I tested 7 secrets managers in 2026 and graded them by DX.

By Vincent Chan, May 30, 2026

A couple of weeks ago I argued that poor DX is actually the reason why people leak secrets. To inform how I'm building Capy, I signed up for every modern secrets manager and graded each one's DX against a fixed rubric.


The rubric

This test is meant to assess one thing: developer experience. Every tool went through the same setup and the same checklist, scored on four criteria, each from S Tier (effortless) down to F Tier (the tool fights you). I set feature set aside: there are already plenty of feature comparisons out there, and every one of these solutions is better than having nothing in place.

The reference stack

I modeled it on the typical stack a fast-moving team runs — especially one that doesn't yet have a secrets manager:

Layer             Choice
Team              5 developers
Services          web app + API + background worker
Hosting           a PaaS like Fly.io or Railway
Data              managed Postgres and Redis
Third-party keys  Stripe, OpenAI, Resend
CI/CD             GitHub Actions
Local dev         .env files
Environments      dev, staging, prod

The checklist

Onboarding is more than the first command. To grade it, I ran every tool from install to offboarding:

  1. Install and authenticate.
  2. Import the existing .env and run locally.
  3. Share across five developers with access control.
  4. Wire up the three environments.
  5. Inject at deploy on the PaaS and in CI.
  6. Stand up the lifecycle: rotation, expiry, auditing, offboarding.

The four criteria

Onboarding carries the most weight, because a tool you never finish standing up protects nothing.

  1. Onboarding experience (40%). How fast you stand the tool up on the fixed stack, across two clocks: time to your first real secret, and time to fully set up (whole team shared, all three environments deployed, lifecycle in place). S is effectively a single command; A is under an hour; B a few hours; C about a day; D one to three days; F more than three.
  2. Daily friction (30%). Reading, writing, syncing, switching environments. Does the secure path disappear into commands you already run? And does it stay visible to the security team, or go dark on them?
  3. Access control & revocation (20%). The everyday experience of managing who can read what: adding a teammate, scoping what they get, cutting them off cleanly the day they leave.
  4. Environment & scope (10%). Keeping dev, staging, and prod apart without hand-maintaining a permission matrix.

The tools, one by one

The writeups below are the highlights and lowlights I ran into while using each tool, viewed primarily through a UX and DX lens.

Doppler — A− Tier

Doppler was the one that made me nod. What struck me first was the breadth of connectors and how clean the CLI felt: everything bootstrapped from the terminal, no dashboard detour. doppler login, doppler setup, doppler run -- npm start, and the service had its secrets, no code touched. Twenty-plus integrations meant the same secrets flowed into GitHub Actions and the Fly deploy without copy-paste. One detail I appreciated: doppler run --mount hands secrets to the app through a Linux named pipe that gets wiped the moment the process exits, so they never touch disk. Team is $21/user/month, free up to three users, and service accounts don't count as seats — a quiet win for machine-heavy teams.[1]
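As an added illustration of the mechanism described above (not Doppler's code, and not from the original post), this Python helper hands a secrets document to a child process through a named pipe that is removed once the child exits, so the plaintext is readable exactly once and is never written to a regular file. The function name `run_with_mount`, the argv layout and the sample secret are assumptions; it needs a POSIX system for `os.mkfifo`.

```python
"""Hand a secrets document to a child process through a named pipe (FIFO).

Added example modelled on the "mount" mechanism described in the post; it is
not Doppler's code. The helper name and the sample secret are assumptions.
"""
import os
import subprocess
import tempfile
import threading


def run_with_mount(secrets_text: str, mount_path: str, argv: list) -> subprocess.CompletedProcess:
    """Run argv with secrets_text readable once at mount_path; remove the pipe afterwards."""
    os.mkfifo(mount_path, 0o600)          # owner-only; a FIFO inode stores no bytes
    writer_opened = threading.Event()

    def feed():
        # open() for writing blocks until the child opens the pipe for reading
        try:
            with open(mount_path, "w") as fifo:
                writer_opened.set()
                fifo.write(secrets_text)
        except BrokenPipeError:
            pass                          # child closed its end early; nothing to do

    feeder = threading.Thread(target=feed, daemon=True)
    feeder.start()
    try:
        return subprocess.run(argv, capture_output=True, text=True)
    finally:
        if not writer_opened.is_set():
            # the child never read the mount: drain it so the feeder can finish
            with open(mount_path, "r") as fifo:
                fifo.read()
        feeder.join(timeout=5)
        os.unlink(mount_path)             # the mount lives only as long as the child


def demo() -> dict:
    """Exercise both paths: a child that reads the mount and one that never opens it."""
    secret = '{"STRIPE_KEY": "sk_test_constructed"}'        # constructed sample secret
    mount = os.path.join(tempfile.mkdtemp(), "secrets.json")
    read = run_with_mount(secret, mount, ["cat", mount])
    skipped = run_with_mount(secret, mount, ["true"])
    return {
        "child_saw": read.stdout,
        "pipe_left_behind": os.path.exists(mount),
        "unread_child_exit": skipped.returncode,
    }


if __name__ == "__main__":
    print(demo())
```

The drain branch matters in practice: a FIFO writer blocks until some reader opens the pipe, so a child that crashes before reading would otherwise leave the feeder stuck. The same property is why a mounted pipe can be consumed only once; a process that needs the secrets twice has to keep them in memory.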

The knock people raise is that access scopes by environment, not by individual secret,[2] so you can't hide a single key inside a config someone can already reach. Honestly, that never mattered to me (it's partly why I modeled Capy's access the same way). For a team with tight need-to-know inside one environment it could bite, but most teams I'm comparing never feel it.

Infisical — A− Tier

I used Infisical's cloud, not its self-hosted offering. The onboarding pushed me through the UI first: sign up, click through creating a project, add secrets. Then, to get those secrets into the runtime, I had to set up the Infisical CLI separately. Compared to the CLI-first tools, it felt slightly more cumbersome. Once it's wired, infisical run -- npm run dev is the same clean zero-code injection everyone else offers, and the access controls are genuinely good: visual RBAC, time-boxed grants that expire on their own. Pro is $18/identity/month, the core is MIT-licensed, and it reaches well past secrets into PKI, SSH, and dynamic credentials.[1]

One myth worth killing: people still assume Infisical Cloud can't read your secrets, but it decrypts server-side. Infisical dropped default end-to-end encryption back in June 2023 because zero-knowledge made audit logs and access workflows impossible to ship.[3] At the tier most teams use, the vendor can read your data, same as Doppler or AWS. The per-identity price also counts machines as users, which adds up fast in 2026.

AWS Secrets Manager — C− Tier

AWS is the one nobody chooses so much as inherits, and I was no exception. The friction lives in the SDK. There's no run wrapper, so getting a secret into an app means a boto3 call you write yourself: client setup, error handling, and a caching layer around what is ultimately one value — all after creating an IAM role and a resource policy. AWS's own guidance has you spreading the pieces across Secrets Manager, KMS, IAM, and Parameter Store, so "where do my secrets live" ends up with four answers. The upsides are real, though: every read lands in CloudTrail automatically,[4] and the pricing is legible at $0.40/secret/month plus $0.05 per 10,000 calls — about $6/month for fifteen secrets.[5]
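The SDK path this paragraph describes, written out as an added Python example (not AWS's sample code and not from the post): a small cached reader around boto3's `get_secret_value` with the error handling and TTL caching a service needs before one value reaches the app. `SecretCache` and the offline `FakeSecretsClient` are assumptions, the sample secret is constructed, and `boto3` is imported only when no client is injected, so the file runs without the SDK installed.

```python
"""Cached reader for AWS Secrets Manager: the hand-written SDK path.

Added example, not AWS's code. SecretCache and FakeSecretsClient are
assumptions; the sample secret is constructed so the file runs offline.
"""
import json
import time

try:
    from botocore.exceptions import ClientError   # the SDK's error type
except ImportError:                                # SDK absent: same two-arg shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)


class SecretCache:
    """Reads SecretString values with a TTL cache; serves a stale value if the API fails."""

    def __init__(self, client=None, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}        # name -> (expires_at, value)
        self.api_calls = 0        # each call is billed and lands in CloudTrail

    def _client_or_default(self):
        if self._client is None:
            import boto3          # real SDK; only reached when no client is injected
            self._client = boto3.client("secretsmanager")
        return self._client

    def get(self, name: str) -> str:
        now = self._clock()
        cached = self._entries.get(name)
        if cached and cached[0] > now:
            return cached[1]      # fresh hit: no network, no charge
        try:
            self.api_calls += 1
            resp = self._client_or_default().get_secret_value(SecretId=name)
        except ClientError:
            if cached:            # expired but present: keep the service running
                return cached[1]
            raise
        value = resp.get("SecretString")
        if value is None:
            raise ValueError(f"{name} holds binary data, not a string")
        self._entries[name] = (now + self._ttl, value)
        return value

    def get_json(self, name: str, key: str) -> str:
        """AWS convention: one secret is often a JSON object of key/value pairs."""
        return json.loads(self.get(name))[key]


class FakeSecretsClient:
    """Stand-in for boto3's client so the example runs offline (constructed)."""

    def __init__(self, store: dict):
        self.store = store
        self.fail = False

    def get_secret_value(self, SecretId: str) -> dict:
        if self.fail:
            raise ClientError({"Error": {"Code": "ThrottlingException",
                                         "Message": "constructed"}}, "GetSecretValue")
        if SecretId not in self.store:
            raise ClientError({"Error": {"Code": "ResourceNotFoundException",
                                         "Message": "constructed"}}, "GetSecretValue")
        return {"Name": SecretId, "SecretString": self.store[SecretId]}


def demo() -> dict:
    """Ten reads cost one API call; an outage after expiry serves the stale value."""
    tick = [0.0]                                                   # fake clock
    client = FakeSecretsClient(
        {"prod/stripe": json.dumps({"STRIPE_KEY": "sk_test_constructed"})})
    cache = SecretCache(client, ttl_seconds=60, clock=lambda: tick[0])
    keys = [cache.get_json("prod/stripe", "STRIPE_KEY") for _ in range(10)]
    calls = cache.api_calls
    tick[0] = 120.0                                                # TTL has passed
    client.fail = True                                             # API unavailable
    stale = cache.get_json("prod/stripe", "STRIPE_KEY")
    return {"key": keys[0], "calls_for_10_reads": calls, "stale_served": stale}


if __name__ == "__main__":
    print(demo())
```

Every cache miss is a billed call and a CloudTrail event, which is the trade the caching layer makes: a shorter TTL narrows the window between a rotation and its pickup, while serving a stale value during an API failure keeps a worker alive at the cost of briefly using a credential that may already have been rotated.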

If your whole stack is already AWS, the real upside is cost: a few dollars a month, where the dedicated tools bill per seat. But the developer experience leaves a lot to be desired wherever you run it: SDK code in every service, IAM before the first secret. The honest reasons to reach for it are that it's already there and that it's cheap, not that it's good to use, and the cost of using it well is probably far higher than using a more turnkey product.

HashiCorp Vault — C− Tier

Vault is the one I have the most scar tissue from. A teammate of mine ran a Vault rollout at a previous company; getting it end to end — servers provisioned, deployed, secrets actually flowing into the stack — took over a month, a big chunk of it rewriting apps to pull secrets the Vault way. Enrolling users was its own slog. None of that is the product being bad; it's the product being a platform you operate, with audit devices that refuse to serve a request they can't log[6] and genuine dynamic secrets that expire on their own. For a regulated team that has to answer an auditor, that rigor is the point.

For everyone else it's heavy in ways a feature list never shows. You hand-write a vault.hcl, run vault operator init (five unseal keys and a root token fall out), and unseal it — then re-enter three of those five keys by hand every time the server restarts. With no vault run, each service needs its own Agent sidecar just to read a secret.[7] The licensing has shifted, too: BSL since 2023 (which spawned the Apache-licensed OpenBao fork now in production at GitLab), IBM ownership as of February 2025, and the managed SaaS reaching end-of-life on July 1, 2026 — leaving HCP Vault Dedicated at roughly $1,870/month for ten clients as the cheapest managed floor.[8]

Akeyless — C+ Tier

Akeyless is Vault's capability without Vault's operations. Most of the same toolkit — dynamic secrets, rotation, certificates, KMS, machine-identity governance — arrives as SaaS, and standing it up is closer to a few configuration screens than a cluster build. Reviewers on Gartner Peer Insights rate it noticeably easier to use than Vault (around 9.0 versus 7.6) and rate its support higher, and the recurring line is that they integrated the same things they would have with Vault, just faster.[9] The architecture is genuinely distinctive: Distributed Fragments Cryptography splits the encryption key so Akeyless never holds a complete copy — a real zero-knowledge-style guarantee. The Gateway that brokers dynamic secrets and caching is a single Docker or Helm command to stand up.[9]

The catch is the one that lands it here: it's an enterprise platform. You define auth methods and access roles, and for dynamic or cached secrets you run that Gateway in your own environment. For a regulated or machine-heavy shop that wants Vault's power delivered as SaaS, that's a strong trade. For a five-person team on a PaaS, it's more than the job needs.

1Password — B− Tier

I've used 1Password as a password manager for years. It's lovely to get started with: op run -- npm start behind a Touch ID prompt, and the local .env environment targets were genuinely smooth once set up. Business is $7.99/user/month with the developer tools bundled in.[1]

The cracks show when you actually need it to support infrastructure. Pulling vault values into a .env was a lot of click-ops: there's no command that just imports your existing file, so it's op item create one secret at a time, or the desktop-app Environments importer (still in beta) that produces a stored Environment rather than vault items, with no headless or CI path.[10] Push it toward machines and the password-manager bones show: service-account permissions are immutable, so changing scope means recreating the account, and reads cap at 10,000/hour on Business, with the API telling an over-eager service to come back in 59 minutes.[10] There are no dynamic secrets and no built-in rotation. Built for people, and stretched the moment you point it at machines.

Capy — A Tier

This is what I'm building, and I'm happy with where it landed against the rest. The reaction I keep seeing on someone's first run is some version of "wait, that's it?" You run capy, it opens a browser to log in, encrypts the .env you already have, uploads ciphertext, and rewrites the file with references — and about ninety seconds later the app is reading real secrets through process.env with nothing in the code changed.[11] Getting to production is one more command: capy deploy pushes those secrets into your infrastructure, either through native integrations or as plain environment variables for everything else. Secrets travel with the branch, so capy checkout staging lines up with git checkout staging, and a committed keep.lock shows a secret change in a pull request the way a schema migration would. The part I'm proudest of is offboarding: one capy kick makes a teammate's key material inert on the spot — an O(1) cryptographic revocation with no rotation scramble.

The model is genuinely zero-knowledge: Capy stores only ciphertext and can't read your secrets. That comes with one honest tradeoff — the team custodies its own passphrase at creation, and it's irrecoverable if lost. There's also no web dashboard, which for a developer-first team is a feature (everything stays in the terminal and in git, with no click-ops surface to drift) and a gap only if non-engineers need to manage secrets themselves, where Doppler's or Infisical's console earns its place. Finer-grained, per-secret access isn't there either, which matters at enterprise scale and rarely for a fast-moving team. All of which makes Capy the quickest, lightest way to a well-rounded setup that just works out of the box — and means I'd point you at Doppler or Infisical the moment you need a non-engineer dashboard, or Infisical specifically for more granular access.

Which one is easiest to set up?

For a fast-moving team, onboarding is the foremost question: which one is easiest to adopt, lightest to run, fastest to get a team onto. Same checklist, every tool:

Capy
  Get started: one command, ~1 min
  Share with the team: capy invite, one command, scriptable
  Full setup: ~20 min
  Grade: S

Doppler
  Get started: ~5 min (login/setup/run)
  Share with the team: dashboard or CLI invite, env-scoped roles
  Full setup: ~30–45 min
  Grade: A

Infisical
  Get started: ~10 min (sign up, install, init)
  Share with the team: dashboard invite + an RBAC role
  Full setup: ~1 hr
  Grade: A−

1Password
  Get started: ~10–15 min (needs the desktop app)
  Share with the team: shared vault (people easy; machines need service accounts)
  Full setup: half a day to a day
  Grade: C

Akeyless
  Get started: ~30–60 min (SaaS account + auth method)
  Share with the team: RBAC roles and auth methods in the console
  Full setup: ~1 day (more with a Gateway)
  Grade: C

AWS Secrets Manager
  Get started: ~30–60 min (IAM role + first SDK call)
  Share with the team: IAM users/roles plus a policy per secret
  Full setup: ~2 days
  Grade: D

HashiCorp Vault
  Get started: ~half a day (install, init + unseal, agents)
  Share with the team: auth methods, policies, and tokens to hand out
  Full setup: 3+ days
  Grade: F

CLI-first tools share a secret in a command or two, while the heavier options make you write IAM policy or HCL first. For a fast-moving team, that gap is the difference between onboarding a solution in minutes or losing a day or a week to it.

Overall developer experience

Each grade is the weighted average of the four criteria: onboarding (40%), daily friction (30%), access control (20%), environment & scope (10%).

Tool                 Onboarding (40%)  Daily friction (30%)  Access control (20%)  Env (10%)  Grade
Capy                 S                 A−                    A                     A          A
Doppler              A                 A                     A−                    A          A−
Infisical            A−                A                     A                     A          A−
1Password            C                 A+ (existing users)   C+                    B          B−
Akeyless             C                 C+                    B                     B          C+
AWS Secrets Manager  D                 C+                    C+                    B          C−
HashiCorp Vault      F                 C                     B                     A          C−

Capy lands an A; Doppler and Infisical follow close behind at A−. Among the three it's a fit decision: Doppler for the broadest integrations and a dashboard non-engineers can use, Infisical for a mature open-source platform with a broad feature set, Capy for the quickest path to a setup that just works out of the box.

Which one for your team

Everything above grades one thing: developer experience. That focus is deliberate — poor DX is the main reason secrets management goes unadopted, and a tool a team never fully adopts secures nothing. But DX isn't the only reason to choose a tool, and each one here is genuinely the best answer to some question. Capy's claim is narrow: the best developer experience of the group. Here's the honest case for each, played to its real strength:

If your priority is: the best developer experience — the quickest setup that just works
  Reach for: Capy
  Because: fastest path to shared, deployed, zero-knowledge secrets

If your priority is: the widest catalog of native integrations and a polished multi-user dashboard
  Reach for: Doppler
  Because: years of ecosystem breadth; syncs into nearly everything

If your priority is: a mature open-source platform with a visual console and broad features (PKI, SSH, dynamic secrets)
  Reach for: Infisical
  Because: MIT-licensed, large community, deepest open-source feature set

If your priority is: staying entirely inside AWS with no new vendor
  Reach for: AWS Secrets Manager
  Because: native IAM and CloudTrail you already operate and trust

If your priority is: one tool for both team passwords and developer secrets
  Reach for: 1Password
  Because: consolidates human and machine secrets in software you already run

If your priority is: Vault-class capability and dynamic secrets, delivered as SaaS
  Reach for: Akeyless
  Because: the Vault feature set without the Vault ops; split-key cryptography

If your priority is: provable audit, dynamic secrets, and policy-as-code in a regulated org
  Reach for: HashiCorp Vault (or OpenBao)
  Because: the deepest governance and capability in the category

Capy wins on developer experience. The others win on reach, openness, cloud-native fit, consolidation, and governance. For plenty of teams, the friction Capy removes is exactly the one that was blocking adoption.

What goes next?

Every tool here makes secrets easier to handle, but none of them addresses the whole problem. Every time we add more rules and controls, we also raise the onboarding cost — and that higher cost is exactly what drives failed adoption for more and more teams. It's counterproductive.

And the problem keeps growing. We're now at 29 million new secrets leaked every year,[12] now joined by AI agents that write millions of commits a month and leak secrets at twice the human rate.[13] More services, more identities, more secrets — and piling on more manual configuration is the wrong answer. What Capy is building next is aimed straight at that — more in the next post.


Footnotes

  1. Verified 2026 pricing — Doppler, Infisical, and 1Password pricing pages.

  2. Doppler Advanced Permissions docs (environment-level access only).

  3. Infisical Update, June 2023 (end-to-end encryption made optional); Infisical Security docs (server-side AES-256-GCM).

  4. AWS Secrets Manager monitoring, AWS docs (CloudTrail always-on; per-secret IAM).

  5. AWS Secrets Manager pricing, Amazon Web Services.

  6. Audit Devices, HashiCorp Vault docs (logging hard stop).

  7. Get Started with Vault, HashiCorp Developer; "Lessons Learned Using Vault", malgregator.com.

  8. HashiCorp Adopts Business Source License (2023); HCP Vault Secrets End-of-Life; OpenBao.

  9. Akeyless Distributed Fragments Cryptography docs; Gartner Peer Insights: Akeyless vs HashiCorp Vault.

  10. 1Password service-account rate limits and Service Accounts docs (immutable permissions; 429 at the hourly cap; no .env import).

  11. Capy docs and GitHub (npm and public metrics).

  12. The State of Secrets Sprawl 2026, GitGuardian; "CISA Exposes Secrets, Credentials in 'Private' Repo", Dark Reading, May 19, 2026 (GitGuardian discovery; 844MB public since Nov 13, 2025).

  13. The Real Problem Isn't That AI Can't Write Secure Code, GitGuardian / The Hacker News, 2026.