HypeCreds · zero-knowledge credentials

A password manager whose server knows nothing.

HypeCreds is a zero-knowledge, end-to-end encrypted password manager — use our hosted service or run the server yourself. Every secret is encrypted on your device before it leaves; the server stores only opaque ciphertext. Whoever operates it, nobody but you can read your vault.

Request pilot access HypeCreds is currently in a private pilot. There is no public signup or download yet.

The desktop app

HypeCreds desktop app showing a vault with folders, tags, and a GitHub login open in the detail pane with username, hidden password, a live one-time password code, website, and notes.
Everything in one vault — logins with rolling one-time passwords, SSH keys, API credentials, cards, and secure notes, organized by folder and tag. Decrypted only on your machine.
HypeCreds lock screen asking for the master password to unlock the vault.
Walk away and it locks. Your master password is the only way back in — there is no admin reset, because no one else holds a key.

And a real CLI

Terminal recording of the hype CLI: creating a vault, adding a GitHub login with a generated password and TOTP secret, printing a rolling one-time password code, generating a passphrase, and listing vault items.
The hype CLI speaks the same encrypted vault format: create, add, generate, fetch one-time codes, and sync from any terminal or script — with a session agent so you unlock once, not per command.

How your secrets stay yours

  1. Your master password never leaves your device. It is stretched with Argon2id (64 MiB memory-hard by default) into a master key that exists only in client memory.
  2. The server authenticates a derivative, not the password. Login uses a one-way HKDF-derived auth hash, which the server hashes again before storing.
  3. Every item is sealed individually. Vault entries are encrypted client-side with XChaCha20-Poly1305 under a random vault key, itself wrapped by your master key — so a password change never re-encrypts your data.
  4. Sharing is public-key, end to end. Shared-collection keys are sealed to each member device with X25519 and signed with Ed25519. Administrators manage membership without ever holding a decryption key.

What's in the box

Hosted — or host it yourself

Use our managed cloud, or run the same single container plus PostgreSQL on your own infrastructure. Either way, the keys stay on your devices.

Desktop app, CLI & extension

An Electron desktop app, a hype command-line tool, and a browser extension with autofill — all speaking the same audited crypto core.

Team sharing

Organizations, collections, roles, and invitations — with cryptographic membership, key rotation on removal, and no admin backdoor.

Enterprise sign-in

OIDC single sign-on with PKCE for authentication. SSO signs you in; it never decrypts — vault keys stay client-side.

Everyday essentials

Password & passphrase generator, TOTP codes, breach checks via the HIBP k-anonymity API, trash & soft delete.

Bring your vault with you

Importers for Bitwarden, 1Password, LastPass, and Chrome; encrypted JSON export you can restore anywhere.

Honest by construction

The cryptography is boring on purpose: Argon2id, HKDF-SHA256, XChaCha20-Poly1305, X25519 and Ed25519 from audited open-source libraries, with fresh random nonces and context-bound authenticated data on every envelope. The server API accepts ciphertext and returns ciphertext. If our database leaked tomorrow, your secrets would remain sealed behind your master password's memory-hard key derivation.