AES-256-GCM encryption
All secret values are encrypted at rest. Values are never returned by list
or detail endpoints — only via explicit /reveal calls.
Kagi Documentation
Encrypted secret management for developers. Store, organize, and access API keys, .env files, and credentials — all encrypted with AES-256-GCM.
What is Kagi?
Section titled “What is Kagi?”Kagi is a self-hosted secret management system. It lets you store encrypted API keys, .env files, environment configs, and 2FA recovery tokens — organized by key type and project, accessible through a web UI or REST API.
Scoped access keys
Create API keys with fine-grained scopes. Grant only entries:read for
read-only automation, add entries:reveal for scripts that need values.
Structured key types
Two key types: simple (single env var) and group (multi-field map).
AI extraction
Describe your project in natural language and get a ready-to-paste .env
file. The AI sees only key names — never values.