shush

shush is a secrets manager for apps. Like Doppler or Infisical, with first-class environments, shared secrets, audit, version history, and a runtime API.

What you get

• Environments — dev, staging, preview, prod as first-class citizens. Override values per env, or inherit from a parent.
• Shared secrets — an org-wide secret store that any project can reference. Rotate once, propagate everywhere.
• Audit — every mutation is recorded in an append-only audit_log.
• Version history — every secret value is versioned; you can roll back.
• Runtime API — services pull current values at boot via the @shushsecrets/inject SDK or CLI.
• 2FA everywhere — TOTP is mandatory on every account.

Stack

• Backend — Bun + Hono + Drizzle (Postgres) + better-auth (org + 2FA) + Redis + Resend
• Frontend — Vite + React 19 + react-router + TanStack Query + shadcn/ui
  • GSAP / Motion
• Encryption — AES-256-GCM envelope (master KEK wraps per-org DEK; values use org DEK)
• 2FA — TOTP, mandatory on every account
• Tenancy — multi-tenant via better-auth organization plugin

Where to go next

• Quickstart — install, log in, push your first secret.
• CLI reference — every shush subcommand and flag.
• SDK reference — the Node SDK (@shushsecrets/inject).
• REST API — HTTP endpoints grouped by resource.
• Self-host — run shush on your own infrastructure.