Security First — Part 5 of 30

Secrets Managers Compared: Doppler vs Infisical vs 1Password

Written by claude-sonnet-4 · Edited by claude-sonnet-4
Tags: secrets-management, doppler, infisical, 1password, api-keys, environment-variables, security, vibe-coding, developer-tools, ci-cd


The 3 AM Text Nobody Wants

Imagine this: It's 3 AM. You get a text from your cloud provider. "Unusual activity detected. $4,200 in compute charges in the last 6 hours."

You built a side project last month with Cursor. The AI wrote most of the code. You shipped it, it worked, you were proud. What you didn't notice was that your OpenAI API key was sitting right there in config.py, committed to a public GitHub repo.

Bots scan GitHub constantly — they spotted your key within minutes of your push. By morning, someone was mining crypto on your dime.

This is not hypothetical. This is Tuesday for a lot of vibe coders in 2025.

According to a March 2026 GitGuardian report, over 29 million secrets were leaked on GitHub in 2025 — a 34% increase year-over-year. And here's the kicker: commits generated with AI tools like Claude Code leaked secrets at roughly 3.2% — double the baseline rate. AI-assisted code is making the problem worse, not better. Leaks tied to AI services (OpenAI keys, Anthropic keys, etc.) spiked 81% year-over-year.

The fix is not to stop using AI. The fix is to stop treating secrets like regular code.

Enter: secrets managers.


What Is a Secrets Manager?

A secrets manager is a service that stores your API keys, database passwords, tokens, and other sensitive credentials in a secure vault — and then injects them into your app at runtime, so they never have to live in your codebase.

Instead of this (please never do this):

# config.py — THE WRONG WAY
OPENAI_API_KEY = "sk-proj-abc123yourrealkeyhere"
DATABASE_URL = "postgresql://admin:supersecret@prod-db.example.com/myapp"

You do this:

# config.py — the right way
import os

OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
DATABASE_URL = os.environ["DATABASE_URL"]

The secrets manager handles getting those environment variables into your running process — securely, audited, and without touching your Git history.
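A fail-fast version of that config.py, added here as an example and not taken from the article: it reads the variables the secrets manager is expected to have injected, refuses to start if any is missing or still carries a scaffolding placeholder, and reports only variable names, never values. The placeholder patterns and the SecretConfigError name are assumptions of this example.

```python
import os
import re
from typing import Mapping

# Assumed placeholder shapes that AI scaffolding and tutorials leave behind; a
# "secret" still matching one of these was never replaced by a real injected value.
PLACEHOLDER_RE = re.compile(
    r"^$|^(changeme|todo|xxx+|your[-_].*|<.*>|\$\{.*\})$", re.IGNORECASE
)


class SecretConfigError(RuntimeError):
    """Raised at startup when a required secret is missing or still a placeholder."""


def load_secrets(required: list[str], env: Mapping[str, str] = os.environ) -> dict[str, str]:
    """Read the required secrets from the environment the secrets manager populated.

    Fails fast with the NAMES of the offending variables, never their values, so
    the message is safe to land in logs or a crash report.
    """
    missing = [name for name in required if name not in env]
    placeholders = [
        name for name in required
        if name in env and PLACEHOLDER_RE.match(env[name].strip())
    ]
    if missing or placeholders:
        problems = []
        if missing:
            problems.append("missing: " + ", ".join(missing))
        if placeholders:
            problems.append("placeholder values: " + ", ".join(placeholders))
        raise SecretConfigError("refusing to start; " + "; ".join(problems))
    return {name: env[name] for name in required}


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix for a startup banner, e.g. 'sk-p...'."""
    return value[:keep] + "..." if len(value) > keep else "..."


if __name__ == "__main__":
    # Constructed sample environment standing in for what `doppler run` injects.
    sample_env = {"OPENAI_API_KEY": "sk-constructed-sample", "DATABASE_URL": "your-db-url-here"}
    try:
        load_secrets(["OPENAI_API_KEY", "DATABASE_URL"], sample_env)
    except SecretConfigError as err:
        print(err)  # refusing to start; placeholder values: DATABASE_URL
```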

Three tools dominate this space for indie developers and small teams in 2026: Doppler, Infisical, and 1Password Secrets Automation. Each takes a different philosophy, and the right one for you depends on where you are right now.


The Contenders

Doppler — The Managed Workhorse

Doppler is a fully cloud-hosted secrets platform. There's no server to run, no infrastructure to maintain. You store your secrets in Doppler, and it injects them into your app via its CLI, SDKs, or native integrations.

What makes Doppler great for vibe coders:

The developer experience is genuinely polished. You install the CLI, authenticate once, and then prefix any command with doppler run -- to inject your secrets:

# Install the CLI
brew install dopplerhq/cli/doppler

# Authenticate
doppler login

# Run your app with secrets injected
doppler run -- python app.py

# Or in a Node project
doppler run -- npm start

That's it. Your code reads os.environ or process.env like normal. Doppler handles the rest.

Doppler's flat-rate pricing means you pay per developer, not per secret or API call. The Developer plan is free for up to 3 users — perfect for solo projects and small teams. After that it's $8/month per additional user. The Team plan starts at $21/user/month and adds SAML SSO, role-based access controls, automatic secret rotation, and 90 days of audit logs. (Doppler pricing)

The catch: Doppler is entirely closed-source and fully managed. You can't self-host it. For most indie builders, this is fine. For teams with strict compliance requirements that demand on-premises data, it's a non-starter.

Doppler also injects secrets exclusively as environment variables — there's no SDK to fetch individual secrets by name at runtime. That's philosophically simple, but it can feel limiting in complex apps.


Infisical — The Open-Source Challenger

Infisical is the open-source answer to Doppler. Its core is MIT-licensed, you can self-host it on your own infrastructure, and the developer experience rivals the paid competition. It's been winning developer hearts fast in 2025-2026 as teams look for alternatives after HashiCorp's controversial Business Source License shift for Vault.

What makes Infisical different:

You get a choice: use their cloud (similar to Doppler), or run it yourself on a VPS, Kubernetes cluster, or Docker Compose. This is huge for developers who need data residency control, or who just prefer not to depend on a third-party SaaS for their secrets.

The CLI workflow is nearly identical to Doppler:

# Install
brew install infisical

# Login
infisical login

# Run with secrets injected
infisical run -- python app.py

But Infisical also offers proper SDKs, so you can fetch secrets programmatically if you need to:

import { InfisicalClient } from "@infisical/sdk";

const client = new InfisicalClient({
  clientId: process.env.INFISICAL_CLIENT_ID!,
  clientSecret: process.env.INFISICAL_CLIENT_SECRET!,
});

const secret = await client.getSecret({
  environment: "production",
  projectId: "your-project-id",
  secretName: "DATABASE_URL",
});

console.log(secret.secretValue);

Infisical's free tier is genuinely generous for individuals and early teams. Paid plans (Pro and Enterprise) add advanced RBAC, secret rotation, compliance features, and cross-region replication. (Infisical pricing)

The catch: Infisical's SOC 2 Type II certification was still in progress as of late 2024, though the cloud-hosted option is maturing fast. If you self-host, HIPAA and GDPR compliance are your own responsibility to configure. And self-hosting, while powerful, does mean you own the infrastructure burden. For a solo vibe coder who just wants things to work, that overhead can be real.


1Password Secrets Automation — The Familiar Face

If you're already using 1Password to manage your personal and team passwords, you might not need to add another tool to your stack. 1Password's Secrets Automation feature extends the password manager you already know into a developer secrets platform.

What makes 1Password different:

It combines human credentials (your passwords, credit cards, secure notes) and machine credentials (API keys, tokens, database strings) in one place. For small teams that don't want to manage two separate vaults, this consolidation has real value.

The 1Password CLI works like this:

# Install the 1Password CLI (op)
brew install 1password-cli

# Sign in
op signin

# Inject secrets into a process
op run --env-file=.env.tpl -- python app.py

Your .env.tpl template file references secrets by vault path, like this:

# .env.tpl
OPENAI_API_KEY=op://MyVault/OpenAI/api_key
DATABASE_URL=op://MyVault/Postgres/connection_string

When op run executes, it substitutes those references with the real values — which never touch disk or your repo.
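To make the substitution step concrete, here is an added example (not 1Password's code and not from the article) that parses a .env.tpl of the shape shown above, validates every op:// reference before any vault read, and builds the child environment in memory only. The resolver is pluggable so the demo runs with a constructed fake vault; the `op_read` helper shells out to the real `op read` command and is the only part that assumes the CLI is installed and signed in.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Shape of a 1Password secret reference: op://<vault>/<item>[/<section>]/<field>
OP_REF_RE = re.compile(r"^op://[^/]+/[^/]+(?:/[^/]+)?/[^/]+$")
VAR_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def op_read(ref: str) -> str:
    """Resolve one reference through the real CLI (requires a prior `op signin`)."""
    done = subprocess.run(["op", "read", ref], capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def parse_env_template(template: str) -> List[Tuple[str, str]]:
    """Validate every line of a .env.tpl before anything is fetched from the vault."""
    entries: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(template.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f".env.tpl line {lineno}: expected KEY=value")
        key, value = (part.strip() for part in line.split("=", 1))
        if not VAR_NAME_RE.match(key):
            raise ValueError(f".env.tpl line {lineno}: invalid variable name {key!r}")
        if value.startswith("op://") and not OP_REF_RE.match(value):
            raise ValueError(f".env.tpl line {lineno}: malformed reference for {key}")
        entries.append((key, value))
    return entries


def render_env_template(template: str, resolve: Callable[[str], str] = op_read) -> Dict[str, str]:
    """Build the child process environment in memory; nothing is written to disk.

    The whole template is validated first, so a typo on line 5 is caught before
    line 1 has already triggered a vault read.
    """
    env: Dict[str, str] = {}
    for key, value in parse_env_template(template):
        env[key] = resolve(value) if value.startswith("op://") else value
    return env


if __name__ == "__main__":
    # Constructed template and fake resolver so this runs without the op CLI.
    TEMPLATE = "OPENAI_API_KEY=op://MyVault/OpenAI/api_key\nAPP_ENV=dev\n"
    fake_vault = {"op://MyVault/OpenAI/api_key": "sk-constructed-sample"}
    env = render_env_template(TEMPLATE, fake_vault.__getitem__)
    print(sorted(env))  # ['APP_ENV', 'OPENAI_API_KEY']
```

Pass the returned mapping as `env=` to `subprocess.run` to launch the app, which is the same effect `op run` has without ever materialising a .env file.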

You can also load secrets directly in Python:

import subprocess

# Read a specific secret via the 1Password CLI (requires a prior `op signin`).
# check=True raises CalledProcessError on failure instead of silently
# handing the app an empty string as its API key.
result = subprocess.run(
    ["op", "read", "op://MyVault/OpenAI/api_key"],
    capture_output=True, text=True, check=True
)
api_key = result.stdout.strip()

Pricing: 1Password's core password manager starts at $2.99/month for individuals and $7.99/user/month for Business. Secrets Automation is an add-on for Business customers, priced separately based on automation capacity. There's no long-term free tier for Secrets Automation. (1Password pricing)

The catch: If you're not already a 1Password customer, the cost-per-feature calculation doesn't always pencil out compared to Doppler or Infisical. The developer tooling is also less mature than dedicated secrets platforms — it feels like a password manager that learned to do secrets automation, rather than a secrets platform from the ground up.


Head-to-Head: Picking Your Tool

| Dimension | Doppler | Infisical | 1Password SA |
|---|---|---|---|
| Free tier | Yes (3 users) | Yes (generous) | No |
| Self-hosted | No | Yes (MIT license) | No |
| Open source | No | Core is MIT | No |
| SDK support | Env vars only | Full SDK + env vars | CLI + vault references |
| Secret rotation | Fully automated | Automated (cloud); manual config if self-hosted | Limited |
| SOC 2 / HIPAA | Yes (built-in) | In progress (cloud) | Yes |
| Best for | Teams wanting zero ops | Self-hosters & OSS fans | Existing 1Password users |
| Paid starts at | $8/user/mo | Per plan (usage limits) | $7.99/user/mo (Business) |

The Real-World Recommendation

Here's how I'd break it down for the AI Coding Guild community:

You're a solo builder, just getting started: Start with Infisical's free cloud tier. It's generous, the CLI is excellent, and you're not locked into a paid tier. If you ever want to self-host, the option is there.

You're on a team of 2–10 shipping fast: Go with Doppler. The zero-ops model means nobody has to play infrastructure babysitter. Flat-rate pricing is predictable as you scale. The integrations with Vercel, Railway, GitHub Actions, AWS, and Kubernetes are plug-and-play.

You're a team already deep in 1Password: Add Secrets Automation to your existing plan. The consolidation is worth it — one less vendor, one less bill, one less place to audit.

You need full data control or are in a regulated industry: Self-host Infisical. The MIT license, open codebase, and self-hosted option give you complete sovereignty over your secrets infrastructure.


Getting Started in 10 Minutes: Doppler Quickstart

Here's a complete working example for a Python project. You can replicate this pattern with Infisical or 1Password using their respective CLIs.

Step 1: Sign up and create a project

Go to doppler.com and create a free account. Create a project called my-app and add your secrets (e.g., OPENAI_API_KEY, DATABASE_URL) in the dashboard.

Step 2: Install and authenticate the CLI

# macOS
brew install dopplerhq/cli/doppler

# Linux
(curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sudo sh

# Authenticate
doppler login

Step 3: Link your project directory

cd my-app/
doppler setup
# Select your project and environment (dev/staging/production)

Step 4: Update your code to read from environment variables

# app.py
import os
from openai import OpenAI

# Secrets are injected by Doppler at runtime — never hardcoded
client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])

def ask(question: str) -> str:
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": question}]
    )
    return response.choices[0].message.content

if __name__ == "__main__":
    print(ask("What's a good first vibe coding project?"))

Step 5: Run your app with secrets injected

doppler run -- python app.py

Your API key never touches app.py, your .env file, or your Git history. If your key is compromised, you rotate it in the Doppler dashboard and every environment updates automatically.

Bonus: Add a .env.example file for teammates (and your future self)

# .env.example — commit this, NOT a .env with real values
OPENAI_API_KEY=
DATABASE_URL=
APP_SECRET_KEY=

And make absolutely sure your .gitignore has:

# .gitignore
.env
.env.local
.env.production
*.env

Why This Matters More Than Ever in 2026

The GitGuardian data from March 2026 isn't an abstraction. 29 million secrets leaked in 2025 — and AI-assisted coding is directly accelerating that number. When you ask an AI to scaffold a project, it often produces working, runnable code that uses placeholder secrets in obvious spots. The instinct is to swap in your real key and ship. Don't.

The OWASP Non-Human Identities Top 10 for 2025 lists Secret Leakage as NHI2 — the second most critical security risk for modern applications. Exploitability: Easy. Detectability: Hard. Impact: Severe.

A secrets manager is not a nice-to-have. It is the minimum viable security setup for any project that talks to an external API or database.


Action Checklist

Before you ship your next project, run through this list:

  • Audit your repo for hardcoded secrets. Run git log --all --full-history -- "*.env" "*.json" "*.py" "*.ts" and look for anything that looks like a key or password.
  • Add a .gitignore that blocks .env files before making your first commit.
  • Choose a secrets manager (Doppler, Infisical, or 1Password SA) and move all credentials out of your code.
  • Set up environment-specific configs (dev, staging, production) — don't use the same keys everywhere.
  • Enable secret rotation if your manager supports it — especially for database credentials.
  • Add secret scanning to your CI/CD pipeline. GitHub's built-in secret scanning is free and catches a lot.
  • Never paste real credentials into an AI chat window. Claude, ChatGPT, Cursor — none of them need your actual keys to help you write code.
  • Rotate any keys you suspect may have been exposed. It takes 60 seconds and costs nothing. Waiting costs thousands.
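For the first two checklist items, here is an added example of a small pre-commit or CI gate (my code, not any vendor's): it scans lines of source or `git log -p --all` output for the credential shapes this article discusses, fails the check when something is found, and prints only a redacted prefix so the report itself never leaks the value. The rules, the `allow-secret` marker and the sample lines are constructed for this example.

```python
import re
import sys
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str  # enough to locate the leak, never the full value


# Constructed rules for the kinds of secrets this article talks about. Group 1 is
# the sensitive part, so the report can redact it. Tune to your own key formats.
RULES = [
    ("openai_style_key", re.compile(r"\b(sk-[A-Za-z0-9_-]{16,})")),
    ("db_url_with_password", re.compile(r"\b[a-z]+://[^:\s/@]+:([^@\s]+)@")),
    ("quoted_secret_assignment", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]")),
]


def redact(value: str) -> str:
    """Show a 4-character prefix so a human can confirm which key leaked."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one finding per line that looks like a hardcoded credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        if "allow-secret" in line:  # assumed marker for a reviewed false positive
            continue
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, rule, redact(match.group(1))))
                break
    return findings


if __name__ == "__main__":
    # Constructed sample: the article's "wrong way" config plus one correct line.
    sample = [
        'OPENAI_API_KEY = "sk-proj-abc123yourrealkeyhere"',
        'DATABASE_URL = "postgresql://admin:supersecret@prod-db.example.com/myapp"',
        'OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]',  # reads env: no finding
    ]
    found = scan_lines(sample)
    for f in found:
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
    sys.exit(1 if found else 0)  # non-zero exit fails the commit or CI job
```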

Ask The Guild

This week's community prompt:

What secrets manager are you using — or are you still riding the hardcoded-key wildfire? Drop a comment with: (1) your current setup, (2) the moment you realized you needed to level up your secrets hygiene, and (3) any tips for onboarding AI tools to a secrets manager workflow without breaking everything.

Bonus points if you have a story (we've all got one) about a leaked key and what you learned from it. The Guild is a judgment-free zone — the only bad story is the one you keep repeating.


Tom Hundley is a software architect with 25 years of experience. He spent a decade building financial infrastructure before dedicating the last several years to teaching non-developers how to build and ship safely with AI tools. This article is Part 5 of the 30-part Security First series.
