ctk_abc123 # Secret claimed and stored. ID: sec-xyz
Features

Three Modes. One API Key.

Solo, team, and cross-company — all agent-first.

Solo Agent

Self-signup in <1s. Store, retrieve, rotate, share — all via API. Zero-friction. No dashboard required.

  • AES-256-GCM encryption at rest
  • Secret versioning + rollback
  • Time-limited share links
  • Complete audit trail

Multi-Agent Team

Project scoping, RBAC API keys, webhooks, audit trail. Each agent gets its own key with granular permissions.

  • Project-scoped API keys
  • Read / Write / Admin permissions
  • Webhook notifications
  • Auto-rotation policies

Cross-Agent Collaboration

Agents share secrets across companies via Buggazi contracts and claim tokens. Encrypted in transit and at rest.

  • One-time claim tokens (5min TTL)
  • Buggazi bilateral contracts
  • Auto-revoke after claim
  • Contract validated at both ends
Quickstart

30 Seconds to Your First Secret

Your agent runs one command. Plain text credentials are gone.

# Install + signup (instant API key, saved to project) $ npx secretcarousel signup my-project --local # Tenant "my-project" created! # API Key: sc_free_my_project_a1b2c3... # Saved: .sc/config.json (local)
# Store a secret (AES-256-GCM encrypted at rest) $ sc secret "DATABASE_URL" "postgres://user:pass@host/db" -t database-credentials # Secret created # ID: secret-abc123 # Name: DATABASE_URL # Type: database-credentials
# Retrieve (decrypted on demand, access logged) $ sc secret show secret-abc123 # DATABASE_URL database-credentials active # Value: postgres://user:pass@host/db # Version: 1 Accessed: 1x
# Set 30-day rotation (fires webhook on rotate) $ sc rotate set secret-abc123 --schedule "30d" --email ops@myproject.dev # Or rotate immediately $ sc rotate secret-abc123 # Rotated secret-abc123

Claude Code, Cursor, Cline, Windsurf, Aider - any agent that can run a CLI command.

Comparison

AWS Is Infrastructure for Humans. This Is a Vault for Agents.

Other secret managers require IAM consoles, KMS config, and human setup. SecretCarousel is one CLI command. Your agent self-provisions and starts encrypting.

Capability SecretCarousel AWS Secrets Manager HashiCorp Vault Doppler
Agent Self-Signup sc signup (1 cmd) No (IAM console) No (admin config) No (dashboard)
Pricing Model 5 free, then $0.40/secret — no seats No free tier $0.50/secret (HCP) $21/human/mo
Cross-Agent Key Exchange Claim tokens No No No
Per-Secret Encryption Unique key per secret (AES-256-GCM) Shared KMS key Transit engine At rest only
Immutable Audit Trail Every op logged CloudTrail (separate) Audit device (config) Basic logs
Setup Time <1 second Hours (IAM + KMS) Days (cluster) Minutes (dashboard)
Self-Hostable Docker No Yes (BSL license) No
Security

Every Agent Action Logged. Every Secret Encrypted.

Built for compliance teams who need provable audit trails for autonomous agent operations.

AES-256-GCM

Authenticated encryption. Unique salt + IV per secret.

PBKDF2 (100K iterations)

Key derivation prevents brute force on master key.

Immutable Audit Trail

Every agent action logged. Export CSV/JSON. EU AI Act ready.

Scoped API Keys

Read/write/admin per key. Project-scoped. IP restrictions.

Claim Token TTL

Cross-agent tokens auto-expire in 5 minutes. Single-use.

Zero Trust

Every request authenticated. No implicit trust. Rate limited.

SOC 2 Ready
HIPAA Ready
PCI DSS Ready
GDPR Ready
EU AI Act Ready
Pricing

Priced for Agents, Not Seats.

Your agents don't need licenses. Pay once, use forever: $0.40/secret/month + $0.05/10K API calls after your free quota. No subscriptions, no per-seat fees.

Free
$1 one-time

5 secrets free forever. Pay as you grow.

  • 5 secrets free forever
  • 10K API calls free/month
  • Then $0.40/secret/month
  • Then $0.05/10K API calls
  • AES-256-GCM encryption
  • 7-day audit log
  • REST API + 9 SDKs
  • Rotation
  • Sharing
Get API Key ($1)
Enterprise
Custom

Volume discounts. Unlimited everything.

  • Volume pricing (negotiated)
  • Unlimited everything
  • SSO / SAML
  • Encrypted backups
  • On-premise deployment
  • Unlimited audit retention
  • Custom SLA
  • Dedicated support
  • Kubernetes + Terraform
Contact Sales
$1 keeps the platform spam-free. Compare: AWS charges $0.40/secret + $0.05/10K calls with no free tier. We include 5 secrets free forever.

Your agents store, rotate, and share secrets. You just watch.

Stop passing keys in plain text. AES-256-GCM encryption. Usage-based pricing. One CLI command.

Free tier forever
<1s agent signup
AES-256-GCM
EU AI Act ready