Version: 7.0

Passwork as a secrets manager

Passwork goes beyond being an enterprise password manager — it's a complete secrets manager designed for infrastructure and CI/CD workflows. This section covers how to store, retrieve, and rotate secrets with passwork-cli, the HTTP API, and the Python SDK.

What are secrets

Secrets refer to any sensitive data that shouldn't be stored in plain text:

| Category | Examples |
|---|---|
| Passwords | Database credentials, system account passwords, local admin passwords |
| API keys and tokens | GitHub/GitLab tokens, cloud provider keys, OAuth tokens, personal access tokens |
| Cryptographic materials | Private keys, certificates, SSH keys |
| Configuration secrets | Connection strings (DSN), message broker credentials, integration tokens |

Architecture

Zero-Knowledge and client-side encryption

Passwork follows the Zero-Knowledge principle: the server never sees decrypted data. All encryption and decryption happens on the client side — whether in the browser, passwork-cli, or the SDK. Only ciphertext is stored in the database.

If the server were ever compromised, attackers would only obtain encrypted data with no means to read it.

Tip: Zero-Knowledge mode can be disabled in the on-premise version.

API-first approach

Passwork uses an API-first design: the web interface and all official clients interact through the same HTTP API available to external consumers. This provides:

  • Complete feature parity — anything possible in the UI is also possible via API: creating vaults and folders, managing records, searching, configuring access rights, and viewing change history.
  • Stable contract — the API is versioned and documented; interface updates don't break existing integrations.
  • Programmatic access from any environment — scripts, CI/CD pipelines, microservices, and internal tools can interact with Passwork directly.

Common API use cases:

| Scenario | What the API does |
|---|---|
| CI/CD pipeline | Fetches secrets before deployment and injects them into environment variables |
| Password rotation | A script generates a new password, updates the target system, and stores it in Passwork |
| Audit and reporting | A service gathers access and modification data for compliance reports |
| Migration | Bulk import/export of records across environments |

Detailed API documentation: Passwork HTTP API.
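The password rotation scenario above, as an added example that is not Passwork's own code: it follows the generate, update, store order and reverts the target system if the store step fails, so the stored secret never stops working. The `vault` and `target` objects and their `get`, `put` and `set_password` methods are hypothetical in-memory stand-ins, not the Passwork API or SDK.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "-_.!@#%"

class RotationError(Exception):
    """Rotation did not complete; vault and target still agree on the old password."""

def generate_password(length=32):
    # secrets draws from the OS CSPRNG; the random module is not suitable for this.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate(record_id, vault, target):
    """Generate, update the target, then store, reverting the target if the store fails."""
    old = vault.get(record_id)
    new = generate_password()
    target.set_password(old, new)          # if this raises, nothing has changed yet
    try:
        vault.put(record_id, new)
    except Exception as exc:
        # The target accepts only `new`, but the vault still holds `old`:
        # revert the target so the stored secret keeps working.
        target.set_password(new, old)
        raise RotationError(f"store failed for {record_id}; target reverted") from exc

# --- Constructed in-memory stand-ins (assumptions, not Passwork's API) ---
class FakeVault:
    def __init__(self, records, fail_put=False):
        self.records, self.fail_put = dict(records), fail_put
    def get(self, record_id):
        return self.records[record_id]
    def put(self, record_id, value):
        if self.fail_put:
            raise ConnectionError("vault unreachable")
        self.records[record_id] = value

class FakeTarget:
    def __init__(self, password):
        self.password = password
    def set_password(self, current, new):
        if current != self.password:
            raise PermissionError("current password rejected")
        self.password = new

if __name__ == "__main__":
    vault, db = FakeVault({"db-admin": "old-pw"}), FakeTarget("old-pw")
    rotate("db-admin", vault, db)
    print("in sync after rotation:", vault.get("db-admin") == db.password)
```

The new password is never returned or printed; after a successful run it exists only in the target system and the vault record.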

Built-in automation tools

  • passwork-cli — command-line utility for DevOps and CI/CD: fetching secrets, injecting them into environment variables, and handling rotation.
  • Python SDK — library for advanced automation: migrations, integrity checks, and bulk operations.