Secrets delivered automatically — never via disk or plaintext

Store, deliver, and rotate secrets via API or automation.

Zaita’s Secrets Management organizes credentials, API keys, and tokens into versioned Secret Lockers. Programmatically rotate secrets using your own automation or PAM tooling via our REST API, delivering them directly to your workloads without human involvement.

30 days free · Full enterprise limits · No credit card required

The Problem

Credentials spread faster than you can track them

API keys in environment files, database passwords in config repos, tokens in CI/CD pipelines. Most organisations don't know where every secret lives — and even fewer rotate them consistently.

Without Secrets Management
  • Secrets hardcoded in repos, config files, and environment variables
  • Rotation is manual — forgotten or skipped when teams are busy
  • No inventory — credentials exist in unknown locations
  • Breached secrets stay active for months because no one knows to rotate them
  • No audit trail — no visibility into who accessed which secret, when

With Zaita Secrets Management
  • Secrets stored in named Lockers — versioned, encrypted, access-controlled
  • Rotate via REST API or portal — Zaita provides updated values to workloads automatically
  • Complete inventory — know every secret, every owner, every workload
  • Version history — previous secret values retained and accessible when needed
  • Full audit trail — every read, write, and rotation logged with user and timestamp

Secret Lockers

Named vaults for every secret type

A Secret Locker is a named, access-controlled container for a specific credential. Each Locker tracks version history and delivers its contents to the right workloads automatically.

Credentials & API Keys

Store database passwords, API keys, service account credentials, and any other sensitive string. Each Locker is encrypted at rest and access-controlled by role.

  • Database credentials — MySQL, PostgreSQL, SQL Server, Oracle
  • API keys — third-party services, internal APIs, webhooks
  • Service account passwords and access tokens

Rotation via API & Automation

Rotate secrets via the REST API or directly in the portal — Zaita provides the updated value to consuming workloads automatically. Integrates natively with Ansible, Terraform, and other automation tooling.

  • Rotate via REST API — integrates with Ansible, scripts, and CI/CD pipelines
  • Courier and Bridge automatically deliver the updated value after rotation
  • Version history retained — previous values accessible via API

Version History & Audit

Every version of every secret is retained for the configured history window. See who created each version, when it was rotated, and which workloads received each value.

  • Full version history with timestamps and author
  • Every read and delivery logged in the tamper-proof audit trail
  • Export audit logs to your SIEM for real-time monitoring

Delivery

Secrets reach every workload — without touching disk

Zaita delivers secrets to your workloads via the same agents used for certificate delivery — Bridges for on-premises push, and Couriers for cloud-native pull.

Bridge Delivery
On-premises push delivery agent

Bridges poll Zaita for secret updates and push them directly to on-premises servers. All communication is outbound — no firewall changes needed. Secrets are decrypted in Bridge memory and written to the configured target path.

  • Write secrets to file, environment variable, or Windows Credential Store
  • Trigger a post-delivery script (reload app, notify a service, etc.)
  • Outbound HTTPS only — works through corporate firewalls without changes
  • Self-updating with built-in high availability

Courier Delivery
Pull-based delivery CLI for cloud workloads

Couriers run on a cron schedule, authenticate using cloud-native identity (no stored passwords), and pull secrets from Zaita on demand. Ideal for cloud VMs, containers, and CI/CD pipelines.

  • Authenticates via Azure Workload Identity, AWS IAM, or SPIFFE — no stored credentials
  • Pulls only the secrets assigned to this workload's identity
  • Works in GitHub Actions, GitLab CI, and other CI/CD environments
  • Runs through a Bridge for air-gapped or private-network environments

Workload API
On-demand REST API for applications

Applications authenticate directly against Zaita's REST API and pull their assigned Lockers on demand — no agent required. Works from any runtime or language. Deploy a Bridge on-premises and workloads can pull from it instead, with local caching that keeps secrets available if the SaaS connection drops.

  • Authenticate via Azure JWT, Azure Arc, OIDC/OAuth2, SPIFFE/SPIRE, PKI certificate, or client secret
  • Pull one Locker or all assigned Lockers in a single API call
  • Route through an on-premises Bridge for local caching and offline availability
  • Ideal for microservices, CI/CD pipelines, and any app that needs secrets at runtime

Access & Audit

Know who can access what — and who did

Fine-grained access controls ensure workloads only receive the secrets they're entitled to. Every access is logged in a tamper-proof audit trail.

Workload Identity Binding

Each Secret Locker is bound to specific machine identities. Couriers, Bridges, and Workload API clients authenticate with their identity — and receive only the secrets explicitly assigned to them. Nothing else.

  • Least-privilege by design — each workload sees only its own secrets
  • Cloud-native auth — Azure JWT, Azure Arc, OIDC/OAuth2, AWS IAM, SPIFFE/SPIRE
  • Traditional auth — PKI client certificate or client secret for environments without cloud identity

Role-Based Access

Separate secrets management from PKI administration. Teams can read and update the secrets they own without touching certificate infrastructure — or vice versa.

  • Separate roles for secrets owners, rotation operators, and auditors
  • SSO / SAML integration — users authenticate through your IdP

Tamper-Proof Audit Log

Every secret read, write, rotation, and delivery is captured in Zaita's immutable audit log. Feed directly into your SIEM for real-time monitoring and compliance reporting.

  • Who accessed which secret, when, and from which workload
  • SIEM integration via webhook, S3/Azure/GCS, syslog, or REST API

Use Cases

Secrets management for every team

DevOps & CI/CD

Inject secrets at pipeline startup via Courier, or have your pipeline call the Workload API directly — no hardcoded values in repos or config files.

Database Teams

Rotate database credentials on a schedule and deliver new passwords to every application automatically.

Cloud-Native Apps

Pull secrets on startup via Courier with cloud identity — no IAM credentials to manage or rotate manually.

On-Premises Servers

Push secrets to file system paths on Windows and Linux via Bridge — with configurable post-delivery hooks.

Stop managing secrets manually. Start automating them.

Start your 30-day free trial and create your first Secret Locker today — no credit card required.
