Stop storing API keys in .env files, Notion pages and Slack messages. SealedKeys gives your team a zero-knowledge encrypted vault for API keys, access tokens and service credentials — with full audit trail and access control.
Any of these sound familiar? SealedKeys fixes all of them.
Everything you need to manage API keys securely across a team.
Separate field layout for key name, value, service, environment and notes. Keeps API keys organised without shoehorning them into password fields.
Every key encrypted in your browser before it leaves your device. The server receives only ciphertext — the API key value is never visible to us.
Every time an API key is viewed or copied, it is logged with timestamp, user and IP. Know exactly who accessed which key and when.
Grant read-only access to contractors and junior developers. Restrict write access to senior engineers and team leads.
Tag keys by environment (production, staging, development) and service. Filter and find the right key instantly without scrolling through a flat list.
When a developer leaves, revoke their access immediately. The audit log shows which keys they accessed — so you know exactly what to rotate.
Most password managers are designed for website logins — username, password, URL. API keys don't fit that model. They have different fields (service name, environment, expiry), different sharing patterns (often team-level not personal), and different rotation requirements.
SealedKeys is built for both. Personal logins work exactly as you'd expect, and API keys get a dedicated field layout with service tagging, environment labels and notes — without shoehorning them into a URL field.
Yes. SealedKeys is service-agnostic. You can store API keys for AWS, GitHub, Stripe, Twilio, OpenAI, or any other service. The API key type includes fields for the key name, value, associated service, environment and notes.
.env files live on individual developer machines, are often committed to Git by accident, and provide no audit trail or access control. SealedKeys stores keys encrypted in a central vault — accessible to authorised team members, with full logging of every access.
No. API keys are encrypted in your browser using AES-256-GCM before being sent to the server. The server stores only the encrypted ciphertext. The decryption key is derived from your master password and never transmitted.
Yes. Contractors can be given read-only access scoped to a specific organisation vault. They can view and copy keys but cannot edit or delete them. When their contract ends, remove their access — they retain nothing.
The free plan supports up to 25 vault items across all secret types. The Pro plan at £3.49/user/month supports unlimited items.
25 items free. No credit card. Encrypted in your browser from the first key you save.