A Password Manager Built for Developers

PassCryp treats API keys, SSH keys, and TOTP codes as first-class citizens — not bolt-on secure notes. Built by developers for developers, with a CLI, an open-source browser extension, and zero-knowledge AES-256-GCM encryption.

API keys, not secure notes

Provider-aware fields for AWS, Stripe, OpenAI, GitHub. Expiry alerts. Per-environment tags.

SSH key storage

Store private keys encrypted client-side. Copy public keys to paste into provider UIs.

TOTP built in

2FA codes are generated inside the vault. No second app needed.

CLI in beta

`passcryp get aws-prod` returns the secret on stdout. No plaintext on disk.

Open-source browser extension

Audit every line that touches your master password. Chrome, Edge, Brave.

Zero lock-in

Encrypted JSON export anytime. Import from every major manager. Your data is yours.

Why generic password managers fail developers

1Password and Bitwarden treat API keys as text in a Secure Note. There's no provider awareness, no expiry tracking, no environment tagging. You end up storing the same kind of data in three different shapes — and rotating becomes manual archaeology.

PassCryp's data model knows the difference between a login, an API key, an SSH key, a credit card, and a secure note. Each type has the right fields, the right UI, and the right alerts. Provider presets cover AWS, Stripe, OpenAI, GitHub, Vercel, Supabase, and dozens more.

Workflow for a typical dev day

Morning standup: unlock the vault with your master password. The extension is active across every tab. Open the dashboard for a side project, copy the Stripe test key from the vault (auto-clear in 30s), and you're moving.

Pair-programming session: share the project vault with your collaborator. They unlock with their own master password; the per-vault key is wrapped to their public key. Revoke them when the session ends and the vault key rotates instantly.

End of week: open the expiry tab and see the 3 API keys rotating next week. Rotate upstream, update PassCryp, and CI picks up the new values automatically.

What the CLI looks like

`passcryp unlock` prompts for your master password and caches the vault key in shell session memory (never on disk). `passcryp get <name>` returns the secret on stdout — pipe it anywhere. `passcryp env --project myapp --env prod` exports project env vars to your shell without writing a file.

Auth is per-machine: each shell gets a session that expires on idle. No plaintext token sits in `~/.config` waiting to be copied. Same zero-knowledge model as the web vault, just with a TTY.

Frequently asked questions

Is this overkill for solo developers?

No. The free tier covers most solo workflows. Premium adds the API key vault for $2.99/month.

Does the CLI store plaintext?

Never. Vault keys live in shell session memory; secrets pipe to stdout. Nothing is written to disk.

Can I use Git pre-commit hooks?

Yes — the docs include a hook that scans staged files for known key formats and aborts the commit if any are found.
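
One way such a hook can work, as an added example that is not PassCryp's own hook: it reads each staged blob from the index, so it checks what will actually be committed rather than the working-tree file. The four patterns are publicly documented key formats chosen here as assumptions, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not PassCryp's hook. The four patterns are publicly
# documented token formats picked for illustration (assumption).

# match NAME REGEX: report when $content (set by scan_text) matches REGEX.
match() {
    if printf '%s\n' "$content" | LC_ALL=C grep -Eq -e "$2"; then
        printf '%s: possible %s\n' "$label" "$1"
        return 0
    fi
    return 1
}

# scan_text LABEL: scan stdin; print one line per rule hit.
# Returns 0 when clean, 1 when any rule matched.
scan_text() {
    label=$1
    content=$(tr -d '\000')   # drop NULs so binary blobs do not break $(...)
    found=0
    match 'AWS access key ID' '(^|[^A-Z0-9])AKIA[0-9A-Z]{16}([^A-Z0-9]|$)' && found=1
    match 'GitHub personal access token' 'ghp_[A-Za-z0-9]{36}' && found=1
    match 'Stripe live secret key' 'sk_live_[A-Za-z0-9]{24,}' && found=1
    match 'private key block' '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' && found=1
    return "$found"
}

# scan_staged: scan every added, copied or modified path in the index.
# "git show :path" reads the staged blob, not the working-tree file.
scan_staged() {
    report=$(git diff --cached --name-only --diff-filter=ACM |
        while IFS= read -r path; do
            git show ":$path" | scan_text "$path" || true
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" >&2
    return 1
}

# Act as a hook only when installed as .git/hooks/pre-commit.
case ${0##*/} in
    pre-commit)
        scan_staged || { echo 'Commit aborted: possible secret staged.' >&2; exit 1; } ;;
esac
```

Save it as `.git/hooks/pre-commit` and mark it executable; under any other file name it only defines the functions.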

Does PassCryp work with my IDE?

The browser extension fills web IDEs (Replit, CodeSandbox, GitHub.dev). The CLI works with any terminal-driven IDE via shell env injection.

What about Vault, Doppler, Infisical?

Those are great for platform teams. PassCryp is the lighter-weight option for individuals and small teams, with the same zero-knowledge guarantees.

Is it open source?

The browser extension is. The core vault uses a documented zero-knowledge architecture published in the security whitepaper.

Ready to take control of your secrets?

Start a free zero-knowledge vault in under 60 seconds.
