Store, deliver, and rotate secrets via API or automation.
Zaita's Secrets Management keeps credentials, API keys, and tokens organised in named Secret Lockers — versioned, rotated on schedule, and delivered to your workloads without human involvement.
30 days free · Full enterprise limits · No credit card required
The Problem
Credentials spread faster than you can track them
API keys in environment files, database passwords in config repos, tokens in CI/CD pipelines. Most organisations don't know where every secret lives — and even fewer rotate them consistently.
- Secrets hardcoded in repos, config files, and environment variables
- Rotation is manual — forgotten or skipped when teams are busy
- No inventory — credentials exist in unknown locations
- Breached secrets stay active for months because no one knows to rotate them
- No audit trail — no visibility into who accessed which secret, when
The Solution
- Secrets stored in named Lockers — versioned, encrypted, access-controlled
- Rotate via REST API or portal — Courier delivers updated values to every workload automatically
- Complete inventory — know every secret, every owner, every workload
- Version history — previous secret values retained and accessible when needed
- Full audit trail — every read, write, and rotation logged with user and timestamp
Secret Lockers
Named vaults for every secret type
A Secret Locker is a named, access-controlled container for a specific credential. Each Locker tracks version history and delivers its contents to the right workloads automatically.
Credentials & API Keys
Store database passwords, API keys, service account credentials, and any other sensitive string. Each Locker is encrypted at rest and access-controlled by role.
- Database credentials — MySQL, PostgreSQL, SQL Server, Oracle
- API keys — third-party services, internal APIs, webhooks
- Service account passwords and access tokens
Rotation via API & Automation
Rotate secrets via the REST API or directly in the portal — then the Courier or Bridge delivers the updated value to every consuming workload automatically. Integrates natively with Ansible, Terraform, and other automation tooling.
- Rotate via REST API — integrates with Ansible, scripts, and CI/CD pipelines
- Courier and Bridge automatically deliver the updated value after rotation
- Version history retained — previous values accessible via API
Version History & Audit
Every version of every secret is retained for the configured history window. See who created each version, when it was rotated, and which workloads received each value.
- Full version history with timestamps and author
- Every read and delivery logged in the tamper-proof audit trail
- Export audit logs to your SIEM for real-time monitoring
Delivery
Secrets reach every workload: pushed on-premises, pulled in the cloud
Zaita delivers secrets to your workloads via the same agents used for certificate delivery — Bridges for on-premises push, and Couriers for cloud-native pull.
Bridges poll Zaita for secret updates and push them directly to on-premises servers. All communication is outbound, so no firewall changes are needed. Secrets are decrypted in Bridge memory and written only to the configured target path; that path is where the value ends up on disk, so protect it with file-system permissions and restrict which processes can read it.
- Write secrets to file, environment variable, or Windows Credential Store
- Trigger a post-delivery script (reload app, notify a service, etc.)
- Outbound HTTPS only — works through corporate firewalls without changes
- Self-updating with built-in high availability
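The post-delivery script is your own code, so it is worth writing defensively: validate the delivered file before asking the application to reload, so a failed or partial delivery never restarts a service into a broken state. The following is an added example, not Zaita's or the Bridge's own code. It assumes the agent invokes the script with the path of the freshly written secret file as its first argument and that the reload command is supplied in the RELOAD_CMD variable (both are assumptions for this example; adapt them to how your Bridge target is configured). The permission check uses GNU stat.

```shell
#!/bin/sh
# Illustrative post-delivery hook (not Zaita's own code).
# Assumed invocation by the delivery agent:  hook.sh /path/to/delivered/secret
# Assumed reload command (example assumption):  RELOAD_CMD="systemctl reload myapp.service"

# validate_secret_file PATH
# Returns 0 only if PATH is a regular, non-empty file readable by its owner alone.
validate_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "hook: $f is not a regular file" >&2; return 1; }
    [ -s "$f" ] || { echo "hook: $f is empty, refusing to reload" >&2; return 1; }
    # Octal mode via GNU coreutils stat; reject anything readable by group/other.
    mode=$(stat -c %a "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400|700|500) return 0 ;;
        *) echo "hook: $f has mode $mode, expected owner-only" >&2; return 1 ;;
    esac
}

# on_delivery PATH
# Validate the delivered secret, then run the reload command; never reload on a bad file.
on_delivery() {
    if validate_secret_file "$1"; then
        ${RELOAD_CMD:-systemctl reload myapp.service}
        return $?
    fi
    return 1
}

# When run as a script the agent passes the path as $1; with no argument only the
# functions are defined (so the file can also be sourced).
if [ "$#" -gt 0 ]; then
    on_delivery "$1"
fi
```

The point of the two checks is ordering: the reload is the irreversible step, so everything that can be verified about the new value (present, non-empty, not group- or world-readable) is verified first. A richer hook might also test the credential against the backing service before reloading, but the shape stays the same.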
Couriers run on a schedule (for example from cron) or on demand, authenticate using cloud-native identity with no stored passwords, and pull secrets from Zaita. Ideal for cloud VMs, containers, and CI/CD pipelines.
- Authenticates via Azure Workload Identity, AWS IAM, or SPIFFE — no stored credentials
- Pulls only the secrets assigned to this workload's identity
- Works in GitHub Actions, GitLab CI, and other CI/CD environments
- Can route through a Bridge for private-network environments without direct internet egress
Access & Audit
Know who can access what — and who did
Fine-grained access controls ensure workloads only receive the secrets they're entitled to. Every access is logged in a tamper-proof audit trail.
Workload Identity Binding
Each Secret Locker is bound to specific machine identities. A Courier authenticates with its cloud identity — and receives only the secrets explicitly assigned to it. Nothing else.
- Least-privilege by design — each workload sees only its own secrets
- Cloud-native auth — Azure, AWS, SPIFFE, no stored passwords
Role-Based Access
Separate secrets management from PKI administration. Teams can read and update the secrets they own without touching certificate infrastructure — or vice versa.
- Separate roles for secrets owners, rotation operators, and auditors
- SSO / SAML integration — users authenticate through your IdP
Tamper-Proof Audit Log
Every secret read, write, rotation, and delivery is captured in Zaita's immutable audit log. Feed directly into your SIEM for real-time monitoring and compliance reporting.
- Who accessed which secret, when, and from which workload
- SIEM integration via webhook, S3/Azure/GCS, syslog, or REST API
Use Cases
Secrets management for every team
DevOps & CI/CD
Inject secrets into pipelines via Courier — no hardcoded values in your repos or config files.
Database Teams
Rotate database credentials on a schedule and deliver new passwords to every application automatically.
Cloud-Native Apps
Pull secrets on startup via Courier with cloud identity, so there are no long-lived credentials to manage or rotate manually.
On-Premises Servers
Push secrets to file system paths on Windows and Linux via Bridge — with configurable post-delivery hooks.
Stop managing secrets manually. Start automating them.
Start your 30-day free trial and create your first Secret Locker today — no credit card required.