Secrets that expire. Not your patience.

Every secret has a TTL, a read limit, or both. Push from CLI, SDKs, or REST API. Self-host on your infra or use our managed cloud.

Every language. One API.

# Store a secret — burns after 1 read
sirr push DB_TOKEN --ttl 1h --reads 1

# Read it back
sirr get DB_TOKEN
# → postgres://admin:s3cret@db:5432

# Try again — it's gone
sirr get DB_TOKEN
# → error: secret not found (burned)

Official SDKs for Node.js, Python, and .NET. CLI for automation. REST API for everything else.

Self-host in 30 seconds

docker run -p 5839:5839 ghcr.io/sirrlock/sirrd:latest

Rust

Memory-safe, no GC

<5MB

Single binary, no deps

50ms

Cold start

BSL

Business Source License

Encryption at rest, by default

Server-Side Encryption

AES-256-GCM before it touches disk. Master key held in memory, loaded from a secure key file at startup.

Client-Side Encryption

Encrypt before it leaves your machine. The server stores an opaque blob it cannot decrypt.

Key Management

Master key via mounted file or Docker Secrets. Supports rotation with zero downtime.

Read the full security architecture →

Ready to try Sirr?

Get Started Free Read the Docs