Encrypted local secrets → Deployment platforms.
cred stores encrypted secrets locally and safely pushes them to target platforms on demand.
cred is not:
- A hosted secrets manager
- A multi-user access control system
- A replacement for HashiCorp Vault or AWS Secrets Manager
- A runtime secret injector
cred is for:
- Solo developers managing secrets on a single machine
- Open-source maintainers who push secrets to deployment platforms
- Anyone who wants local-first secrets without running infrastructure
Homebrew:
brew tap edneedham/cred
brew install edneedham/cred/cred
Shell:
curl -fsSL https://raw.githubusercontent.com/edneedham/cred/main/scripts/install.sh | sh -s
Cargo:
cargo install cred
Pre-built binaries: GitHub Releases
# Initialize a project (auto-detects targets from git, fly.toml, etc.)
cred init
# Authenticate with a target (per-project, fine-grained token)
cred target set github
# Store a secret
cred secret set DATABASE_URL "postgres://..."
# Optional: scope a secret to a target (v0.14.0+)
cred secret set NEXT_PUBLIC_API_URL "https://..." --targets vercel
# Push to GitHub (no --repo needed, uses saved binding)
cred push github
See the Getting Started guide for more.
- Encrypted vault — Secrets stored locally with ChaCha20-Poly1305
- Environments — Organize secrets by context (dev, staging, prod)
- Version history — Track changes, rollback to previous versions
- Sources — Generate credentials from APIs (Resend)
- Targets — Push secrets to deployment platforms (GitHub Actions, Vercel, Fly.io)
- OS keyring — Tokens stored in macOS Keychain, GNOME Keyring, or Windows Credential Manager
- Automation-ready — --json, --dry-run, --non-interactive flags
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT License (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your choice.