Encrypted secret management powered by Cloudflare Workers and D1. All secrets are encrypted at rest with AES-256-GCM. Authentication is handled through Cloudflare Access with two paths: interactive sessions using your IdP and hardware keys (passkeys, YubiKeys) for humans, and registered service tokens with named identities and scoped permissions for CI pipelines and other services. Every operation is audit-logged.