Skip to content

Layerbase app

Secrets your server can never read

Store project secrets and environment variables encrypted at rest with age. The server never holds a decryption key: you fetch with curl and decrypt locally, gated by per-environment read tokens with IP allowlists.

End-to-end encryption with age

Secrets are encrypted before storage. The server can never decrypt what it holds, so a breach of the store never exposes a plaintext value.

Per-environment read tokens

Dev, staging, and prod each get their own read token, revocable independently. Rotate one environment without touching the others.

IP allowlists on tokens

Scope each token to the addresses that should ever present it, so a leaked token is useless from anywhere you did not authorize.

curl-first workflow

Fetch secrets in CI or on a server with one curl command and decrypt locally with your age key. No SDK to install, no daemon to run.

Quickstart

bash
# Fetch the encrypted bundle for one environment, decrypt locally.
curl -sf https://your-store.layerbase.app/v1/env/prod \
  -H "Authorization: Bearer $LAYERBASE_SECRET_TOKEN" \
  | age -d -i ~/.config/layerbase/age.key

Pricing

Run Secret Store standalone for a flat $3/mo, or get it included with the Pro and Custom plans at no extra charge. Flat pricing, no per-secret or per-seat meter.

Common questions

Can the server read my secrets?

No. Values are encrypted with age before they reach the store, and the decryption key never leaves your machine. The server holds only ciphertext, so it can never read what you store.

How do I use it in CI or on a server?

Fetch the encrypted bundle for an environment with a single curl call, authenticated by that environment read token, then decrypt locally with your age key. It slots into any CI runner or server without an SDK.

What category does this replace?

It covers the same job as Doppler, Infisical, and HashiCorp Vault: a central place for project secrets and environment variables with per-environment access. The distinction is the zero-knowledge model, where the server holds only age-encrypted ciphertext and decryption happens on your side.

Do I need the database plan?

Secret Store is included with the Pro and Custom plans, or you can run it standalone for a flat $3/mo. It comes with the managed database that backs it, with no per-secret metering.

More:All Layerbase appsPlans and pricing