Infisical
API keys hardcoded in repos, database passwords pasted into CI variables, .env files emailed between developers - Infisical, the open-source platform for secrets, certificates, and privileged access management, is the answer to all three. Secrets live in versioned stores scoped by project, environment, and path, with fine-grained identity-aware access control and full audit logging on every read and change. Delivery covers every consumption pattern: CLI injection into local dev, SDKs for Go, Node.js, and Python, an HTTP API, agents, a Kubernetes Operator, and secret syncs that push to GitHub, GitLab, AWS Secrets Manager, and Vercel. Automatic rotation replaces credentials for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, and Azure on a rolling schedule - new credentials issue while old ones stay temporarily valid, so nothing breaks mid-rotation. Dynamic secrets go further, generating ephemeral, time-bound database credentials on demand, and SSH access replaces static keys with short-lived CA-signed certificates that expire automatically. Secrets scanning catches hardcoded credentials in code and pipelines, certificate management automates X.509 issuance and renewal, and a built-in KMS handles encrypt/decrypt with central key control. Self-hosting keeps the keys to everything else on your own infrastructure.
Password Pusher
Credentials sitting forever in email threads and chat scrollback - Password Pusher solves that everyday security failure. Instead of pasting a password into Slack, you push it - a password, note, file, URL, or QR code - and share a unique one-time link that expires after a set number of views, a time limit, or both. Content is encrypted at rest with AES-GCM under a configurable master key, optionally guarded by a passphrase, and permanently deleted from the database the moment it expires; a retrieval-step option keeps URL-scanning bots from consuming views. Full audit logs record when each link was created and viewed (and by whom, with logins), and TOTP two-factor authentication can be required instance-wide. The delivery page is deliberately unbranded - no logos or confusing links for recipients - and the interface ships in 31 languages with light and dark themes. Automation runs through a JSON API (v2), an official CLI for pushing and expiring secrets from the terminal, a Chrome extension, and a catalog of third-party integrations. Apache-2.0 licensed Ruby on Rails, deployable via Docker, Kubernetes, or Helm, with SQLite or PostgreSQL storage - the sysadmin staple for sending credentials that clean up after themselves.