Secrets that expire. Not your patience.

Every secret has a TTL, a read limit, or both. Push from CLI, SDKs, or REST API. Self-host on your infra or use our managed cloud.

Every language. One API.

# Push a secret — burns after 1 read
sirr push "postgres://admin:s3cret@db:5432" --ttl 1h --reads 1
# → https://sirrlock.com/s/a1b2c3d4...

# Read it back by ID
sirr get a1b2c3d4
# → postgres://admin:s3cret@db:5432

# Try again — it's gone
sirr get a1b2c3d4
# → error: secret not found (burned)

Official SDKs for Node.js, Python, and .NET. CLI for automation. REST API for everything else.

Self-host in 30 seconds

docker run -p 5839:5839 ghcr.io/sirrlock/sirrd:latest

Rust

Memory-safe, no GC

<5MB

Single binary, no deps

50ms

Cold start

BSL

Business Source License

Encryption at rest, by default

Server-Side Encryption

AES-256-GCM before it touches disk. Master key held in memory, loaded from a secure key file at startup.

Client-Side Encryption

Encrypt before it leaves your machine. The server stores an opaque blob it cannot decrypt.

Key Management

Master key via mounted file or Docker Secrets. Supports rotation with zero downtime.

Read the full security architecture →

Ready to try Sirr?

Get Started Free Read the Docs