AES-encrypted vault replaces plaintext .env files. Secrets auto-injected on server start. Auto-redacted from every log line.
Every developer has a .env file story. The junior who committed it. The Slack message with the production database password. The API key that ended up in a screenshot during a demo. Plaintext secrets in plaintext files are an accident in slow motion.
Donk stores secrets in an AES-encrypted local vault. You add a key-value pair — OPENAI_API_KEY, STRIPE_SECRET_KEY, whatever — and it's encrypted at rest, never written to disk in plaintext. When a server starts, its assigned secrets are injected as environment variables into the process. Your code reads them the same way it reads any env var. Nothing changes in your application code.
The vault auto-redacts secrets from all log output. If your app accidentally logs a request that contains your API key, Donk replaces it with ***REDACTED*** in the debug console. You can't leak what you can't see.
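The redaction behaviour described above, sketched as an added example (not Donk's implementation or code from this page): a Python logging formatter that masks known secret values in the final formatted line, so values passed as log arguments or surfacing in a traceback are covered too. The class name, the `min_len` cutoff and the sample secret values are assumptions constructed for illustration.

```python
import io
import logging
import re

MASK = "***REDACTED***"  # same marker the page shows


class RedactingFormatter(logging.Formatter):
    """Mask known secret values in the fully formatted log line."""

    def __init__(self, secrets, fmt=None, min_len=8):
        super().__init__(fmt)
        # Very short values would match ordinary text and shred the logs.
        values = {v for v in secrets.values() if len(v) >= min_len}
        # Longest first, so a secret that contains another is masked whole.
        ordered = sorted(values, key=len, reverse=True)
        self._pattern = re.compile("|".join(map(re.escape, ordered))) if ordered else None

    def redact(self, text):
        return self._pattern.sub(MASK, text) if self._pattern else text

    def format(self, record):
        # Redact after formatting: this covers %-args and traceback text,
        # which a filter on record.msg alone would miss.
        return self.redact(super().format(record))


def demo():
    # Constructed sample values, not real credentials.
    secrets = {
        "OPENAI_API_KEY": "constructed-openai-value-0001",
        "STRIPE_SECRET_KEY": "constructed-openai-value-0001-stripe",
        "PORT": "8080",  # below min_len, left alone
    }
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter(secrets, "%(levelname)s %(message)s"))
    log = logging.getLogger("redaction_demo")
    log.handlers[:] = [handler]
    log.setLevel(logging.DEBUG)

    log.info("POST /v1/chat Authorization: Bearer %s", secrets["OPENAI_API_KEY"])
    log.info("listening on port %s", secrets["PORT"])
    try:
        raise ValueError("bad key " + secrets["STRIPE_SECRET_KEY"])
    except ValueError:
        log.exception("charge failed")  # secret appears only in the traceback
    return stream.getvalue()
```

Calling `demo()` returns the captured log text. Exact-match masking like this only catches a secret in the form it was stored; an encoded copy (base64, URL-encoded) would need its own entry in the pattern.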
.env files — migrate in one click
donk secrets list, donk secrets set
Video: 25–35 seconds. Adding a secret, starting a server, seeing the redacted log output.