@meowlabs/meowpass

Node.js SDK for MeowPass — E2E encrypted secret management. Same Argon2id + AES-256-GCM as the CLI, byte-compatible.

Install

npm install @meowlabs/meowpass

Quick Start

import { MeowPass } from "@meowlabs/meowpass";

const mp = new MeowPass({
  apiKey: process.env.MEOWPASS_API_KEY!,
  masterPassword: process.env.MEOWPASS_MASTER_PASSWORD!,
  keySalt: process.env.MEOWPASS_SALT!, // base64
});

// Get a decrypted secret
const stripeKey = await mp.get("vault-id", "STRIPE_KEY");

// Pull all secrets as key-value map
const secrets = await mp.pull("vault-id");
console.log(secrets.DATABASE_URL);

// Set a secret (encrypts client-side before upload)
await mp.set("vault-id", "NEW_KEY", "secret_value");

// List secret names (no values returned)
const keys = await mp.list("vault-id");

API

| Method | Returns | Description | |--------|---------|-------------| | get(vaultId, key) | string | Decrypt and return a secret | | set(vaultId, key, value) | { version } | Encrypt and store a secret | | delete(vaultId, key) | void | Delete a secret | | list(vaultId) | SecretInfo[] | List keys with versions | | pull(vaultId) | Record<string, string> | Pull all as key-value map | | listVaults() | { id, name }[] | List all vaults | | createVault(name) | { id, name } | Create a new vault | | whoami() | { email, name, tier } | Get current user |

Setup

1. Install the CLI and create an API key:

brew install meowrithm/tap/meowpass
meowpass login
meowpass apikey create my-sdk-key

2. Use the API key and your master password in the SDK config.

Security

• Master key derived client-side via Argon2id (time=3, mem=64MB, 4 threads)
• Secrets encrypted/decrypted with AES-256-GCM in your process
• API key authenticates but cannot decrypt — master password required
• Same crypto as the Go CLI — ciphertext is byte-compatible
• Zero-knowledge: the server never sees plaintext

Links

• Documentation
• Security Architecture
• GitHub
• Discord

License

MIT