Vault
A simpler credentials manager
Group secrets into environments, mint a scoped access key, and pull every value into any shell or CI runner with one CLI call. AES-256-GCM at rest, auditable, multi-tenant by default.
How Vault works
Four primitives, one round-trip. Group secrets into environments, mint an access key for that environment, then exchange the key for every secret in a single API call.
One per logical target — prod, staging, quinns-mac. Lives under your company.
A key/value pair. Value encrypted with AES-256-GCM before it ever hits the database.
Scoped to one environment. Raw key shown once on creation; only the PBKDF2 hash is stored.
One POST /vault/exchange/ call with the access key returns every secret in the environment, decrypted.
X-API-Key header.
$ curl -sS https://api.startsimpli.com/api/v1/vault/exchange/ \
    -H "X-API-Key: ${VAULT_ACCESS_KEY}" -X POST
{
  "environment": "prod",
  "secrets": {
    "DATABASE_URL": "postgres://…",
    "STRIPE_SECRET_KEY": "sk_live_…",
    "SENTRY_DSN": "https://…@sentry.io/…"
  }
}
From install to secrets in 30 seconds
The simpli CLI is the command-line companion. Configure once with a vault URL and your access key; thereafter it's a single command per machine, per environment.
npm i -g @startsimpli/cli
Or pnpm add -g / yarn global add.
simpli configure \
  --api-url https://api.startsimpli.com \
  --env prod \
  --key vk_live_…
Stored at ~/.config/simpli/config.json with mode 0600.
eval "$(simpli exchange creds \
  --env prod)"
echo $DATABASE_URL
Every secret is now in the shell. Use simpli run to scope to a subprocess instead.
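The subprocess scoping mentioned above, as an added Python example (not the simpli CLI's code and not from the Vault project): it takes a response in the shape shown for POST /vault/exchange/, rejects variable names that are not plain identifiers or that would change how the child loads code, and hands the secrets to one child process only. The sample response, the reserved-name list and the function names are assumptions made for the example.

```python
import json
import os
import re
import subprocess
import sys

# Constructed sample in the shape of the /vault/exchange/ response shown above.
SAMPLE_RESPONSE = json.dumps({
    "environment": "prod",
    "secrets": {
        "DATABASE_URL": "postgres://example.invalid/db",
        "SENTRY_DSN": "https://example.invalid/1",
    },
})

NAME_RE = re.compile(r"[A-Z_][A-Z0-9_]*\Z")
# Assumed deny-list: names that change how a child process finds or loads code.
RESERVED = {"PATH", "IFS", "HOME", "SHELL", "PYTHONPATH", "NODE_OPTIONS"}
RESERVED_PREFIXES = ("LD_", "DYLD_", "BASH_FUNC_")

def secrets_to_env(response_text, expected_env):
    """Validate an exchange response and return {name: value} for the child."""
    body = json.loads(response_text)
    if body.get("environment") != expected_env:
        raise ValueError("response is for a different environment")
    secrets = body.get("secrets")
    if not isinstance(secrets, dict):
        raise ValueError("missing secrets object")
    env = {}
    for name, value in secrets.items():
        if not NAME_RE.match(name) or name in RESERVED or name.startswith(RESERVED_PREFIXES):
            raise ValueError(f"refusing variable name {name!r}")
        if not isinstance(value, str) or "\x00" in value:
            raise ValueError(f"refusing value for {name!r}")
        env[name] = value
    return env

def run_with_secrets(argv, response_text, expected_env):
    """Run argv with the secrets in its environment only; the parent is untouched."""
    child_env = {**os.environ, **secrets_to_env(response_text, expected_env)}
    return subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)

if __name__ == "__main__":
    code = "import os; print(sorted(k for k in os.environ if k in ('DATABASE_URL', 'SENTRY_DSN')))"
    result = run_with_secrets([sys.executable, "-c", code], SAMPLE_RESPONSE, "prod")
    print(result.stdout.strip())
    print("DATABASE_URL" in os.environ)
```

Unlike the eval form, nothing is exported into the calling shell, so the values are gone when the child exits.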
Security model
Encrypted at rest, scoped by access key, audited by default, isolated per company.
Every secret value is encrypted with a server-managed VAULT_ENCRYPTION_KEY before it's persisted. The database only ever sees ciphertext. Reads decrypt on the fly inside the exchange path.
Each access key is scoped to a single environment. The raw key is returned once on creation; only its PBKDF2 hash is stored. Rotate or revoke any key without touching the underlying secrets.
Every create, reveal, exchange, and revoke writes a SecretAudit row with actor, IP, and the access key in use. Nothing gets deleted from the trail — past actions stay visible even after secrets rotate.
Every environment, secret, key, and audit row is scoped to a company. You only ever see your own. Cross-company access returns a clean 404 — even with a valid access key from another tenant.
Built for the messy reality of multi-environment work
CI runners
One access key per pipeline. Rotate without touching workflow YAML or re-uploading every variable.
Developer laptops
No more passing .env files in DMs. Each laptop runs simpli exchange at the start of the day.
Multi-environment apps
Prod, staging, preview, and per-developer envs side by side. Switch with --env.
Start storing secrets, not .env files.
Sign up at vault.startsimpli.com — first environment + 10 secrets free, no credit card.