>>>
Focused Tool · BSL 1.1 · Single Binary

Stop sharing API keys in Slack.

Encrypted vault for shared API credentials. Issue scoped tokens to team members, log every access, rotate keys without redeploying. AES-256-GCM at rest, offline-verifiable Pro license.

Install Fence Free Pro — $4.99/mo Docs GitHub
Quickstart

Running in under 60 seconds.

Install
curl -fsSL https://stockyard.dev/fence/install.sh | sh
Run
FENCE_ADMIN_KEY=secret \
FENCE_ENCRYPTION_KEY=$(openssl rand -hex 32) \
fence

  API:      http://localhost:8770/api
  Resolve:  http://localhost:8770/api/resolve/{key_name}
Store a key and issue a member token
# Create a vault and store a key
curl -s -X POST http://localhost:8770/api/vaults \
  -H 'Authorization: Bearer secret' -d '{"name":"production"}'

curl -s -X POST http://localhost:8770/api/vaults/{id}/keys \
  -H 'Authorization: Bearer secret' \
  -d '{"name":"openai","value":"sk-...","provider":"openai"}'

# Issue a token to a team member
curl -s -X POST http://localhost:8770/api/vaults/{id}/tokens \
  -d '{"member_id":"{mid}","name":"alice"}'
# → fence_... (save it — shown once)

# Member resolves the key at runtime
curl http://localhost:8770/api/resolve/openai \
  -H 'Authorization: Bearer fence_...'
See it
Fence terminal output showing key storage and token-based resolution
Fence dashboard showing vaults, encrypted keys, members, and access log

Fence stores credentials encrypted at rest. Team members resolve them at runtime with scoped tokens. The dashboard shows vault contents (names only — values never shown), members, and every access.

Use cases

Three things developers use this for.

Replace .env file sharing
Every dev has a copy of production keys in their .env. One compromised laptop exposes everything. Fence issues each dev a scoped token; keys stay encrypted on the server.
Rotate keys without app restarts
Rotate a key in Fence and every app that resolves it at runtime gets the new value immediately. No redeploys, no coordinating restarts across services.
Audit who accessed what
Compliance review asks which employees had access to the Stripe key last quarter. Fence has a complete log of every resolution: who, when, from where.
Why this exists

The moment you store keys in someone else's cloud, you have accepted their terms, their pricing changes, and their uptime. Fence puts that decision back in your hands.

How it works

Start Fence with a port and a data directory. It creates its SQLite database on first run. Create keys through the web interface or POST JSON to the API. Filter and search by keyword.

In practice

A consultant keeps Fence running on a home server. Client keys stay on local disk, simplifying privacy in every contract.

Pricing

Free to run. Pro when you need more.

Free
$0
forever, self-hosted
Best for: solo devs and small projects
  • 10 keys
  • 2 members
  • 2 projects / vaults
  • Key labeling and notes
  • AES-256-GCM encrypted local storage
  • Basic access log
  • Manual key add / remove
Get started →
Pro
$4.99
per month
Best for: teams with shared credentials
  • Unlimited keys
  • Unlimited members
  • Unlimited projects / vaults
  • Role-based access (admin / reader)
  • Full key usage audit trail
  • Expiration reminders
  • Tags and search across keys
  • Export / import key sets
  • Rotation reminders
  • Shared vault views across team
Scope

When Fence is the right tool.

Fence is for teams sharing API keys through .env files or chat — which is most teams. Free covers 10 keys, 2 members, and 2 vaults. Pro ($4.99/mo) removes those limits and adds RBAC, full audit trail, and key rotation reminders.

The broader picture

When you need the full LLM control plane.

Stockyard Platform
Fence is a standalone key vault from the Stockyard family. Stockyard's full platform includes API key management integrated with LLM request tracing, cost control, team collaboration, and 25+ more tools. If you're managing LLM provider credentials for a team, Stockyard handles the full workflow.
Learn about Stockyard →
After you upgrade

How Pro gets activated.

When your payment goes through, you'll receive an email at the address you used at checkout. The email contains your license key — a string that starts with stockyard_.

Set it as an environment variable before starting Fence:

FENCE_LICENSE_KEY=stockyard_your_key_here fence

  License:   Pro (your-email@example.com)
  Dashboard: http://localhost:8770/ui

That's it. Pro features unlock immediately on startup — no restart required after the first run, no account to log into, no phone-home check. The key is verified locally.

Didn't get the email?
Check your spam folder first. If it's not there after 5 minutes, email hello@stockyard.dev with your payment confirmation and we'll send the key manually.
FAQ
Are keys stored encrypted at rest?
Yes. AES-256-GCM encryption using a key derived from FENCE_ENCRYPTION_KEY. Set this to a 32-byte hex string generated with openssl rand -hex 32.
What happens when I revoke a token?
Revocation is instant. The next resolve request with that token returns 401. The underlying key is unaffected — other tokens still work.
Can I scope a token to a specific key?
Yes. Set key_id when issuing a token and that token can only resolve that specific key, not the whole vault.
What's the free tier member limit?
2 members on Free. The API returns an error when you try to add a third. Existing members and their tokens keep working. Upgrade to Pro to remove the limit.
What's the license?
BSL 1.1. Free for small teams (under 10 members). Commercial license for larger organizations. Contact hello@stockyard.dev.
Get started

Stop sharing API keys in Slack.

Encrypted storage. Instant revocation. Free to start.

Install Fence Free Upgrade to Pro

Part of Stockyard Complete — all 150 tools for $29/mo

Related
Comparisons
Fence vs Kong Gateway
Related tools
Mirage · Barrage · Strongbox · Relay · Scout · Tally