opaqueSecrets vault for AI agents

Secrets live on the server — never in .env files, never in LLM context. One Ed25519 keypair. Zero leaks.

Zero .env leaks

Secret values never touch your repository, your deployment config, or your LLM's context window. The only thing that persists outside the vault is a single Ed25519 private key per project.

Ed25519 authentication

Every request is signed with RFC 9421 HTTP Message Signatures. No bearer tokens in your app code — just a keypair. Rotate it without downtime using a 10-minute overlap window.

AES-256-GCM at rest

All secret values are encrypted in the database with AES-256-GCM. The master key lives in an environment variable, never in the database. LibSQL/SQLite locally, Turso for production edge.

Write-only dashboard

The built-in Vue 3 dashboard lets you manage projects and secrets without ever displaying values. No reveal button. No copy-to-clipboard. Write-only by design.

Full audit log

Every secret fetch is logged with a timestamp, IP address, project ID, and environment. Know exactly when and where your secrets were accessed.

Framework adapters

Drop-in adapters for Node.js, Next.js, and Nuxt. Or use the zero-dependency core SDK directly in any runtime with fetch and WebCrypto.

Install in 60 seconds

bash

# Install the CLI
npm install -g @florianjs/opaque-cli

# Point it at your vault
export OPAQUE_VAULT_URL="https://vault.example.com"
export OPAQUE_ADMIN_TOKEN="<your admin token>"

# Register your app — prints OPAQUE_PRIVATE_KEY
opaque register --project my-app

# Add a secret
opaque set --project my-app --env production DATABASE_URL=postgres://...

Then add three env vars to your app:

bash

OPAQUE_PRIVATE_KEY="<printed by opaque register>"
OPAQUE_VAULT_URL="https://vault.example.com"
OPAQUE_PROJECT="my-app"

That is all your app needs. At boot, the SDK signs a request, fetches all secrets, and injects them into process.env. Your application code reads from process.env as usual.

Self-hosted by design

opaque is not a SaaS product. You run the vault on your own infrastructure — a VPS, a Docker container, Fly.io, or anywhere Bun runs. Your secrets never leave your control.