lockzero

LockZero SDK — pull secrets into your app at runtime without storing credentials

Version: 0.1.1 (latest)
Source: npm
Maintainers: 1

lockzero — Node.js SDK

Pull secrets into your app at runtime without storing credentials.

npm install lockzero

Quickstart

import { LockZero } from "lockzero";

const kr = new LockZero({ apiKey: process.env.LOCKZERO_API_KEY! });

// Inject a whole namespace into process.env
await kr.inject("openai");
// process.env.OPENAI_API_KEY is now set, fresh from LockZero.

// Or fetch a single secret
const stripeKey = await kr.get("stripe.STRIPE_SECRET_KEY");

// Or fetch all in a namespace as an object (no env mutation)
const { OPENAI_API_KEY } = await kr.bundle("openai");

Why

  • Zero secrets in your repo or CI. Your code carries one LockZero API key; everything else is fetched at runtime.
  • Rotate without redeploying. When LockZero rotates a credential, the next kr.inject() returns the new value. Restart your worker and you're done.
  • Audit + revoke. Every fetch is logged. Revoke an SDK key in one click and the app stops working.

API

new LockZero(options)

type LockZeroOptions = {
  apiKey?:   string;          // lz_live_... from your workspace; defaults to LOCKZERO_API_KEY
  baseUrl?:  string;          // default: https://lockzero.io
  timeoutMs?: number;         // default: 10_000
  retries?: number;           // GET retry count for 429/5xx/network failures; default: 2
  retryDelayMs?: number;      // initial retry delay in ms; default: 250
};

Static secrets

| Method | Returns | Description |
| --- | --- | --- |
| get(path) | string | Resolve one secret by dotted path, e.g. "openai.OPENAI_API_KEY". |
| bundle(ns) | Record<string, string> | All secrets in a namespace as { KEY: "value" }. |
| inject(ns) | Record<string, string> | Like bundle but also sets process.env[KEY] = value. |
| getMany(paths) | Record<string, string> | Resolve many in parallel; failures are omitted. |
| injectMany(namespaces) | Record<string, string> | Bundle and inject many namespaces. |

Dynamic database credentials

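import { Pool } from "pg"; // assumption: Pool comes from node-postgres

const cred = await kr.dynamic("postgres/readonly", { ttl: 3600 });

// Pass the one-time credential straight to the pool; do not log or persist it.
const pool = new Pool({ connectionString: cred.connectionString });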

Returns a fresh DB user that expires on its own. The password is shown once — store it in your pool immediately; LockZero doesn't keep it after this call.

Errors

import { LockZeroError } from "lockzero";

try {
  await kr.get("openai.OPENAI_API_KEY");
} catch (e) {
  if (e instanceof LockZeroError) {
    console.log(e.status);  // HTTP status
    console.log(e.body);    // raw response body
  }
}
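
An added example, not part of the lockzero package or its README: a fail-closed startup loader built on get(path) and the status field of LockZeroError shown above, so a missing secret stops startup instead of being silently omitted as with getMany. The names loadRequired, partition, MissingSecretsError and fakeClient are hypothetical, and the client and values are constructed so the block runs offline.

```javascript
// Added example. loadRequired, partition, MissingSecretsError and fakeClient are
// hypothetical names; `client` is any object with get(path) -> Promise<string>.

class MissingSecretsError extends Error {
  constructor(failures) {
    // Report paths and status only, never secret values or raw response bodies.
    super("missing required secrets: " +
      failures.map((f) => `${f.path} (${f.status})`).join(", "));
    this.name = "MissingSecretsError";
    this.failures = failures;
  }
}

// Split Promise.allSettled results into secrets and failures, index-aligned with paths.
function partition(paths, settled) {
  const secrets = {};
  const failures = [];
  settled.forEach((r, i) => {
    if (r.status === "fulfilled" && typeof r.value === "string" && r.value !== "") {
      secrets[paths[i]] = r.value;
    } else {
      // LockZeroError carries .status (HTTP status); other rejections have none.
      const status = r.status === "rejected"
        ? (r.reason?.status ?? "no-response")
        : "empty-value";
      failures.push({ path: paths[i], status });
    }
  });
  return { secrets, failures };
}

// Resolve every path or throw; the result is frozen and process.env is untouched.
async function loadRequired(client, paths) {
  const settled = await Promise.allSettled(paths.map((p) => client.get(p)));
  const { secrets, failures } = partition(paths, settled);
  if (failures.length > 0) throw new MissingSecretsError(failures);
  return Object.freeze(secrets); // keyed by dotted path
}

// Constructed stand-in for a LockZero client so the example runs offline.
function fakeClient(store) {
  return {
    async get(path) {
      if (Object.prototype.hasOwnProperty.call(store, path)) return store[path];
      throw Object.assign(new Error("not found"), { status: 404 });
    },
  };
}
```

With the real SDK, pass the LockZero instance as `client`; keeping the result in an object rather than process.env also keeps the values out of the environment that child processes inherit by default.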

Self-host

If you're running your own LockZero control plane, point the SDK at it:

const kr = new LockZero({
  apiKey:  process.env.LOCKZERO_API_KEY!,
  baseUrl: "https://lockzero.your-company.com",
});

License

MIT — see LICENSE.

Keywords

secrets

Package last updated on 10 May 2026
