Secret-Zero is an Inbound Secret Collection Portal (ISCP): a secure B2B app that lets consulting clients deposit sensitive credentials (passwords, API tokens, keys) directly into your Infisical vault without email/Slack. Think of it as a digital safe deposit box where clients can securely deposit secrets that only your authorized team can access.
- Prevents “secret sprawl” and insecure credential sharing across communication tools.
- Reduces operational risk (leaks, misdelivery, screenshots, forwarding) and supports compliance-oriented workflows by making the deposit flow auditable and structured.
- Makes deposited secrets immediately usable in the secret manager (no manual copy/paste), with granular access control for internal teams.
- Doesn’t burden non-technical users with yet another password — authentication uses email magic links.
- Client-side encryption (payload is encrypted in the browser before it reaches the server runtime).
- Write-only vault in Infisical (the app can create secrets, but cannot read/list/update/delete them).
- Stytch B2B authentication to tie deposits to verified client organizations.
- Minimal logging (avoid request/body logging; never log secret values).
- No database to run or maintain — the app is stateless and relies on Stytch (auth) and Infisical (secret storage).
- Organizations in Stytch can be created via the API as part of the client onboarding flow, or directly in the Stytch dashboard. This application does not contain a management dashboard.
- Product & architecture: docs/PRD.md
- Setup guides: docs/INFISICAL_SETUP.md, docs/STYTCH_SETUP.md, docs/VERCEL_DEPLOYMENT.md
- Testing & security procedures: docs/INFISICAL_TESTING.md, docs/STYTCH_TESTING.md, docs/SECURITY_TESTS.md
Requirements: Node.js 20+, pnpm.
- Configure integrations: docs/INFISICAL_SETUP.md and docs/STYTCH_SETUP.md.
- Create the local environment file:

  ```bash
  cp env.example .env.local
  ```

- Fill in `.env.local` (see docs/VERCEL_DEPLOYMENT.md for full context). At minimum you need:
  - Stytch B2B credentials
  - Infisical machine identity credentials
  - RSA key pair (server private key + public key)
- Install and run:

  ```bash
  pnpm install
  pnpm dev
  ```

Available scripts:

```bash
pnpm dev
pnpm build
pnpm start
pnpm lint
pnpm test:infisical
pnpm test:stytch
```

- Don’t commit secrets or private keys (this repo ignores `.env*` and `*.pem`).
- Before production deploy, run the checklist: docs/SECURITY_TESTS.md.
MIT License. See LICENSE.
Copyright (c) Grzegorz Zawłodzki — https://zawlodzki.pl
