
Best secrets management tools for AI developers

Eight tools, scored on agent exposure.

The right secrets tool for a team shipping a SaaS product is not the right tool for a developer running Claude Code or Cursor all day. The deciding question changes from feature list to one thing: does the agent ever read the actual credential?

TL;DR: the answer, in twenty seconds

The frame: Standard secrets-tool criteria (dashboards, SSO, rotation schedules) are built for compliance teams. For an AI coding agent, three questions decide the tool: does the agent see the value, can you revoke one session, and does it work offline.

The field: Eight tools scored on a five-axis agent-exposure profile, from HashiCorp Vault to a bare .env file, each with an honest limitation and an agent-workflow verdict.

The split: Every tool here injects the plaintext into the agent's environment except one. If keeping credentials out of agent context is a hard requirement, that constraint alone narrows the list.

The right secrets management tool for a team shipping a SaaS product is not the right tool for a developer running Claude Code, Cursor, or Codex CLI through a long coding session. Team buyers need centralized storage, rotation schedules, compliance dashboards, and approval workflows. A developer running an AI coding agent needs something different: a way for the agent to do its work without ever reading the actual credential. Every prompt the agent processes and every transcript it logs is a possible exfiltration surface, a class of failure that OWASP now tracks in its Top 10 for Agentic Applications. Most secrets managers were designed before that surface existed.

Short version: HashiCorp Vault and AWS Secrets Manager are right when you have a team, an ops function, and policy requirements. Doppler and 1Password serve teams that want SaaS convenience with solid developer tooling. Infisical and Bitwarden Secrets Manager give open-source control with self-hosting. .env files are not secrets management at all; they are the baseline this guide is about leaving. And one tool here is built for the case where an AI coding agent has to operate without seeing a credential value.

What makes a secrets manager good for AI developers

The standard criteria (centralized dashboard, SAML SSO, audit retention, automatic rotation) matter for enterprise compliance. For a developer whose day runs through an agent, three questions matter more.

Does the agent see the value? A tool that injects secrets as environment variables gives the agent full read access to every injected credential. A tool that brokers access without materializing the value in the agent's context is a different security model with a different threat surface.

Can you revoke a single session? Most tools revoke at the token or secret level, not the process level. If an agent already read a credential into context, revoking the token does nothing about the copy already sitting in the transcript.

Does it work without a network call? Cloud-dependent tools add a network dependency at the exact moment the agent needs a credential. Local-first tools do not have that failure mode.

These three define the scoring below. Each tool is rated on five axes drawn from its published documentation. No fabricated benchmarks: the scoring is qualitative and sourced from documented architecture.

The five-axis agent exposure profile

Tool | Agent context exposure | Injection model | Offline | Session revocation | Solo-dev friction
--- | --- | --- | --- | --- | ---
HashiCorp Vault | Implementation-dependent | SDK/API to env or template | No (server required) | Per-token | High
AWS Secrets Manager | Full | SDK fetch to app code | No (AWS API) | IAM change / rotation | Medium
Doppler | Full | doppler run -- wrapper | No (cloud) | Per-service-token | Low to medium
1Password | Full | op run -- wrapper | Partial (Connect cache) | Per-service-account | Medium
Infisical | Full | CLI run wrapper | Self-hosted only | Per-token | Low to medium
Bitwarden Secrets Manager | Full | SDK fetch / CLI | Self-hosted (Enterprise plan) | Per-machine-account | Low
.env / direnv | Full (all env vars) | Shell inheritance | Yes | Restart + edit file | None
Local broker (hasp) | None (value-free) | Process-tree exec injection | Yes (local vault) | Per-grant, 24h ceiling | Low

1. HashiCorp Vault

Vault is the category-defining platform. It stores secrets in an encrypted backend, controls access through pluggable auth methods (AppRole, Kubernetes, AWS IAM, and others), generates dynamic credentials on demand, automates PKI, and writes a tamper-evident audit log. It is the reference most other tools get measured against.

Pricing. Community Edition is free and self-hosted. HCP Vault Dedicated is the managed cloud offering, priced through sales.

Best for. Engineering teams with platform or ops capacity who need a programmable secrets platform: database credential rotation, PKI automation, multi-tenancy. The correct answer for organizations running Kubernetes at scale where a security team owns credential policy.

Honest limitation. You run and operate a server: initialize it, unseal it, configure auth backends, and manage its lifecycle. A dev-mode Vault starts in minutes; a correct production config takes days. No free hosted tier.

Agent verdict. Vault can serve agents through the Vault Agent sidecar (rendering secrets into files or env vars via templates) or direct SDK calls. Either way the agent reads materialized values unless you build a brokering layer on top. Vault has no concept of an agent context window. The right call if your organization already runs Vault, not the right first tool for protecting a Claude Code session.

2. AWS Secrets Manager

A managed AWS service that stores secrets encrypted with KMS, controls access through IAM, and automates rotation for RDS, Redshift, and third-party targets. SSM Parameter Store overlaps: it has a free standard tier for basic strings, while Secrets Manager adds rotation, cross-account sharing, and versioning.

Pricing. $0.40 per secret per month plus $0.05 per 10,000 API calls (aws.amazon.com/secrets-manager/pricing/, June 2026). SSM standard-tier parameters have no storage charge; advanced-tier parameters cost $0.05 per parameter per month.

Best for. Applications running inside AWS that want credentials managed in the same cloud. Lambda, ECS, and EC2 workloads get native SDK access with IAM as the access layer.

Honest limitation. Requires AWS connectivity at all times. IAM changes propagate with a delay, which matters for fast revocation. Cost grows with the number of distinct secrets. The SDK fetches the plaintext into your application, and nothing in the architecture stops that value from landing in a log, a subprocess, or an agent's context.

Agent verdict. Right for deployed workloads inside AWS. For controlling what an interactive coding session can read, it offers nothing beyond "give the process an IAM role." The agent fetches the value and has it. Correct tool, wrong use case.

3. Doppler

A cloud SaaS manager that organizes credentials by project and environment, with a web dashboard, a CLI that injects secrets via doppler run -- <command>, broad CI/CD integrations, and activity logs with rollback. Doppler's own site reports 76,000+ organizations and 75 billion secrets read per month (doppler.com, June 2026).

Pricing. Free tier: up to 3 users, 3-day log retention, 10 projects. Team tier: $21 per user per month, with 90-day logs, SAML SSO, and automatic rotation. Enterprise is custom (doppler.com/pricing, June 2026).

Best for. Teams that want a centralized store across environments without building infrastructure. The CLI is fast, integrations are broad, and the dashboard is approachable next to operating Vault. The free tier works for modest solo needs, though 3-day retention is a real gap.

Honest limitation. Fully cloud-dependent: no network, no secrets. The doppler run -- wrapper exports all configured secrets as env vars to the wrapped process, so every subprocess in that tree (including an agent) sees the full set. No per-process scoping.

Agent verdict. Strong for team secrets in CI/CD and deployed workloads. For interactive coding sessions, the env-var model means the agent reads everything injected for that environment. A reduced-scope service token helps, but the tool was not designed for this. Workable with discipline.

4. 1Password

Developer-focused secrets management built on 1Password's vault infrastructure. Teams and Business subscribers create service accounts with access to specific vaults, then use the CLI (op run -- <command>) to inject secrets at exec time, or SDKs to fetch them in code. The 1Password Connect server can run locally to cache secrets for high availability and partial offline use.

Pricing. Business: $7.99 per user per month billed annually. Teams Starter Pack: $19.95 per month for 10 members. Both include developer CLI and SDK access (1password.com/teams/pricing/, June 2026).

Best for. Teams already paying for 1Password that want to extend that trust boundary to machine secrets and CI/CD service accounts without a second vendor. The CLI is mature, the brand's security track record is strong, and Connect provides a local caching layer.

Honest limitation. Developer tooling requires a paid tier, which is heavy for one developer managing a handful of keys. The op run -- model materializes secrets as env vars at exec time, so agent exposure is full: the agent inherits every injected value.

Agent verdict. A natural extension if your team is already on 1Password and needs machine identities. For workflows where you want the agent to operate without reading values, the env-var model offers no protection specific to that constraint.

5. Infisical

An open-source platform with centralized storage, RBAC, dynamic secrets, rotation, and a CLI that injects secrets into wrapped commands. Available as managed cloud or fully self-hosted. It integrates with Docker, Kubernetes, Terraform, and GitHub Actions, and its current positioning explicitly targets AI agent credential management.

Pricing. Free cloud tier: up to 5 identities, 3 projects, 3 environments, 10 integrations. Self-hosting the Community Edition is free. Pro is $18 per identity per month; Enterprise is custom (infisical.com/pricing, June 2026).

Best for. Teams that want Doppler-level ergonomics with self-hosting as a hard requirement: data residency, air-gapped environments, or open-source auditability at the platform level. The strongest open-source option in this tier for teams that cannot route credentials through third-party SaaS.

Honest limitation. Self-hosting means running the database, maintaining the platform, and handling backups and upgrades. The managed cloud removes that but reintroduces cloud dependency. Like Doppler, the CLI exports secrets as env vars, so agent exposure is full.

Agent verdict. Right for teams needing self-hosted open-source secrets at Doppler ergonomics. The "supports AI agents" positioning means managing the credentials agents use, not preventing agents from reading them in context. Both problems are real; Infisical addresses the first.

6. Bitwarden Secrets Manager

A distinct product from the Bitwarden password manager, for infrastructure and machine secrets. End-to-end encrypted storage for API keys, database credentials, SSH keys, and certificates, organized into projects with machine accounts scoped to specific secrets. Reachable through the CLI, SDKs, Kubernetes operators, and GitHub Actions.

Pricing. Free tier: 3 machine accounts, 3 projects, 2 users. Teams: $6 per user per month. Enterprise: $12 per user per month with self-hosting, SSO, and SCIM (bitwarden.com/products/secrets-manager, June 2026).

Best for. Small teams and solo developers who want a managed platform below Doppler or 1Password pricing. The security track record is strong, the server is open-source and auditable, and the free tier covers many solo cases without a credit card.

Honest limitation. Secrets Manager is intentionally separate from the password manager: there is no unified interface, and the management surface is the web app and the CLI (the SDKs, Kubernetes operator, and GitHub Actions integration are delivery paths). Like every tool here except the broker, the injection model materializes values in the application, so agent exposure is full. Self-hosting needs the Enterprise plan.

Agent verdict. The best price-to-quality ratio in the managed open-source tier. It handles credential storage and machine identity well at low cost. The same limit applies: the agent receives the materialized value. Pair with process-level controls if tighter scoping is needed.

7. .env files and direnv

The near-universal default: a file of KEY=VALUE pairs loaded into the shell via direnv, dotenv, or a manual source .env, then inherited by every child process for the session.

Pricing. Free.

Best for. Throwaway local prototypes with placeholder values. That is the complete list.

Honest limitation. Env files get committed. They show up in shell history. Credentials propagate to every subprocess whether it needs them or not. When an agent runs in a shell with a loaded .env, it inherits every value: database passwords, API keys, deploy tokens. No audit trail, no revocation path, no record of which process read what. This is not a security model.

Agent verdict. If your agent has a loaded .env, it has your credentials in context: every command it runs inherits them, and any command that prints its environment, or any stack trace that dumps it, puts the values into the transcript. That is the failure mode a broker exists to remove. Moving off env files is the starting point; the rest of this guide is what to move to.
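The inheritance that the three questions above and this section describe, as an added shell example that is not code from the page or from any of the tools compared here. The .env contents are placeholders constructed for the demo, and the env -i calls exist only to isolate the demo from the calling shell's real environment so the result is reproducible. It loads a .env the way direnv and dotenv do, lists what a child process standing in for the agent can read, and compares that with a launch that hands exactly one credential to exactly one child. The exposed_names filter doubles as a check you can run as `printenv | exposed_names` before starting an agent in a real shell.

```shell
#!/bin/sh
# Added example (not from the page or from any product): what a child process
# inherits under the ambient env-var model versus a per-exec scoped launch.

# exposed_names: read NAME=VALUE lines on stdin and print, sorted, the names
# that look like credentials. `printenv | exposed_names` shows what an agent
# started from the current shell would inherit.
exposed_names() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' \
      | cut -d= -f1 \
      | grep -E -i 'key|token|secret|passw|credential' \
      | sort
}

# make_sample_dotenv: write a constructed .env with placeholder values
# (not real credentials) and print its path.
make_sample_dotenv() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
DATABASE_PASSWORD=placeholder-db-pass
OPENAI_API_KEY=sk-placeholder-not-real
DEPLOY_TOKEN=placeholder-deploy
LOG_LEVEL=debug
EOF
    printf '%s\n' "$f"
}

# agent_inherits FILE: source the .env the way direnv/dotenv do (set -a exports
# every assignment), then report what a child process, the "agent", sees.
# env -i starts from an empty environment so only the file's contents count;
# in real use there is no env -i, and the agent inherits the whole shell.
agent_inherits() {
    env -i PATH="$PATH" sh -c 'set -a; . "$1"; set +a; sh -c printenv' sh "$1" \
      | exposed_names
}

# scoped_child_sees NAME VALUE: launch one child with an empty environment
# plus exactly one credential. The launching shell never exports it, so
# siblings started afterwards, and the shell itself, have nothing to leak.
scoped_child_sees() {
    env -i PATH="$PATH" "$1=$2" sh -c printenv | exposed_names
}
```

doppler run -- and op run -- are the first model with the file replaced by an API call: the wrapped process, and everything it spawns, receives the whole configured set. The second model is the shape a broker takes; the difference that matters is which process gets the exported variable, not where the value was stored.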

8. A local broker (hasp)

A local-first CLI and MCP (Model Context Protocol) secret broker built for AI coding agent workflows. It stores credentials in a local encrypted vault, then brokers access at exec time through four paths: run (executes a command with secrets injected into the subprocess), inject (materializes values only when the operator explicitly asks for them), an MCP tool surface for Claude Code and other MCP-compatible agents, and direct application binding.

The architecture is built around one constraint: the agent never sees the plaintext value. It references a handle (like @OPENAI_API_KEY) and asks for work to be done; only the child process spawned for that task gets the value at exec time, scoped to that process tree, so a grant cannot be replayed from a different process. Be precise about what that boundary covers: it keeps the value out of the agent's context and transcript, not out of the child. A child that prints the credential to stdout is a path back into the agent's view, and the streaming redaction listed below is the control for that path.

Properties not replicated elsewhere in this roundup:

  • Value-free delivery. The agent's context window never receives a credential value. Handles, not values, are what it knows.
  • Process-tree scoping. A grant is bound to the process tree the broker launched. A leaked grant cannot be used from another process.
  • Hard 24-hour ceiling. No policy can extend it, so one bad session stops being a permanent exposure.
  • Real-time redaction. Every encoded form of a managed value is masked in streaming output, with marker tokens that keep tracebacks pasteable.
  • Append-only audit log. Local, HMAC-chained, tamper-evident.
  • Repo guardrails. Pre-commit and pre-push hooks block managed secrets from reaching commits or pushes.
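The real-time redaction item above, as an added example of the technique (the filter, the encodings it covers, and the marker format are this example's own, not hasp's implementation, which the page does not show): a stdin-to-stdout filter that masks a managed value in its plaintext, standard base64 and lowercase hex forms, replacing each hit with a marker so the surrounding traceback or log line stays readable and pasteable. The value and label used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the page or from hasp): a streaming redaction filter
# for one managed value and its common encoded forms.

# esc_bre STRING: escape the characters that are special in a sed basic regex
# when '|' is the s/// delimiter, so a secret containing '.', '*', '$' or '['
# is matched literally rather than interpreted as a pattern.
esc_bre() {
    printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'
}

# redact LABEL VALUE: filter stdin to stdout, replacing every occurrence of
# VALUE with [REDACTED:LABEL], its base64 form with [REDACTED:LABEL:b64] and
# its hex form with [REDACTED:LABEL:hex]. LABEL is an env-var-style name
# (no '&' or '|'). sed works line by line, so a value that a program wraps
# across lines is not caught; see the note below.
redact() {
    label="$1"; value="$2"
    if [ -z "$value" ]; then cat; return; fi           # nothing to mask
    plain=$(esc_bre "$value")
    b64=$(esc_bre "$(printf '%s' "$value" | base64 | tr -d '\n')")
    hex=$(printf '%s' "$value" | od -An -v -tx1 | tr -d ' \n')   # lowercase hex
    sed -e "s|$b64|[REDACTED:$label:b64]|g" \
        -e "s|$hex|[REDACTED:$label:hex]|g" \
        -e "s|$plain|[REDACTED:$label]|g"
}

# Usage in a broker-style wrapper: run the child and pass its output through
# the filter before the agent ever reads it, e.g.
#   some_command 2>&1 | redact OPENAI_API_KEY "$value"
```

Two design points worth noticing. Escaping the value before building the pattern is what keeps a key like `sk-test.value+1` from also masking `sk-testXvalue+1`, and it is the step most ad hoc redactors get wrong. The list of encodings is the real limit of any such filter: URL-encoding, a value split across two lines, or a JSON string with escaped characters all slip past what is matched here, so "every encoded form" is a claim to check against the product's documented list, not a property of the approach.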

Pricing. Free. Single binary for macOS and Linux, no hosted control plane, no SaaS subscription, no account, and no network dependency for credential access. Source-available under the Fair Core License (FCL-1.0, which converts to Apache 2.0 under the license's terms; not OSI-certified open source) (gethasp.com/docs/overview, June 2026).

Best for. Solo developers and small teams whose primary workflow runs through an AI coding agent such as Claude Code, Cursor, or Codex CLI. The right answer when repo-local credential hygiene is the goal, offline operation is required, and you want zero cloud dependency for credential access. The threat model is not "what if the secrets database leaks" but "what does the agent see right now."

Honest limitation. No hosted control plane in v1 means no centralized dashboard, no multi-user approval workflows, no SAML, no cross-region replication. For teams that need those, Vault, Doppler, or self-hosted Infisical are the right answers. hasp is not competing on those axes.

Agent verdict. The only tool here where agent context exposure is None by architecture. A compromised transcript, a logged prompt, or an exported state file does not contain your credentials, because the value was never there. It is the pick when local-first, offline, and process-level scoping are your requirements. Not the choice if you need a multi-user dashboard or enterprise policy features.
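The append-only, HMAC-chained audit log from the property list above, as an added example of the chaining technique and of how it answers "did the agent touch that token" after the fact. This log format, key handling, and event names are constructed for the example; hasp's own on-disk format is not documented on this page. Each entry carries an HMAC over the sequence number, the event text, and the previous entry's tag, so editing, reordering, or deleting an earlier entry breaks every tag after it.

```shell
#!/bin/sh
# Added example (not from the page or from hasp): a minimal HMAC-chained,
# append-only audit log with a verifier. Requires openssl.

# hmac_tag KEY DATA: hex HMAC-SHA256 of DATA under KEY.
hmac_tag() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# audit_append LOG KEY EVENT: append one tab-separated entry
#   seq <TAB> event <TAB> prev_tag <TAB> tag
# chained to the tag of the last entry ("genesis" for the first). EVENT must
# not contain tabs or newlines in this simple format.
audit_append() {
    log="$1"; key="$2"; event="$3"
    [ -f "$log" ] || : > "$log"
    prev=$(tail -n 1 "$log" | awk -F'\t' '{ print $NF }')
    [ -n "$prev" ] || prev=genesis
    seq=$(($(wc -l < "$log") + 1))
    tag=$(hmac_tag "$key" "$(printf '%s\t%s\t%s' "$seq" "$event" "$prev")")
    printf '%s\t%s\t%s\t%s\n' "$seq" "$event" "$prev" "$tag" >> "$log"
}

# audit_verify LOG KEY: walk the log recomputing every tag. Prints "ok N" and
# returns 0 if the chain holds; otherwise names the first bad entry, returns 1.
audit_verify() {
    log="$1"; key="$2"
    prev=genesis; n=0
    tab=$(printf '\t')
    while IFS="$tab" read -r seq event chain tag; do
        n=$((n + 1))
        if [ "$seq" != "$n" ] || [ "$chain" != "$prev" ]; then
            echo "chain broken at entry $n"; return 1
        fi
        expect=$(hmac_tag "$key" "$(printf '%s\t%s\t%s' "$seq" "$event" "$chain")")
        if [ "$tag" != "$expect" ]; then
            echo "bad tag at entry $n"; return 1
        fi
        prev="$tag"
    done < "$log"
    echo "ok $n"
}

# tamper_event LOG N OLD NEW: rewrite entry N's event text in place without
# touching its tag, the way a careless or malicious edit would.
tamper_event() {
    awk -v n="$2" -v old="$3" -v new="$4" \
        'BEGIN { FS = OFS = "\t" } NR == n { sub(old, new, $2) } 1' "$1" > "$1.tmp" \
      && mv "$1.tmp" "$1"
}

# demo: three broker-style events (constructed), a valid chain, then one
# tampered entry. Run as: sh this_file.sh --demo
demo() {
    f=$(mktemp); key=local-audit-key
    audit_append "$f" "$key" "grant OPENAI_API_KEY pid=4242 ttl=24h"
    audit_append "$f" "$key" "exec pid=4242 cmd=pytest"
    audit_append "$f" "$key" "revoke pid=4242"
    audit_verify "$f" "$key"                  # ok 3
    tamper_event "$f" 2 pytest deploy
    audit_verify "$f" "$key" || true          # bad tag at entry 2
    rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Two caveats a reviewer should keep in mind with any log of this shape. The chain proves that nothing inside the log was altered or removed, but cutting entries off the tail leaves a shorter log that still verifies, so the latest tag has to be anchored somewhere the writer cannot reach (a file with different permissions, or a copy elsewhere) before truncation is detectable. And HMAC is symmetric: whoever holds the key can rewrite the chain, so the log is evidence against a process that lacks the key, such as the agent, not against the operator's own account.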

Which tool to pick

HashiCorp Vault when you have platform engineering capacity and need database credential rotation, dynamic secrets at scale, or a programmable API other infrastructure calls.

AWS Secrets Manager when your workloads run inside AWS and you want credentials managed in the same account with IAM as the access layer. Add SSM Parameter Store for simple config values that do not need rotation.

Doppler when you are a team of 3 to 15 who want a clean SaaS dashboard, fast CI/CD integrations, and no infrastructure. The free tier handles modest solo needs.

1Password when your team already pays for it and wants machine secrets and CI/CD service accounts without a second vendor.

Infisical when you need Doppler-level ergonomics with self-hosting as a non-negotiable: data residency, air-gapped networks, or open-source auditability.

Bitwarden Secrets Manager when you want a managed open-source platform at the lowest per-seat cost in this tier.

.env files for throwaway prototypes with placeholder values. Nothing else.

A local broker when your workflow runs primarily through an AI coding agent and your core concern is what the agent can see.

What this means for your stack

Notice that seven of the eight tools give the same answer in the agent-context-exposure column: the agent can read the value. Six are Full outright, and Vault is marked implementation-dependent only because you could build a brokering layer on top of it; its stock templates and SDK calls materialize the value like the rest. That is not a knock on any of them. Vault, AWS, Doppler, 1Password, Infisical, and Bitwarden are good at the problem they were built for, which is storing and delivering credentials to applications and pipelines. Delivering to an application means materializing the value where the application runs, and when an AI coding agent shares that environment, "where the application runs" includes the agent's context.

So the selection collapses to one question. If your secrets only ever reach deployed services and CI jobs, pick from the seven by team size, cloud, and budget. If an AI coding agent reads from the same environment, the env-var model is the wrong shape regardless of how good the dashboard is, and the only row in the matrix that reads None is the broker. Other agent-specific tools are outside this roundup and belong in a narrower comparison of their own. The move that changes your exposure is leaving ambient environment variables behind. Everything above is which destination fits.

