FutsuBeta
Get early access
Sign inGet early access
5.0 · Secrets Vault

Plaintext never touches disk.

Ciphertext at rest under AES-256-GCM, scoped to a user or a whole workspace — plaintext exists only in memory, hydrated per run.

Lock your keysSee pricing
5.1 · Encrypted

AES at rest, hydrated at runtime.

The app runs on your machine, and secrets live as AES-GCM ciphertext in its local database. The master key comes from the environment — not from a file beside the data — and decryption happens in memory, only when a run needs a key. That holds offline too: no network call sits between you and your own secrets.

  • AES-256-GCM encryption at rest
  • Master key from the environment — never beside the data
  • Hydrated in-memory per run
Secrets● AES-256-GCM · master key never beside the data
ANTHROPIC_API_KEY••••••••••••••••
workspace
OPENAI_API_KEY••••••••••••••••
workspace
GITHUB_TOKEN••••••••••••••••
user
OPENROUTER_API_KEY••••••••••••••••
user
5.2 · Scoped

User and workspace scopes.

Keep personal tokens to yourself and share provider keys across a workspace. Scan a repo for leaked secrets and import them straight into the vault.

  • Per-user and per-workspace secrets
  • Scan code for live secrets
  • Import-from-code in one click
Workspace · default — shared with your team
ANTHROPIC_API_KEY••••••••workspace
OPENAI_API_KEY••••••••workspace
Only you
GITHUB_TOKEN••••••••user
$ futsu vault scan ./repo · 1 live secret in src/cli.ts → import as workspace key?
Use cases

What teams use Vault for.

JOB 01

Share provider keys across the team safely

Workspace-scoped secrets decrypt per run; plaintext never lands on disk.

JOB 02

Keep personal tokens out of workspace scope

User-scoped entries stay yours, even on shared canvases.

JOB 03

Catch live secrets before they ship

Scan the repo, find real keys, import them into ciphertext in one click.

Free in early accessBring your own keys — zero markupPlaintext never on diskNo credit card
Continue exploring

The rest of the system.

1.0

Canvas

Draw pipelines on a visual graph

Explore Canvas2.0

Runners

Claude, Codex & APIs, PTY-streamed

Explore Runners3.0

Agents & Skills

Filesystem-based, versioned with your repo

Explore Agents4.0

Obsidian bridge

Two-way JSON Canvas sync

Explore Obsidian

Secrets, handled the boring-safe way.

Ciphertext at rest, scoped to you — plaintext only in memory.

Lock your keysSee pricing