Everything you need to manage secrets securely
Built for developers who use Claude Code. From encryption to team management, every feature is designed to keep your secrets safe and accessible.
Core Security
Envelope Encryption
AES-256-GCM with per-secret encryption keys (DEK), each wrapped by Google Cloud KMS. Zero-knowledge architecture: we never see your values, even at rest.
MCP Access Rules
Tag-based policies enforced server-side before any secret is delivered. Block access entirely, require explicit confirmation, restrict by AI model, or get email notifications. Your rules, your control.
Zero-Knowledge AI Access
Your secrets are used by Claude Code without ever appearing in the AI conversation. Inject mode writes values to a temporary local file that the AI never reads; only the tool output references it.
Inject Mode
Secrets are written to a local temporary file and referenced by path. The AI agent never sees the actual value; it only knows where to find it. Zero exposure in the conversation.
Auto-Cleanup
Temporary files are overwritten with random data on each new access and cleaned up when the session ends. No secret residue left on disk.
Reveal Mode
When you need the AI to work directly with a value, reveal mode returns it in the conversation. Every reveal is audited as a conscious, deliberate action with a distinct badge in the audit log.
Clean Session Termination
Run the byebye command to immediately wipe all temporary files and end your session. All injected secrets are securely overwritten. Nothing lingers after you're done.
Developer Experience
Native MCP Integration
6 lines of config and Claude Code reads your secrets directly. No custom code, no wrappers. Just add the MCP server to your project and go.
TypeScript SDK
Full-featured SDK with automatic machine detection, session management, and MCP rule handling. Works in scripts, CI pipelines, and server-side code.
CLI Tools
Run npx securecode migrate to import your .env files in one command. Use securecode-run to wrap any command with injected secrets. Terminal-first workflow.
Import & Export
Drag-and-drop .env or CSV files with full metadata support. Bulk operations for large projects. Export anytime; your data is never locked in.
Zero-Config Runtime
Call loadEnv() to inject secrets into process.env, or use securecode-run to wrap any command. Your app reads secrets without a single code change.
Smart Security Tips
Real-time recommendations powered by the Tip Engine. Get alerts for expiring keys, detect hardcoded secrets, and follow best practices automatically.
Team & Access Control
Teams & Roles
Invite your team, assign granular roles (owner, admin, editor, viewer), and create fully custom roles with specific permission overrides.
Tag-Based Access
Scope what each team member can see using tags. Assign tag filters per member so they only access secrets relevant to their work.
Device Approval
New devices and MCP servers need explicit approval before accessing any secret. You decide which machines are trusted.
Full Audit Trail
Every access is logged: who, when, which AI model, from what IP. Per-plan retention from 7 days to 365 days. Know exactly what happens with your secrets.
Plan Enforcement & Flexibility
Graceful Downgrades
No data loss, ever. When you downgrade, excess teams are frozen as read-only and MCP rules are disabled, but every secret stays safe and accessible within your new limits.
Custom Plans & Overrides
Per-user extras for VIPs and beta testers. Fully custom plan configurations that go beyond the standard tiers when you need them.
Usage Controls
Hard limits on monthly accesses, API keys, and rate limiting per plan. Clear usage dashboards so you always know where you stand.
Automatic Upgrades
Instant feature unlock when you upgrade. Teams are unfrozen, MCP rules re-enabled, and full access is restored. No waiting, no manual steps.
Vault Visualizer
See your entire vault organized by any tag. Drag groups, zoom in, collapse sections. A bird's-eye view of everything you manage.
Group by Any Tag
Select a tag key and instantly see all your secrets organized into groups. Switch between project, environment, or any custom tag.
Drag, Zoom & Resize
Move groups around the canvas, zoom in to inspect details, and resize groups to show more or fewer secrets. Full spatial control.
Collapse & Expand
Collapse groups you don't need right now and expand the ones you're working on. Focus on what matters without losing the big picture.
Status at a Glance
Expired secrets are highlighted in red. Access counts show how frequently each secret is used. Spot issues before they become incidents.
Chrome Extension
Generate secure credentials from any browser tab and save them directly to your SecureCodeHQ vault. No context switching.
Built-in Generators
Passwords, API keys, JWT secrets, encryption keys, UUIDs. All generators available from the extension popup, ready to copy or save.
Save to Vault
One click to save any generated credential directly to your SecureCodeHQ vault with name, tags, and expiration. No manual copy-paste.
Site-Aware Context
The extension detects which site you're on and suggests relevant tags and configurations. Context without effort.
Developer Mode
Toggle dev mode to test against your development environment. Switch between production and development without changing settings.
Ready to secure your secrets?
Start free with 50 secrets. No credit card required.