Your secrets. Encrypted.
Where you need them.
PushKey stores your API keys encrypted, tracks rotation health, and automatically writes .env files into every linked project. No copy-paste. No leaks. No forgotten rotations.
Managing too many API keys across too many projects? PushKey is a local-first API key vault that stores secrets encrypted on your machine, tracks rotation health, detects providers automatically, and writes the right .env files into the right projects. No copy-paste. No secrets in plain text.
Set up in under 2 minutes
Three steps. No cloud config, no YAML, no complexity.
Add your keys
Paste your API key with a name like OPENAI_API_KEY. PushKey auto-detects the provider, sets the rotation schedule, and encrypts it with AES-256-GCM.
$ pushkey add STRIPE_SECRET_KEY sk_live_...
✓ Provider: Stripe
✓ Rotation: 180 days
✓ Encrypted and stored
Link your projects
Point to your project folders. Assign which keys each project needs. PushKey knows exactly which secrets go where.
$ pushkey link ./my-app STRIPE_SECRET_KEY
✓ Project registered
✓ .env template created
✓ Added to .gitignore
Auto-sync on rotation
When you rotate a key, PushKey saves the old value, timestamps the rotation, and pushes the new .env to every linked project instantly.
$ pushkey rotate STRIPE_SECRET_KEY
✓ Old value backed up
✓ 3 projects updated
✓ Sync complete in 0.2s
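The link-and-sync steps above end with a plaintext .env file in each project, so how that file is written matters. The sketch below is an added example, not PushKey's code: the function names `ensure_gitignored`, `write_env` and `sync` are hypothetical, and it assumes simple `NAME=value` lines with no quoting or multi-line values.

```python
import os
import tempfile
from pathlib import Path

def ensure_gitignored(project: Path, entry: str = ".env") -> None:
    """Append `entry` to the project's .gitignore unless already listed."""
    gi = project / ".gitignore"
    lines = gi.read_text().splitlines() if gi.exists() else []
    if entry not in (ln.strip() for ln in lines):
        gi.write_text("\n".join(lines + [entry]) + "\n")

def write_env(project: Path, updates: dict[str, str]) -> Path:
    """Merge `updates` into project/.env; atomic replace, owner-only mode."""
    env = project / ".env"
    old = env.read_text().splitlines() if env.exists() else []
    out, seen = [], set()
    for line in old:
        name = line.split("=", 1)[0].strip()
        if "=" in line and not line.lstrip().startswith("#") and name in updates:
            out.append(f"{name}={updates[name]}")
            seen.add(name)
        else:
            out.append(line)  # keep comments and unrelated variables
    out += [f"{k}={v}" for k, v in updates.items() if k not in seen]
    # mkstemp creates the file with mode 0600, so the secret is never
    # readable by other local users, even briefly.
    fd, tmp = tempfile.mkstemp(dir=project, prefix=".env.")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(out) + "\n")
    os.replace(tmp, env)  # atomic on the same filesystem
    ensure_gitignored(project)
    return env

def sync(projects: list[Path], updates: dict[str, str]) -> int:
    """Push the same rotated values to every linked project."""
    for project in projects:
        write_env(project, updates)
    return len(projects)

if __name__ == "__main__":
    # Constructed demo: two throwaway project folders and a dummy value.
    with tempfile.TemporaryDirectory() as root:
        dirs = [Path(root, name) for name in ("app-a", "app-b")]
        for d in dirs:
            d.mkdir()
        print(sync(dirs, {"STRIPE_SECRET_KEY": "sk_live_DUMMY"}), "projects updated")
```
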
Everything your team needs to keep secrets safe
Not a password manager. Not a cloud secrets service. PushKey is a local-first vault built for engineers who care about security.
AES-256-GCM Vault
Strong local encryption with AES-256-GCM and Argon2id key derivation. 200,000 iterations. Your keys never leave your machine.
Direct .env Injection
When you rotate or add a key, PushKey writes the updated .env file into every linked project folder, instantly.
Rotation Health Tracking
Green / yellow / red status dots. See at a glance which keys are fresh, aging, or overdue for rotation.
Provider Dashboard Links
One click opens the exact page to generate a new key for 25+ providers: OpenAI, Stripe, AWS, Vercel, and more.
Git History Scanner
Scans your commit history for accidentally committed secrets. Flags exposed keys before they become a breach.
CI/CD Sync
Push secrets to GitHub Actions, Vercel environment variables, and Railway directly from the vault — no copy-paste in CI.
Team RBAC
Share vaults with your team. Role-based access control — admins set policies, devs get read-only access to their keys.
TOTP MFA
Two-factor authentication on vault unlock. Works with any TOTP app (Authy, Google Authenticator, 1Password).
Clipboard Auto-clear
Copied keys automatically cleared from clipboard after 30 seconds. Revealed keys auto-hide after 10 seconds.
Open Source Core
The crypto layer and vault are MIT licensed. Audit every line that touches your keys — no trust required.
Hardware MFA (Enterprise)
YubiKey and hardware security key support for vaults that need the highest level of authentication assurance.
Encrypted Audit Log
Every vault access, key rotation, and team action is logged in an encrypted audit trail for compliance.
Full-featured CLI
pushkey-cli ships alongside the GUI — scriptable, pipeable, CI-ready. Add, rotate, inject, and export keys from any terminal or pipeline.
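The Git History Scanner feature above looks for secrets in past commits, which matters because a key deleted from the current tree is still readable in history. The sketch below is an added example, not PushKey's scanner: the two patterns, the function name `scan_log` and the sample log are assumptions constructed for illustration.

```python
import re

# Illustrative patterns, assumed for this example (not PushKey's rule set).
PATTERNS = {
    "Stripe live secret key": re.compile(r"sk_live_[0-9A-Za-z]{16,}"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_log(log_text: str) -> list[dict]:
    """Scan `git log -p` text and report secrets that appear on added lines."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            for provider, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    # Report only a short prefix, never the full secret.
                    findings.append({"commit": commit, "file": path,
                                     "provider": provider,
                                     "match": m.group()[:8] + "..."})
    return findings

# Constructed sample, trimmed `git log -p` output, newest commit first.
# The key is a dummy value built from a repeated character.
FAKE = "sk_live_" + "X" * 24
SAMPLE = f"""commit 2222222
    move key to environment

--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-STRIPE = "{FAKE}"
+STRIPE = os.environ["STRIPE_SECRET_KEY"]
commit 1111111
    add billing

--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+STRIPE = "{FAKE}"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE):
        print(finding)
```

The newest commit no longer contains the key, yet the scan still reports the older commit that introduced it, so the key has to be rotated rather than just deleted from the file.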
Why developers choose PushKey
The only secrets manager that's local-first, provider-aware, and doesn't require a cloud account to start.
| Feature | PushKey (you are here) | Doppler | 1Password Secrets | Infisical | dotenv vault |
|---|---|---|---|---|---|
| Security | | | | | |
| AES-256-GCM encryption | | | | | |
| Argon2id key derivation | | | | | |
| Zero-knowledge cloud sync | | | | | |
| Workflow | | | | | |
| Works 100% offline | | | | | |
| Auto-detects provider from key name | | | | | |
| Auto-injects to .env files | | | | | |
| Built-in rotation scheduling | | | | | |
| Access | | | | | |
| Native desktop GUI app | | | | | |
| Full-featured CLI (scriptable, CI-ready) | | | | | |
| GUI + CLI, both available | | | | | |
| Free tier with full encryption | | | | | |
| No SaaS dependency to get started | | | | | |
Built like a vault.
Not a spreadsheet.
Every decision in PushKey's architecture was made with one question: what happens if someone gets access to the file? The answer is: nothing. They still can't read your keys.
Start free. Scale when you need it.
No credit card required to start. Upgrade when your team grows.
Off-grid hardware vault. Encrypted vault lives on the USB — unplug and keys vanish from memory. Includes Pro for 12 months.
All plans include local-first encryption. No keys are stored in our cloud — ever. Enterprise audit logs are end-to-end encrypted.
From the people who actually use it
“We had a Stripe key committed to GitHub three years ago. It took a breach notice to catch it. PushKey's git scanner found two more in legacy repos in under 30 seconds.”
“The .env injection is the killer feature. I rotate my OpenAI key, and all five of my project folders update before I've even switched windows. This is what dev tooling should feel like.”
“We're a 4-person team. PushKey Team means everyone has access to the shared keys they need without us keeping a Notion doc with secrets in it. That doc was a lawsuit waiting to happen.”
“No cloud. No signup. No trust-me-bro. The vault file is on my machine, encrypted, and PushKey has never sent a single packet I didn't initiate. I audited the source.”
Questions we get a lot
Stop storing secrets in Slack.
Start using PushKey.
15 keys, 1 project, full encryption — free forever. Upgrade only when your team needs it.