Common terminology that will be referenced throughout this documentation

Secrets Manager Structure

In order to organize and maintain access to Secrets, Keeper Secrets Manager uses structures called Applications and Clients.

Keeper Secrets Manager Structure

Read below about how each of these items function in Secrets Manager.


Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.

Any record or shared folder from the vault can be shared with an Application.


Keeper Secrets Manager Applications are assigned to specific secrets or shared folders. The application is a container of permissions, client devices, audit trail, and history. An application can only decrypt the records assigned.

An application can have up to 500 records shared with it. It is recommended to use least privilege, ensuring clients only have access to the records they need. The user of the Vault can have unlimited secrets.


A Client is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.

Each Client has a unique key to read and access the secrets.

Clients adhere to the following:

  • One Time Access Tokens used for initialization that expire after 24 hours

  • IP Address lock (optional)

  • Access expiration (optional)