The secret that
Ephemeral secret manager for teams and AI agents. Every secret has a TTL, a read limit, or both. Self-host with Sirr or use our managed API at api.secretdrop.app.
Try it free
No account needed — generate a secret in seconds.
Security & compliance built in
Built for teams who take secrets seriously
Ephemeral by Default
Every secret expires. Set a TTL, a read count, or both. No stale secrets lingering in your vault.
Burn After Read
One-time secrets that self-destruct after the first read. Perfect for sharing credentials.
AI Agents, Zero Memory
Tell Claude your secret. It uses it once. The vault burns it. Claude is instructed not to remember it. Secrets that live just long enough — nothing more.
Every Language
Official SDKs for Node.js, Python, and .NET. CLI for automation. REST API and MCP protocol for everything else.
Self-Host or Cloud
Run Sirr on your own infra, or use api.secretdrop.app as a managed proxy with your license key. Same API, your choice.
Encryption at Rest
Two-tier encryption architecture: AES-256-GCM server-side encryption with optional client-side encryption. Master key never stored alongside data.
Who it's for
Built for teams who need control
Whether you're sharing API keys across a CI pipeline or rotating database credentials in production, Sirr fits your workflow.
DevOps & SRE
Inject secrets into CI/CD pipelines, rotate credentials automatically, and eliminate shared spreadsheets. SDKs for every language, CLI for automation.
Security Teams
Audit every access, enforce expiration policies, and prove compliance. Two-tier encryption and self-hosted deployment keep data under your control.
Platform Engineering
Give every team a self-service way to share secrets without ticketing systems. Role-based access, organization scoping, and MCP for AI-assisted workflows.
Encryption at rest, by default
Every secret is encrypted before it touches disk. Two layers of protection ensure your data stays safe — even if the database file is exfiltrated.
Server-Side Encryption
All secrets are encrypted with AES-256-GCM before being written to the embedded database. The master key is held only in memory and loaded from a secure key file at startup — never from an environment variable, never baked into the image.
Client-Side Encryption
For high-sensitivity secrets, encrypt data before it leaves your machine. The server stores an opaque blob it cannot decrypt — only you hold the key. Layer this on top of server-side encryption for defense in depth.
Secure Key Management
Master key delivered via mounted key file or Docker Secrets — never exposed in environment variables or process listings. Supports key rotation with zero downtime and versioned encryption records.
Enterprise ready
Enterprise-grade by design
The features regulated industries and security-conscious organizations require — without the enterprise sales cycle.
SSO / SAML
Connect your identity provider. Enforce MFA and session policies from your existing IdP.
Audit Logging
Immutable audit trail for every secret read, write, and expiration event. Export to your SIEM.
Data Sovereignty
Self-host on your infrastructure in any region. Secrets never leave your network. Your data, your jurisdiction.
99.9% SLA
Contractual uptime guarantees with dedicated support and priority incident response for Business and Enterprise plans.
Used in production by
“Sirr handles our ephemeral secrets so we can focus on shipping our API. Deploy once, forget about it.”
jsondb.cloud
Cloud JSON Storage Platform
“We needed a secret manager our AI agents could use natively via MCP. Sirr was the only tool that fit.”
AskEmilia
AI Assistant Platform
“Self-hosted, zero dependencies, and the audit trail our team needed. Checked every box on our compliance review.”
Billy.lv
Digital Services
Runs on world-class infrastructure
Open source
Open source, production hardened
Sirr is a single Rust binary. No runtime dependencies, no JVM, no garbage collector pauses. Inspect every line of code before you deploy.
Rust
Memory-safe, no GC
<5MB
Single binary, no deps
0
External services needed
BSL
Business Source License
Ships as a single Docker image. Starts in under 50ms. Runs on a $5 VPS or a 500-node cluster.
Ready to secure your team's secrets?
Get a tailored walkthrough for your compliance requirements, deployment model, and team size.