Market Standard · secrets

Encrypted secrets with AI-agent reference mode.

AES-256-GCM encrypted secrets with .env/Doppler import, a token-authed env-injection CLI, and an AI-agent reference endpoint that lets agents see keys without ever seeing values.

Agents see keys, not values. Toggle agentReference on any secret so AI agents can discover it exists without being able to read it.

AES-256
GCM at rest
ms-vault
env-injection CLI
Agents
reference-only
Env injection

$ ms-vault run --token $VAULT_TOKEN \

--project proj_abc \

-- npm start

{
  "DATABASE_URL": "postgres://…",
  "STRIPE_SECRET_KEY": "sk_live_…",
  "OPENAI_API_KEY": "sk-…"
}

200 OK · decrypted into child env

Cipher
AES-256-GCM
Agents
reference only
Mission

Secrets that agents can read about, but not read.

Standard Vault is an encrypted secrets manager designed for the AI-agent era. Store production secrets with AES-256-GCM, inject them into subprocess environments via a token-authed CLI shim, import from .env or Doppler JSON, and expose a reference endpoint that tells AI agents what keys exist without leaking values — so an agent can ask 'does this project have a STRIPE_SECRET_KEY?' without ever being able to exfiltrate it.

Capabilities

Built for the agent era.

01

AES-256-GCM at rest

Every secret value is encrypted with a per-tenant key derived from VAULT_MASTER_KEY. Versioned + hashed for rotation tracking.

02

Env-injection CLI

ms-vault run --project X --token Y -- npm start injects decrypted secrets into the child process env — never written to disk.

03

.env / Doppler import

Paste a .env file or Doppler JSON payload to bulk-import secrets. Comments become notes. Quotes stripped.

04

AI-agent reference mode

Per-secret flag exposes key + version (never value) at /api/projects/{id}/references — share with agents safely.

05

Per-project tokens

Mint short-lived or long-lived tokens scoped to a single project. Revoke any time. Last-used tracking.

06

Full audit log

Every create, rotate, delete, decrypt, and token mint is logged with actor + metadata.

How it works

Vault your first secret in 60 seconds.

  1. 01Create a project (name + environment).
  2. 02Add a secret or import an .env file.
  3. 03Mint an env-injection token.
  4. 04Run: ms-vault run --project X --token Y -- npm start
  5. 05Toggle agentReference on keys you want agents to know about.
Pricing

Free to start. Unlimited when you need it.

Start free. Upgrade when you outgrow limits or want to remove the powered-by badge.

Free
$0

1 project · 25 secrets · agent reference

Starter
$19/mo

Unlimited projects · tokens · audit log

Why Market Standard

Encrypted, audited, agent-safe.

Three focused products, one portfolio. Each app is built to spread your brand while solving one job extremely well.

Open Dashboard
AES-256-GCM encryption at rest
Token-authed env-injection CLI
AI-agent reference mode (keys only)
Full audit log of every action
Compare

How Market Standard compares

FeatureSpreadsheetsGeneric SaaSMarket Standard
Market Standard
Purpose-built for the workflowNoPartialYes
Free tier with no credit cardSometimesYes
Open schema (Postgres + Drizzle)NoNoYes
Viral powered-by badge on free tierNoNoYes
Cross-sells into the rest of the suiteNoNoYes
Self-hostable source-available codeNoNoYes
FAQ

Common questions

Everything you need to know before signing up.

Is there a free tier?
Yes. Every Market Standard app ships with a usable free tier so you can validate the workflow before paying. Upgrade when you outgrow limits or want to remove the powered-by badge.
Do I need to install anything?
No. Each app is a standalone web service. Sign in with email magic link, connect your integrations, and start using the dashboard immediately.
How does the powered-by badge work?
Free-tier artifacts (poll messages, embed widgets, short-link redirects) carry a small 'Powered by Market Standard' badge. Upgrading removes the badge and unlocks higher limits.
Can I use this with the rest of the Market Standard suite?
Yes. Every app cross-links to its siblings — Standard Polls surfaces Standard Standup, Standard Metrics deep-links to Standard Links, and so on. Sign in once with the same email.
Where is my data stored?
Postgres on Supabase, encrypted at rest. Each app exposes a privacy page detailing what is stored and for how long. You can export or delete your data at any time.
Standard Vault — AI-Agent-Safe Secrets Manager by Market Standard