Passwork as a secrets manager
Passwork goes beyond being an enterprise password manager — it's a complete secrets manager designed for infrastructure and CI/CD workflows. This section covers how to store, retrieve, and rotate secrets with passwork-cli, the HTTP API, and the Python SDK.
What are secrets
Secrets refer to any sensitive data that shouldn't be stored in plain text:
| Category | Examples |
|---|---|
| Passwords | Database credentials, system account passwords, local admin passwords |
| API keys and tokens | GitHub/GitLab tokens, cloud provider keys, OAuth tokens, personal access tokens |
| Cryptographic materials | Private keys, certificates, SSH keys |
| Configuration secrets | Connection strings (DSN), message broker credentials, integration tokens |
Architecture
Zero-Knowledge and client-side encryption
Passwork follows the Zero-Knowledge principle: the server never sees decrypted data. All encryption and decryption happens on the client side — whether in the browser, passwork-cli, or the SDK. Only ciphertext is stored in the database.
If the server were ever compromised, attackers would only obtain encrypted data with no means to read it.
Zero-Knowledge mode can be disabled in the on-premise version.
API-first approach
Passwork uses an API-first design: the web interface and all official clients interact through the same HTTP API available to external consumers. This provides:
- Complete feature parity — anything possible in the UI is also possible via API: creating vaults and folders, managing records, searching, configuring access rights, and viewing change history.
- Stable contract — the API is versioned and documented; interface updates don't break existing integrations.
- Programmatic access from any environment — scripts, CI/CD pipelines, microservices, and internal tools can interact with Passwork directly.
Common API use cases:
| Scenario | What the API does |
|---|---|
| CI/CD pipeline | Fetches secrets before deployment and injects them into environment variables |
| Password rotation | A script generates a new password, updates the target system, and stores it in Passwork |
| Audit and reporting | A service gathers access and modification data for compliance reports |
| Migration | Bulk import/export of records across environments |
Detailed API documentation: Passwork HTTP API.
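The CI/CD scenario in the table above (fetch secrets, inject them into environment variables) is sketched below as an added example; it is not Passwork's code. `fetch_record`, `SAMPLE_VAULT` and the record layout are hypothetical stand-ins for a real API or SDK call. The secrets are placed only in the child process's environment and are redacted from its captured output.

```python
import os
import re
import subprocess
import sys

# Constructed sample data standing in for records returned by a secrets API.
SAMPLE_VAULT = {
    "db-prod": {"login": "app_user", "password": "s3cr3t-Constructed-Value"},
}

ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")


def fetch_record(record_id):
    """Hypothetical stand-in for an API/SDK call; not a Passwork function."""
    return dict(SAMPLE_VAULT[record_id])


def build_child_env(mapping, fetch=fetch_record):
    """mapping: {ENV_VAR: (record_id, field)} -> (env dict, set of secret values)."""
    env = os.environ.copy()  # work on a copy: the parent environment is never modified
    secret_values = set()
    for name, (record_id, field) in mapping.items():
        if not ENV_NAME.match(name):
            raise ValueError(f"unsafe environment variable name: {name!r}")
        value = fetch(record_id)[field]
        if "\x00" in value:
            raise ValueError(f"NUL byte in secret for {name}")
        env[name] = value
        secret_values.add(value)
    return env, secret_values


def run_with_secrets(argv, mapping, fetch=fetch_record):
    """Run argv with secrets visible only to that child; redact them from its output."""
    env, secret_values = build_child_env(mapping, fetch)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    output = proc.stdout + proc.stderr
    # Replace longer values first so one secret containing another is fully masked.
    for value in sorted(secret_values, key=len, reverse=True):
        if value:
            output = output.replace(value, "***")
    return proc.returncode, output


if __name__ == "__main__":
    child = [sys.executable, "-c", "import os; print('pw=' + os.environ['DB_PASSWORD'])"]
    print(run_with_secrets(child, {"DB_PASSWORD": ("db-prod", "password")}))
```

Passing `argv` as a list avoids shell interpolation of secret values, and masking the captured output keeps a chatty deployment step from writing the secret into the pipeline log.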
Built-in automation tools
- passwork-cli — command-line utility for DevOps and CI/CD: fetching secrets, injecting them into environment variables, and handling rotation.
- Python SDK — library for advanced automation: migrations, integrity checks, and bulk operations.
Related documentation
- Passwork HTTP API: Overview
- CLI utility (passwork-cli): CLI utility
- Docker image with CLI: Docker container for CLI
- Python SDK: Python connector
- Integration examples: Examples