CipherStash Stash

CipherStash Stash is a secrets management tool designed for TypeScript developers, providing a secure vault for storing and retrieving secrets, configuration values, and credentials. It is built on top of ZeroKMS, CipherStash's zero-trust key management service. Stash replaces plaintext environment variables and config files with a cryptographically isolated vault. Secrets are stored encrypted and decrypted locally within the application process using keys derived from a client key — plaintext never leaves the process and CipherStash never has access to decrypted secrets or encryption keys. Each secret access triggers a network call to fetch the encrypted value from the vault, which generates an immutable, cryptographically proven audit trail for every access event. The stash.getMany() method allows retrieving multiple secrets in a single network call. Applications authenticate to the vault using an API access key tied to a client key. Each app or service is assigned its own access key and client key, enabling per-service revocation and least-privilege access boundaries. Environment isolation is supported by configuring the Stash client with a named environment (e.g., production, staging, development), ensuring each process only accesses secrets belonging to its designated environment. Team access is managed through the Stash dashboard, where workspace members can be invited and assigned admin or member roles. Access keys can be revoked on a per-app or per-user basis. Stash is distributed as part of the @cipherstash/protect npm package and provides both a TypeScript SDK and a CLI. It supports Node.js, Bun, and Deno runtimes. A free tier is available with 10,000 operations per month at no cost.