
Keyflare

Free, open-source secrets manager built entirely on Cloudflare. Single Worker + single D1 database + single master key. Zero trust storage. Self-hosted in one click. Think of it as a self-hosted Doppler or Infisical — but runs entirely on Cloudflare with zero infrastructure to manage. Get started now:
npm install -g @keyflare/cli

Why Keyflare?

Free + Open Source

MIT licensed. No restrictions, no lock-in. Own your secrets infrastructure completely.

Self-Hosted

Deploy to your own Cloudflare account in seconds. All you need is a free Cloudflare account.

Simple Architecture + One-Click Install

One Worker, one D1 database, one master key. No containers, no VMs, no Kubernetes.

Zero Trust Storage

Secret key names and values are encrypted at rest with AES-256-GCM. Even with database access, the data remains protected.

Core Concepts

Keyflare uses a simple mental model: Projects → Environments → Secrets.
Project (my-api)
├── Environment (development)
│   ├── DATABASE_URL=postgres://...
│   └── API_KEY=sk_dev_...
├── Environment (staging)
│   ├── DATABASE_URL=postgres://...
│   └── API_KEY=sk_staging_...
└── Environment (production)
    ├── DATABASE_URL=postgres://...
    └── API_KEY=sk_live_...

Projects

A project is a namespace for secrets (e.g., my-api, frontend-app). Each project can have multiple environments.

Environments

Each project has environments (e.g., production, staging, development). New projects get two default environments (dev and prod) unless created with the --environmentless flag. Project and environment names are case-insensitive.

Secrets

Key-value pairs stored per environment. Both key names and values are encrypted in D1 using AES-256-GCM.

API Keys

Keyflare uses API keys for authentication. There are two types:
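|         | User Key                                  | System Key                                  |
|---------|-------------------------------------------|---------------------------------------------|
| Prefix  | kfl_user_*                                | kfl_sys_*                                   |
| Access  | Full admin (all projects, keys, settings) | Scoped to specific project:environment      |
| Use for | Developers, admins, backup keys           | CI/CD, deployment scripts, runtime services |
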
User keys have full unrestricted access to everything — projects, environments, secrets, and API key management. System keys are scoped to specific (project, environment) pairs with either read or readwrite permission. They cannot create projects, environments, or other keys.
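
The access rules above, written as a default-deny authorization check. This is an added example, not Keyflare's own code; the key-record shape (`token`, `scopes`, `permission`) and the action names such as `secret:read` are assumptions made for illustration.

```javascript
// Added example: not Keyflare's source. Record shape and action names are assumed.
const ADMIN_ACTIONS = new Set(["project:create", "environment:create", "apikey:create"]);

// Project and environment names are case-insensitive, so compare normalized.
const sameName = (a, b) =>
  typeof a === "string" && typeof b === "string" && a.toLowerCase() === b.toLowerCase();

function keyType(token) {
  if (token.startsWith("kfl_user_")) return "user";
  if (token.startsWith("kfl_sys_")) return "system";
  return null; // unknown prefix: never treated as a valid key
}

function authorize(key, req) {
  const deny = (reason) => ({ allowed: false, reason });
  const type = keyType(key.token);
  if (type === null) return deny("unrecognized key prefix");
  if (type === "user") return { allowed: true, reason: "user key: full admin" };

  // System keys: no project, environment, or key management at all.
  if (ADMIN_ACTIONS.has(req.action)) return deny("system keys cannot perform admin actions");

  // The request must match one of the key's (project, environment) pairs.
  const scope = (key.scopes || []).find(
    (s) => sameName(s.project, req.project) && sameName(s.environment, req.environment)
  );
  if (!scope) return deny("outside key scope");

  if (req.action === "secret:read") return { allowed: true, reason: "in scope" };
  if (req.action === "secret:write") {
    return scope.permission === "readwrite"
      ? { allowed: true, reason: "in scope, readwrite" }
      : deny("scope is read-only");
  }
  return deny("unknown action"); // anything not explicitly allowed is refused
}

// Constructed sample keys (placeholders, not real credentials).
const ciKey = {
  token: "kfl_sys_EXAMPLE",
  scopes: [{ project: "my-api", environment: "production", permission: "read" }],
};
const adminKey = { token: "kfl_user_EXAMPLE" };

console.log(authorize(ciKey, { action: "secret:read", project: "My-API", environment: "PRODUCTION" }));
console.log(authorize(ciKey, { action: "secret:write", project: "my-api", environment: "production" }));
console.log(authorize(ciKey, { action: "secret:read", project: "my-api", environment: "staging" }));
console.log(authorize(adminKey, { action: "project:create" }));
```
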

How It Works

  1. CLI (kfl) communicates with the Worker API over HTTPS
  2. Worker validates API keys, enforces scopes, encrypts/decrypts secrets
  3. D1 Database stores encrypted secret data and hashed API keys
  4. MASTER_KEY (Worker secret) is used for all encryption/decryption operations

Next Steps

Quick Start

Deploy Keyflare to your Cloudflare account in minutes.

Architecture

Understand how Keyflare works under the hood.