seekrit
Docs/Language SDKs

Language SDKs

When a secret needs to live inside your application process — not injected by a launcher — use a language SDK. Each one authenticates with a service token, calls GET /v1/resolve, and decrypts locally: the API only ever returns ciphertext plus a data key wrapped to your token, exactly like every other seekrit client.

LanguagePackageRepo
Python 3.9+seekrit (PyPI)seekritdev/python-sdk
Go 1.24+github.com/seekritdev/go-sdkseekritdev/go-sdk
Node / Bun / Deno / browsers / Workers@seekrit/sdk (npm)seekritdev/js-sdk
Ruby 3.0+seekrit-sdk (RubyGems)seekritdev/ruby-sdk
note

The SDKs are read-only: resolve and decrypt with a service token. Creating, rotating, and granting access to secrets stays in the web dashboard and CLI, which use a human principal's passphrase-protected key. A service token binds to exactly one app environment (plus its composed group slices) — that scope is the SDK's blast radius. See Service tokens.

Python

pip install seekrit
import seekrit

client = seekrit.Client()            # token from $SEEKRIT_TOKEN
secrets = client.resolve()           # {"DATABASE_URL": "postgres://…", …}

db_url = client.get("DATABASE_URL")
seekrit.Client().into_env()          # or load everything into os.environ

Go

go get github.com/seekritdev/go-sdk@latest
import seekrit "github.com/seekritdev/go-sdk"

client, err := seekrit.New()                 // token from $SEEKRIT_TOKEN
secrets, err := client.Resolve(context.Background())
fmt.Println(secrets["DATABASE_URL"])

No external dependencies — just the standard library (crypto/ecdh, crypto/hkdf).

JavaScript / TypeScript

npm install @seekrit/sdk
import { Seekrit } from "@seekrit/sdk";

const client = new Seekrit();          // token from $SEEKRIT_TOKEN
const { DATABASE_URL } = await client.resolve();

Pure WebCrypto + global fetch, so it runs unchanged on Node 18+, Bun, Deno, browsers, and Cloudflare Workers. In a Worker there's no ambient env, so pass the token from your binding:

export default {
  async fetch(request, env) {
    const secrets = await new Seekrit({ token: env.SEEKRIT_TOKEN }).resolve();
    // ...
  },
};

Ruby

gem install seekrit-sdk

The gem is seekrit-sdk; the module is Seekrit.

require "seekrit/sdk"                 # or "seekrit" — both work

client = Seekrit::Client.new         # token from ENV["SEEKRIT_TOKEN"]
secrets = client.resolve             # { "DATABASE_URL" => "postgres://…", … }

Rails apps can load secrets into ENV on boot by opting in from an initializer:

config.seekrit.autoload = true

Common behavior

  • Fail-closed. A bad token, an unreachable API, or a layer that won't decrypt raises — the SDKs never return partial results.
  • Precedence. resolve returns the merged environment: composed groups first, then the app environment on top (later wins on a name collision).
  • Overrides. Pull a different environment slice of a composed group with the with / overrides option — the SDK equivalent of ?with=group:env. You can only pull a slice your token holds a key for.
  • Errors. A non-2xx response surfaces as a typed API error carrying the HTTP status and the API's error code (unauthorized, forbidden, not_found, …).

Every SDK reimplements the same decrypt path (ECDH P-256 → HKDF-SHA256 → AES-256-GCM, AAD-bound to environmentId/NAME) and is tested byte-for-byte against a shared fixture generated from the reference implementation, so they all recover identical plaintext. See the encryption model and the resolve endpoint.