Developers send requests. Wicket injects credentials. Secrets never touch the developer machine.
No spam. We'll only email about Wicket updates.
Point your request at stripe.wicket.local instead of api.stripe.com. Add your X-Wicket-Token header. That's it. Wicket resolves credentials at runtime and forwards upstream.
X-Wicket-Token — revoke one without rotating the API key| Wicket | Vault | Doppler / Infisical | Shared Keys | |
|---|---|---|---|---|
| Dev never sees credentials | ||||
| Per-developer audit | ||||
| Revoke one dev, keep the key | ||||
| Any HTTP client | ||||
| Centralized secret management | ||||
| Zero install for devs |
We'll notify you when we launch.
The agent is open source (MIT) and works standalone — no control plane required. The hosted control plane adds team management, audit UI, and automatic sync.
No. Wicket is the layer between your developers and your secrets manager. It works with Vault, AWS SSM, GCP Secret Manager, and others. You keep your existing secrets infrastructure — Wicket just makes sure developers never see the raw values.
Point the request URL at your Wicket endpoint (e.g. stripe.wicket.local instead of api.stripe.com) and include an X-Wicket-Token header. That's it. No SDK, no CLI, no config files.
Revoke their Wicket token. The underlying API keys stay untouched — no rotation, no downtime for the rest of the team.
Yes, MIT licensed. Always will be.
Yes. The agent runs standalone with a JSON config file. No account needed. The control plane adds team management, a variable editor, audit log UI, and automatic config sync — but it's optional.
The self-hosted agent resolves credentials inside your VPC. The hosted control plane never sees secret values — only variable names and SSM paths. Your credentials never leave your infrastructure.
We're in early development. Join the waitlist and we'll notify you as soon as we're ready.
No spam. We'll only email about Wicket updates.