APIAuth vs other secret-management CLIs

An honest look at how APIAuth compares to git-secret, Mozilla sops, HashiCorp Vault CLI, and direnv for API key and JWT lifecycle management in CI/CD.

Verified against each project’s public README / docs as of 2026-06-13. Rows marked ~ were not fully confirmed — verify before relying on them.

Supported Partial / unverified Not supported / not found
Feature APIAuth git-secret sops Vault CLI direnv
Encrypted local keystore AES-256-GCM, master key in ~/.apiauth/ ~ Uses GPG; not a structured keystore ~ File encryptor; no keystore layer ~ Server-side; local CLI talks to Vault Loads env files; no encryption
Generate API keys with expiry apiauth generate api-key --expiry-days N ~ Encrypts existing files; no key generation ~ Transit secrets engine; hosted
JWT support Generate + custom claims (Individual tier) ~ Can issue JWTs via auth methods
Rotate keys (hash previous value) apiauth rotate ~ Depends on secrets engine
Revoke instantly apiauth revoke ~ Via policy/lease revocation
Audit for expired / expiring keys apiauth audit, --exit-on-expired ~ Via audit backend (enterprise)
CI/CD export formats env, dotenv, github-actions, json ~ Token / lease / dynamic secrets
Free tier available Free ($0): CLI + 5 keys + env export Open source, MIT Open source, MPL 2.0 ~ Open source (BSL); server costs apply Open source, MIT
Paid tiers for teams $12 / $49 / $79 / Enterprise ~ Enterprise / HCP
No cloud service required Fully local keystore; no phone-home GPG + git Encrypts files in git Requires Vault server Loads local .env files
Install pip install --index-url https://coding-dev-tools.github.io/pypi-index/simple/ apiauth
or pip install git+https://github.com/Coding-Dev-Tools/apiauth.git
go install github.com/AGWA/git-secret@latest curl -sSO https://grids.gg/sops/releases/latest/sops-linux.amd64 Download binary or brew install vault curl -fsSL https://direnv.net/install.sh | bash

What each tool actually does well

git-secret

GPG-based file encryption for git repos. Good if the problem is “I need a secret checked into git to be unreadable until a human with a GPG key decrypts it.” Does not handle expiry, rotation, audit, or export formats. You still have to manage the GPG key distribution yourself.

Mozilla sops

File encryptor with KMS support (AWS, GCP, Azure, PGP). Good if the problem is “encrypt specific fields in a YAML/JSON file committed to git” — common for Kubernetes secrets. No keystore, no key-generation CLI, no audit, no CI export pipeline.

HashiCorp Vault CLI

The enterprise option. Dynamic secrets, lease management, audit logs, RBAC, HA. Requires running a Vault server (or HCP Vault). If your org already has Vault, APIAuth’s local-first model doesn’t replace it — they solve different problems. APIAuth is designed for teams that do not want to operate a secrets server.

direnv

Loads and unloads environment variables depending on the current directory. Useful for keeping per-project .env files out of your shell profile. It does not encrypt, generate, rotate, or audit keys. Often paired with one of the tools above.

When APIAuth makes sense

Try APIAuth

Free tier includes the full CLI, 5 keys, and env export. No account, no cloud, no telemetry.

pip install --index-url https://coding-dev-tools.github.io/pypi-index/simple/ apiauth
# or
pip install git+https://github.com/Coding-Dev-Tools/apiauth.git

View on GitHub →  ·  CI rotation guide →

Pricing: Free $0  ·  Individual $12/mo  ·  Suite $49/mo (all 11 tools)  ·  Team $79/mo. One license covers the full Revenue Holdings suite.

Verification note for W: Competitor rows marked ~ were not confirmed against live docs during this draft. Verify before committing: git-secret features, sops key-management capabilities, Vault CLI dynamic-secret support, and direnv’s scope. The apiauth claims above are sourced from apiauth/README.md (verified 2026-06-13).