# Credential & Secret Management — Feature Grid

*Last updated: March 25, 2026*

Target audience: AI agent era. Rows marked 🤖 are agent-specific capabilities.

---

## Grid

| Feature | 1Password | Bitwarden | Vaultwarden | OneCLI | HashiCorp Vault | Infisical | Doppler | Aembit | **Clavitor** |
|---------|-----------|-----------|-------------|--------|-----------------|-----------|---------|--------|--------------|
| **CREDENTIAL TYPES** |
| API keys | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| SSH keys | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ |
| TOTP / 2FA codes | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Secure notes | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ |
| Passwords / logins | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Credit cards / IDs | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| Dynamic secrets | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | 🗓️ |
| **AGENT CAPABILITIES** 🤖 |
| Designed for AI agents | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ |
| MCP server (agent discovery) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Per-agent identity tokens | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ |
| Proxy mode (HTTP_PROXY) | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | 🗓️ |
| Agent info hiding (can use, can't read) | ❌ | ❌ | ❌ | ⚠️ | ⚠️ | ❌ | ❌ | ✅ | ✅ |
| Intent-based policy (LLM) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ⚠️ | 🗓️ |
| Workload identity (OIDC/SPIFFE) | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | 🗓️ |
| **SECURITY** |
| FIPS 140-3 | ⚠️ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ |
| HSM support | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | 🗓️ |
| End-to-end encrypted | ✅ | ✅ | ✅ | ⚠️ | ❌ | ⚠️ | ❌ | ❌ | ✅ |
| Zero-knowledge architecture | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Audit logging | ✅ | ✅ | ⚠️ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Secret versioning | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ |
| Secret rotation | ⚠️ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ⚠️ | ✅ | 🗓️ |
| **DEPLOYMENT** |
| Self-hostable | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Single binary | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Docker required | N/A | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | N/A | N/A | ❌ |
| Open source | ❌ | ✅ | ✅ | ✅ | ⚠️ | ✅ | ❌ | ❌ | ✅ |
| Multi-tenant | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 🗓️ |
| **HUMAN SURFACES** |
| iOS app | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| Android app | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| macOS app | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| Windows app | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| Browser extension | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| Web dashboard | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 🗓️ |
| CLI | ✅ | ✅ | ✅ | ⚠️ | ✅ | ✅ | ✅ | ✅ | ✅ |
| **INTEGRATIONS** |
| CI/CD native | ⚠️ | ⚠️ | ❌ | ❌ | ✅ | ✅ | ✅ | ⚠️ | 🗓️ |
| Kubernetes operator | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | 🗓️ |
| External vault backend | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | 🗓️ |
| **DEPLOYMENT** |
| Hosted (cloud) | ✅ | ✅ | ❌ | 🗓️ | ✅ | ✅ | ✅ | ✅ | ✅ (POPs) |
| Self-hosted | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| **PRICING** |
| Free tier | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ⚠️ | ❌ | ❓ |
| Price / year | ~$36/u | $10/u | Free | Free | Free–$$$$$ | Free–$96/u | $120+/u | Enterprise | **$12 flat** |

---

## Legend

| Symbol | Meaning |
|--------|---------|
| ✅ | Supported |
| ❌ | Not supported |
| ⚠️ | Partial / limited |
| 🗓️ | Clavitor roadmap |
| N/A | Not applicable |

---

## Notes

**1Password:** Best human UX in the market. No agent story. FIPS only via gov.1password.com (US gov offering). Strong browser extension and desktop apps.

**Bitwarden:** Open source, E2E encrypted, strong community. No agent capabilities. Self-hosted via their official server.

**Vaultwarden:** Unofficial Rust reimplementation of Bitwarden server. Single binary, lightweight. Ideal self-hosted alternative. No official support.

**OneCLI:** Only product (besides Aembit/Clavitor) designed for AI agents. Proxy-only — no vault for humans. No SSH, TOTP, or notes. Audit logging is an open feature request.

**HashiCorp Vault:** Enterprise gold standard. FIPS validated, HSM support, dynamic secrets, Kubernetes-native. Extremely complex to operate. BSL license (not truly open source since 2023). Overkill for most teams.

**Infisical:** Open-source secret management for dev teams. Strong CI/CD integrations. No agent story. Good alternative to Doppler.

**Doppler:** SaaS-only, developer-focused, great DX for injecting secrets into apps at runtime. No self-hosted. No agent capabilities.

**Aembit:** Enterprise agent identity platform. Blended human+agent identity model. SPIFFE/OIDC workload identity. Expensive, enterprise sales motion. No human vault (credential storage) — purely identity/policy.

**Clavitor:** Only product combining human vault (all credential types) + agent-native design + MCP server + single binary + FIPS + $12/yr pricing. Unique position: the vault that works for both humans and their agents.