Best Password Managers for Developers — API Keys, SSH Keys, and Team Secrets
You have API keys for Claude, OpenAI, DeepSeek, OpenRouter, and a dozen other services. SSH keys for 5 servers. Database credentials. Deployment tokens. .env files scattered across projects.
If you’re storing these in plaintext files, Slack messages, or (worst) committed to git, you have a security problem. Here’s how to fix it.
What developers need
Regular password managers store website logins. Developer password managers need to handle:
- API keys — long strings that change per environment
- SSH keys — private keys that need to be accessible from the terminal
- Environment variables — .env files with dozens of key-value pairs
- Team sharing — securely share secrets with teammates without Slack
- CLI access — retrieve secrets from scripts and CI/CD pipelines
- Audit trail — who accessed what, when
The comparison
| Feature | 1Password | Bitwarden | HashiCorp Vault |
|---|---|---|---|
| Price | $3/mo individual, $8/mo team | Free (self-host) or $1/mo | Free (self-host) |
| CLI tool | ✅ op | ✅ bw | ✅ vault |
| SSH agent | ✅ Built-in | ❌ | ❌ |
| .env injection | ✅ op run | ❌ (manual) | ✅ |
| CI/CD integration | ✅ GitHub Actions, etc. | ✅ | ✅ |
| Team sharing | ✅ Vaults | ✅ Organizations | ✅ Policies |
| Self-hostable | ❌ | ✅ | ✅ |
| Audit log | ✅ | ✅ (paid) | ✅ |
| Best for | Individual devs & small teams | Budget-conscious, self-hosters | Enterprise, infrastructure |
1Password for developers
1Password has become the developer’s choice because of two killer features:
SSH agent integration
1Password can act as your SSH agent. Your SSH keys live in 1Password, and when you ssh user@server, 1Password provides the key via biometric auth:
```
# ~/.ssh/config
# The socket path below is the macOS location of the 1Password agent.
Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
```
No more ~/.ssh/id_rsa files on disk. Keys are encrypted at rest and require biometric authentication to use.
Secret injection with op run
Instead of .env files with plaintext secrets:
```bash
# Instead of: source .env && python app.py
# Use:
op run --env-file=.env.tpl -- python app.py
```
Where .env.tpl references 1Password items:
```
ANTHROPIC_API_KEY=op://Development/Claude API/credential
OPENAI_API_KEY=op://Development/OpenAI/credential
DATABASE_URL=op://Development/Postgres/connection-string
```
Secrets are injected at runtime, never written to disk.
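A small pre-commit check for the template file described above (an added example, not 1Password's tooling or code from the original article): it confirms that secret-looking variables in .env.tpl hold op:// references rather than literal values, and it never echoes the values it inspects. The function name, the key-name heuristic and the sample input are assumptions made for illustration.

```python
import re

# Key-name fragments that suggest the value is a credential (assumed heuristic).
SECRET_HINT = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|DATABASE_URL)", re.I)
# op://<vault>/<item>/[<section>/]<field>: three or four non-empty segments.
OP_REF = re.compile(r"^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$")
LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def lint_env_template(text):
    """Return (line_number, key, problem) tuples; values are never echoed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            findings.append((lineno, None, "unparseable line"))
            continue
        key, value = m.group(1), m.group(2).strip()
        # Drop one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if value.startswith("op://"):
            if not OP_REF.match(value):
                findings.append((lineno, key, "malformed op:// reference"))
        elif value and SECRET_HINT.search(key):
            findings.append((lineno, key, "literal value in secret-looking variable"))
    return findings


# Constructed sample: the page's three references plus two deliberate mistakes.
SAMPLE = """\
# .env.tpl
ANTHROPIC_API_KEY=op://Development/Claude API/credential
OPENAI_API_KEY="op://Development/OpenAI/credential"
DATABASE_URL=op://Development/Postgres/connection-string
LOG_LEVEL=debug
OPENROUTER_API_KEY=sk-constructed-placeholder-not-a-real-key
HELICONE_API_KEY=op://Development/Helicone
"""

if __name__ == "__main__":
    for lineno, key, problem in lint_env_template(SAMPLE):
        print(f"line {lineno}: {key}: {problem}")
```

Run it against the template in a pre-commit hook or CI step and fail the job when the returned list is non-empty.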
Bitwarden for budget teams
If you want free or cheap, Bitwarden is solid. Self-host with Vaultwarden for zero cost. The CLI works for basic secret retrieval:
```bash
bw get password "Claude API Key"
```
The trade-off: no SSH agent, no .env injection, more manual workflow.
For AI developers specifically
You’re managing more API keys than most developers. A typical AI project has:
- LLM API key (Claude, GPT, DeepSeek)
- OpenRouter key (if using model routing)
- MCP server credentials
- Vector database credentials
- Hosting API tokens (Vercel, Railway)
- Monitoring keys (Helicone)
That’s 6-10 secrets per project. Multiply by environments (dev, staging, prod) and you’re managing 20-30 secrets. A password manager isn’t optional at this scale.
The minimum setup
If you do nothing else:
- Stop storing secrets in git — use .env files in .gitignore
- Use a password manager — even the free Bitwarden tier or NordPass
- Share secrets via the manager — not Slack, not email
- Rotate keys quarterly — set a calendar reminder
See our AI security checklist for the full security framework and MCP security guide for securing AI tool access.
Rotating API keys
API keys should be rotated regularly. Here’s a simple process:
- Generate new key in provider dashboard
- Update in password manager
- Deploy to staging with new key, verify it works
- Deploy to production
- Revoke old key
For teams, use 1Password’s op run to inject secrets at deploy time so rotation is a password manager update, not a code change.
Secrets in CI/CD
Never store secrets in your repository, even in encrypted form. Use your CI/CD platform’s secret management:
```yaml
# GitHub Actions
- name: Deploy
  env:
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
  run: python deploy.py
```
For Railway, Vercel, and other platforms, set secrets in the dashboard. They’re encrypted at rest and injected at runtime.
The cost of a breach
A leaked API key can cost you thousands in minutes. In 2025, researchers found that API keys committed to public GitHub repos were exploited within 30 seconds on average. Bots scan every public commit for patterns matching API keys.
Even if you immediately revoke a leaked key, the damage may already be done. Prevention is the only reliable strategy.