An Encrypted API Key Vault Built for Developers

PassCryp's API Key Vault is purpose-built for secrets developers actually deal with: AWS access keys, Stripe live keys, OpenAI tokens, GitHub PATs, database URLs. Each key is encrypted client-side, tagged by provider, and tracked for expiry.

Start your free vault Security model

Provider-aware storage

AWS, Stripe, OpenAI, GitHub, Vercel, Supabase presets with the right fields and metadata for each.

Expiry alerts

Set a rotation date — get an email and in-vault alert before a key expires, not after production breaks.

Per-environment grouping

Tag keys as dev, staging, or production. Filter the vault by environment in one click.

Reveal once, copy with auto-clear

Keys default to masked. Reveal copies to clipboard with a 30-second auto-clear so they don't linger.

Encrypted notes per key

Document scope, rotation policy, and owner inside the same encrypted item.

Audit history

Every reveal and copy is logged locally so you know which keys you've touched recently.

Why developers need an API key vault, not a password manager

Generic password managers were designed for website logins. API keys break their assumptions: they're long opaque tokens, they rotate on a schedule, they belong to environments not sites, and a single leaked key can drain an AWS account in hours.

PassCryp's API Key Vault adds the missing structure. Each entry has a provider (so the UI knows what fields matter), an environment tag, an expiry date, and an owner. The vault knows the difference between a Stripe sk_live_ and an sk_test_; it warns you before a token expires; it groups keys by project so handoffs are clean.

Underneath, the encryption is the same as the rest of PassCryp: AES-256-GCM with Argon2id, client-side, zero-knowledge. We see ciphertext only.

How to store an AWS, Stripe, or OpenAI key

Open the vault, click New API Key, and pick a provider. The form auto-shapes — AWS gets Access Key ID and Secret Access Key fields; Stripe gets a single secret with live/test detection; OpenAI gets an org ID and key.

Set an expiry date or leave it open. Tag the environment. Add a note describing scope. Click Save — the key encrypts client-side and uploads as a ciphertext blob. From any other device, unlock the vault and the key is there, ready to reveal.

When the expiry date is 7 days away, you get an in-vault badge and an optional email. After the date passes, the key is marked stale and surfaced at the top of the vault until you rotate it.

Stop leaking keys in .env files

Every dev has done it: a .env file checked in by accident, an API key pasted in Slack, a secret hard-coded in a notebook. PassCryp gives you one place these belong, with an extension that surfaces the right key on the right domain so you don't fall back to copy-pasting.

Combined with the included pre-commit hook in the docs, you can detect committed keys, rotate them in PassCryp, and update your deployment environment without ever putting plaintext in your terminal history.

Frequently asked questions

How is this different from a password manager?

Provider-aware fields, expiry alerts, environment tags, and per-project grouping built specifically for API keys — not generic login items.

Which providers are supported?

Presets for AWS, Stripe, OpenAI, Anthropic, GitHub, GitLab, Vercel, Netlify, Supabase, Twilio, SendGrid, plus generic API keys.

Can my team share API keys?

Yes — Premium teams share API keys via shared vaults with per-member key wrapping. Revoke a teammate and the vault key rotates instantly.

Does PassCryp ever see my keys?

No. Keys encrypt client-side with AES-256-GCM. We store ciphertext only.

Can I export keys for CI?

Yes — encrypted JSON export, plus a CLI in beta that lets you `passcryp env > .env` locally without syncing plaintext.

What happens when a key expires?

In-vault badge 7 days out and an optional email. After expiry, the key is flagged stale until rotated.

Ready to take control of your secrets?

Start a free zero-knowledge vault in under 60 seconds.

Start your free vault