SDKs
The fastest way to integrate with Sirr is through one of the official client libraries. Each SDK wraps the HTTP API so you can push anonymous secrets or set named org-scoped secrets with a single function call.
Official libraries
Node.js
The @sirrlock/node package is a zero-dependency TypeScript client built on native fetch. It ships ESM and CJS bundles so it works in Node.js, Deno, Bun, and edge runtimes.
Install
npm install @sirrlock/node
Usage
import { SirrClient } from '@sirrlock/node'
const sirr = new SirrClient({
server: process.env.SIRR_SERVER,
token: process.env.SIRR_TOKEN,
})
// Push a public dead drop (value only, no key)
const { id, url } = await sirr.push('s3cret!', {
ttl: 3600,
reads: 3,
})
console.log(url) // shareable URL
// Retrieve by ID — returns the value string, or null
const secret = await sirr.get(id)
console.log(secret) // "s3cret!"
Python
The sirr package provides both synchronous and asynchronous clients powered by httpx. Python 3.10+ is supported.
Install
pip install sirr
Sync usage
import os
from sirr import SirrClient
client = SirrClient(
server=os.environ["SIRR_SERVER"],
token=os.environ["SIRR_TOKEN"],
)
# Push a public dead drop (value only, no key)
result = client.push("s3cret!", ttl=3600, reads=3)
print(result.url) # shareable URL
# Retrieve by ID — returns the value string, or None if burned/expired
value = client.get(result.id)
print(value) # "s3cret!"
Async usage
from sirr import AsyncSirrClient
async with AsyncSirrClient(
server=os.environ["SIRR_SERVER"],
token=os.environ["SIRR_TOKEN"],
) as client:
result = await client.push("s3cret!", ttl=3600, reads=3)
value = await client.get(result.id)
.NET
Sirr.Client is an async-first .NET library built on HttpClient. Targets .NET 8+ and supports dependency injection via IHttpClientFactory.
Install
dotnet add package Sirr.Client
Usage
using Sirr;
var client = new SirrClient(new SirrOptions
{
Server = Environment.GetEnvironmentVariable("SIRR_SERVER"),
Token = Environment.GetEnvironmentVariable("SIRR_TOKEN"),
});
// Push a public dead drop (value only, no key)
var result = await client.PushAsync("s3cret!", new PushOptions
{
Ttl = 3600,
Reads = 3,
});
Console.WriteLine(result.Url); // shareable URL
// Retrieve by ID — returns the value string, or null
string? secret = await client.GetAsync(result.Id);
Console.WriteLine(secret); // "s3cret!"
Rust CLI
The sirr binary is the CLI client. You can use it to push and retrieve secrets directly from the command line without any additional tooling.
Install via Cargo
cargo install sirr
Or download a prebuilt binary from the GitHub releases page.
CLI usage
# Default server: https://sirr.sirrlock.com (zero-config)
export SIRR_TOKEN=your-master-key
# Push a public dead drop
sirr push "s3cret!" --ttl 1h --reads 3
# Set a named org secret
sirr set DB_URL="s3cret!" --org $SIRR_ORG --ttl 1h
# Get by ID (public) or key (org)
sirr get a3f8...7c2d
sirr get DB_URL --org $SIRR_ORG
# List org secrets (metadata only)
sirr list --org $SIRR_ORG
# Delete a secret
sirr delete DB_URL --org $SIRR_ORG
Multi-tenant (org-scoped)
All three SDKs support multi-tenant mode. Pass an org parameter to scope secrets, principals, and keys to a specific organization. The examples above use public dead drop mode (no org, value-only). The examples below show org-scoped mode with named keys using set and get.
Org-scoped mode requires a principal key (not the master key). Start the server with sirrd serve --init to bootstrap a default org and admin principal with temporary keys.
Constructor with org
import { SirrClient } from '@sirrlock/node'
const sirr = new SirrClient({
server: process.env.SIRR_SERVER,
token: process.env.SIRR_TOKEN,
org: process.env.SIRR_ORG, // org ID from auto-init or createOrg
})
Org-scoped set and get
// Set a named secret in org (rejects duplicates with SecretExistsError)
const { key, id } = await sirr.set('db/password', 's3cret!', { ttl: 3600, reads: 3 })
// Retrieve from org bucket by key — returns the value string, or null
const value = await sirr.get('db/password')
console.log(value) // "s3cret!"
/me endpoint
// Get the current principal's identity and permissions
const me = await sirr.me()
console.log(me.principal_id) // "admin"
console.log(me.org_id) // "default"
console.log(me.permissions) // ["read", "write", "admin", ...]
Admin methods
// Create a new organization (requires master key)
const org = await sirr.orgs.create({ name: 'acme-corp' })
// Create a principal in the org
const principal = await sirr.principals.create({
org: org.id,
name: 'deploy-bot',
role: 'writer',
})
// Create a key for the principal
const key = await sirr.principals.createKey({
org: org.id,
principal: principal.id,
name: 'ci-key',
})
console.log(key.token) // Save — shown only once
Audit, webhooks & keys
All three SDKs expose methods for the newer Sirr server features: audit logs, webhooks, and scoped API keys.
Audit logs
// Query audit log
const logs = await sirr.audit({ action: 'secret.read', limit: 50 })
// Query with time range
const recent = await sirr.audit({ since: Math.floor(Date.now() / 1000) - 86400 })
Webhooks
// Register a webhook
const wh = await sirr.webhooks.create({
url: 'https://example.com/hooks/sirr',
events: ['secret.created', 'secret.burned'],
})
// List and delete
const all = await sirr.webhooks.list()
await sirr.webhooks.delete(wh.id)
Scoped API keys
// Create a scoped key
const key = await sirr.keys.create({
name: 'CI pipeline',
permissions: ['read', 'write'],
prefix: 'ci/',
})
console.log(key.token) // Save — shown only once
// List and revoke
const keys = await sirr.keys.list()
await sirr.keys.delete(key.id)