Config & Secrets Management

Your configs deserve
 

ConfigPig is the managed registry that gives your team versioned config files, format conversion (JSON, YAML, TOML, INI, .env), zero-knowledge secrets management, and a REST API + MCP server — so your configs and secrets stop living in random files scattered across your codebase.

Start Free See How It Works

Free for configs. $9/mo for secrets.

Works with every MCP client and REST API

Claude Cursor Windsurf Any MCP Client REST API

Your configs are flying blind — and your secrets are exposed

When a config breaks in production, you find out from angry users — not from your tools. And the API keys inside those configs? They're sitting in plaintext in .env files, Slack messages, and claude_desktop_config.json.

Configs buried in code

Scattered across files, repos, and environments. Nobody knows what's live in production.

No version history

One bad edit and the old config is gone. No diffs, no rollback, no audit trail.

Secrets in plaintext

API keys pasted into .env files and shared over Slack. One leaked token and your whole stack is compromised.

your_app.py — before ConfigPig 
# Which version is this? Who changed it?
# Is this the same in staging?
# Nobody knows.

DB_CONFIG = {
    "host": "db.internal.prod",
    "port": 5432,
    "password": "sk-prod-8f3a...yikes",
    "api_key": "sk-ant-api03-...",
}

# Hardcoded. Plaintext secrets. No audit trail.
# One leaked key and you're done.
conn = connect(**DB_CONFIG)

How it works

From blank canvas to production-ready configs and secrets in four steps.

1

Create

Write your config in JSON, YAML, TOML, INI, or .env. Add encrypted secrets for API keys and credentials.

2

Test

Compare versions side-by-side with unified diffs. Validate format before saving. Secrets stay encrypted.

3

Deploy

Assign labels like production or staging to any version. Secrets are injected at runtime — never stored in plaintext.

4

Integrate

Fetch configs and secrets via REST API or MCP. Your AI tools get the credentials they need — securely.

Everything your configs (and secrets) need

From a simple dashboard to encrypted secrets, a full REST API, and an MCP server.

Immutable Versioning

Every save creates a new version. Compare diffs, rollback instantly, and see exactly who changed what and when.

Flexible Labels

Point labels like production and staging at any version. Create custom labels for any workflow. One config, many pointers.

Format Conversion

Store as YAML, fetch as JSON. Automatic conversion between JSON, YAML, TOML, INI, and .env formats.

Full REST API

Complete CRUD API with Swagger docs, team-scoped API keys, and fetch-with-conversion. One endpoint, always the right format.

MCP Server

Your AI tools manage configs directly. Claude, Cursor, Windsurf — any MCP client connects instantly. No plugins needed.

Secrets Management

Zero-knowledge encrypted secrets for your API keys, tokens, and credentials. The server can't read them — only your team can.

Claude Desktop — MCP 
You: Create a database config in YAML format.
     Store the password as an encrypted secret.
     Deploy to staging.

Claude: I'll set that up for you.

  • create_config    slug: "database-config"  ✓
  • store_secret     DB_PASSWORD (encrypted)  ✓
  • create_version   v1 with YAML + secret ref✓
  • promote_version  v1 → staging            ✓

Done. "database-config" is live on staging.
The DB password is encrypted — I never saw
the plaintext.

Your AI tools manage your configs and secrets

Most config tools give you a dashboard and maybe an API. ConfigPig ships a full MCP server — so Claude, Cursor, and Windsurf can create configs, store encrypted secrets, and deploy to any environment without leaving your editor.

Configs, secrets, and deployments via MCP

Config CRUD, encrypted secret storage, version management, label promotion, and format conversion.

Zero-knowledge secret injection

Secrets are decrypted client-side and injected at runtime. The server never sees plaintext.

Works with your tools today

Claude Desktop, Claude Code, Cursor, Windsurf — any MCP-compatible client connects instantly.

Zero-knowledge secrets. Not "trust us" — can't even if we wanted to.

Most secrets managers encrypt on the server. That means they hold the key. If they get breached, your secrets get breached. ConfigPig encrypts on your machine before anything leaves it. The server stores ciphertext it literally cannot decrypt — not if the database leaks, not if a rogue employee has root access, not under court order.

This is the same architecture behind 1Password and Bitwarden. Proven. Auditable. And now available for $9/mo instead of $500/mo.

See Pricing
How zero-knowledge works 
# 1. Your master key never leaves your machine
master_key = argon2id(password, salt)

# 2. Secrets are encrypted locally
ciphertext = aes_256_gcm(master_key, "sk-ant-api03-...")

# 3. Only ciphertext is uploaded
configpig.store_secret("ANTHROPIC_KEY", ciphertext)

# 4. At runtime, decrypted client-side
plaintext = aes_256_gcm_decrypt(master_key, ciphertext)
inject_env("ANTHROPIC_API_KEY", plaintext)

# The server NEVER sees the plaintext.
# Not won't — cannot.
AES-256-GCM
Argon2id key derivation
libsodium / NaCl
Full audit log

"Can't I just use Git / a database table / Vault?"

You could. Here's why teams don't.

Git isn't a config registry

And it definitely isn't a vault.

Git versions files. Configs need runtime fetching, label-based promotion, and format conversion. And secrets committed to git are secrets leaked forever.

Versions, deploys, converts, serves — with zero-knowledge secrets built in.

A database table isn't a product

2–4 weeks of engineering, minimum.

You'd build versioning, rollback, label promotion, format conversion, an API, access controls — and then zero-knowledge encryption on top. That's a product, not a table.

Sign up, create a config, store a secret, call the API. Done in 5 minutes.

HashiCorp Vault is overkill

Enterprise pricing for a 5-person team.

Vault, AWS Secrets Manager, Doppler — all built for enterprises. You don't need a $500/mo infrastructure product to stop pasting API keys into .env files.

$9/mo. Unlimited secrets. Zero-knowledge encryption. Done.

Simple, honest pricing

Free configs forever. Add secrets when you need them.

Forever Free

Config Only

$0

Config management shouldn't have a price tag. Every feature, for every user, forever.

  • Unlimited configs
  • Unlimited versions
  • Unlimited labels
  • Unlimited API calls
  • Unlimited team members
  • All 5 config formats
  • REST API + MCP server
  • Format conversion + export
Get Started Free
Configs + Secrets

With Secrets

$9 /month

Zero-knowledge encrypted secrets for API keys, tokens, and credentials. The server literally cannot read them.

  • Everything in Config Only, plus:
  • Unlimited secrets
  • Zero-knowledge encryption
  • Secret versioning + audit log
  • MCP secret injection
  • Secret references in configs
  • Environment-scoped access
  • Team secret sharing
Monthly
Annual Save 17%
Start Free, Add Secrets Later

Frequently asked questions

How does versioning work?

Every time you save a config, a new immutable version is created automatically. You can compare any two versions with a unified diff, rollback to any previous version in one click, and see exactly who changed what and when. Versions are never overwritten.

What are labels?

Labels are flexible pointers like latest, staging, and production that point to a specific config version — so you can test v5 under staging while v3 is still live under production. Custom labels are fully supported.

How does the MCP server work?

ConfigPig exposes a full MCP server that any compatible client (Claude Desktop, Claude Code, Cursor, Windsurf) can connect to. Your AI tools gain the ability to create, version, deploy, convert, and manage configs directly — no context-switching needed. Authentication uses OAuth 2.1 + PKCE.

What config formats are supported?

JSON, YAML, TOML, INI, and .env. Store in any format and fetch in any other — ConfigPig converts automatically. All formats are validated on save.

How does format conversion work?

All conversion goes through an intermediate dict: parse source → dict → serialize to target format. Nested configs are flattened for .env (e.g., db.hostDB_HOST). INI uses sections for top-level keys.

What are ConfigPig Secrets?

Secrets are zero-knowledge encrypted values for API keys, tokens, database credentials, and anything else you don't want in plain text. They're encrypted on your machine before they ever leave it — the ConfigPig server stores ciphertext it literally cannot decrypt. You can reference secrets inside your configs, inject them into MCP servers at runtime, and manage them with the same versioning and audit log you already use for configs.

Is ConfigPig really free?

Config management is 100% free with no limits. Unlimited configs, unlimited versions, unlimited API calls, unlimited team members, all five formats, the full REST API, MCP server, and format conversion. No credit card required, no trial, no catch. Add encrypted secrets for $9/month.

Stop scattering configs. Stop leaking secrets.

Free for configs. $9/mo to add encrypted secrets. Your team will wonder how they shipped products without this.

Get Started Free