# Introduction

**seekrit** is an end-to-end encrypted, multi-tenant secrets manager built on Cloudflare
Workers. It stores your API keys, database URLs, and other secrets, and hands them to your
applications — in local development, Docker builds, CI, Kubernetes, and AI-agent sandboxes —
without the server ever seeing a plaintext value.

> **Note:** **Building with an AI agent?** Start with the [AI agents guide](/docs/guides/ai-agents), or point any agent at the machine-readable docs: [`/llms.txt`](/llms.txt) (index), [`/llms-full.txt`](/llms-full.txt) (everything in one file), or any page's URL with a `.md` suffix. Setup is one command: `claude mcp add seekrit -- seekrit mcp`.

## Zero-knowledge by design

The defining property of seekrit is that **encryption keys are generated and used entirely on
the client**. When you add a secret in the web dashboard or CLI, it is encrypted in your browser
or on your machine before it is uploaded. The API — a Cloudflare Worker backed by D1 — only ever
stores ciphertext. A full database dump reveals metadata (names, versions, timestamps) but no
secret values.

This is achieved with **envelope encryption**:

- Each **environment** has its own AES-256 data key (DEK).
- Secrets are encrypted with that DEK.
- The DEK is **wrapped** (encrypted) individually to each person or service token that should
  have access, using their public key.
- A user's private key is itself encrypted with a passphrase-derived key, so any device can
  fetch it and unlock it locally — the passphrase never leaves the client.

See [Encryption model](/docs/concepts/encryption) for the full picture.

## The pieces

seekrit is a small monorepo:

- **Web dashboard** — create orgs, applications, and environments, and manage secrets with
  client-side encryption. Sign in with Google or GitHub (via Stytch).
- **CLI** (`seekrit`) — link a project directory to an environment and inject decrypted secrets
  into any command, or export them as `dotenv`/`json`/`shell`.
- **API** — a Hono Worker on Cloudflare with D1 (database) and KV, exposing an org-scoped REST
  API and an append-only audit trail.

## Where to go next
