Python SDK for dotMage — a self-hosted, end-to-end encrypted .env secret manager
Project description
dotmage
Python SDK for dotMage — a self-hosted,
end-to-end encrypted .env secret manager.
The dotMage server is a zero-knowledge blob store: it only ever holds opaque encrypted blobs and wrapped keys, and never sees your master password, plaintext secrets, or the account key. This SDK therefore does two things:
- Transport — a typed client over the dotMage REST API (
/api/v1). - Client-side cryptography — key derivation, key wrapping/unwrapping, blob
encryption/decryption, sealed-key team invitations, and key rotation — everything the
reference
dmageCLI does, so secrets are encrypted and decrypted locally.
Status: alpha, under active development. The cryptographic wire format aims for byte-compatibility with the reference
dmageclient; seedocs/crypto.mdand the interop notes before relying on it in production.
Install
pip install dotmage
Quickstart
from dotmage import DotMage
# Create a vault on a fresh server (first device).
dm, recovery_code = DotMage.init_vault(
"https://secrets.example.com",
bootstrap_secret="XXXXXXXXXXXX",
master_password="correct horse battery staple",
)
print("Store this recovery code somewhere safe (shown once):", recovery_code)
dm.create_app("work/api")
dm.create_env("work/api", "prod")
dm.push("work/api", "prod", {"DATABASE_URL": "postgres://...", "STRIPE_KEY": "sk_live_..."})
secrets = dm.pull("work/api", "prod") # -> dict[str, str], decrypted locally
Async mirror:
import asyncio
from dotmage import AsyncDotMage
async def main() -> None:
async with AsyncDotMage("https://secrets.example.com") as dm:
await dm.unlock("correct horse battery staple")
print(await dm.pull("work/api", "prod"))
asyncio.run(main())
Configuration
The SDK reads configuration from environment variables (prefix DOTMAGE_) via
pydantic-settings:
| Variable | Description |
|---|---|
DOTMAGE_SERVER_URL |
Base URL of the dotMage server |
DOTMAGE_DEVICE_TOKEN |
Device token (dmage_dtok_...) |
DOTMAGE_REFRESH_TOKEN |
Refresh token (dmage_rtok_...) |
DOTMAGE_MASTER_PASSWORD |
Master password (used to unlock; keep it in a secret store) |
Documentation
docs/getting-started.mddocs/security-model.md— what the server can and cannot seedocs/crypto.md— exact cryptographic contractdocs/api-reference.md— every method mapped to the HTTP API- Per-module docs under
docs/modules/ - Runnable examples under
examples/
Development
poetry install
./scripts/linters.sh # ruff + mypy
./scripts/tests.sh # pytest with a 95% coverage gate
Releasing
CI runs check-version → lint → test → build on every push to main and on pull requests.
Publishing to PyPI happens only on a version tag, once
PyPI trusted publishing is configured for this
repository (a GitHub environment named pypi):
# bump the version in pyproject.toml and update CHANGELOG.md, then:
git tag v0.1.0
git push origin v0.1.0
License
MIT — see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dotmage-0.1.0.tar.gz.
File metadata
- Download URL: dotmage-0.1.0.tar.gz
- Upload date:
- Size: 28.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e7e36398fa2293febe0cfaef996d5e2c12072eb8a4467ab53f2ade13dd773968
|
|
| MD5 |
60b4376557961bdacb673ca4f0418132
|
|
| BLAKE2b-256 |
91fc8d4696eca7048f48be24100c1145d8bcd55e2a952fbe25c81ae82574df91
|
Provenance
The following attestation bundles were made for dotmage-0.1.0.tar.gz:
Publisher:
ci.yml on dotMage/dotmage-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dotmage-0.1.0.tar.gz -
Subject digest:
e7e36398fa2293febe0cfaef996d5e2c12072eb8a4467ab53f2ade13dd773968 - Sigstore transparency entry: 2089131157
- Sigstore integration time:
-
Permalink:
dotMage/dotmage-python@6543988149082bfe5683fee483b0dc980b9c477f -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/dotMage
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
ci.yml@6543988149082bfe5683fee483b0dc980b9c477f -
Trigger Event:
push
-
Statement type:
File details
Details for the file dotmage-0.1.0-py3-none-any.whl.
File metadata
- Download URL: dotmage-0.1.0-py3-none-any.whl
- Upload date:
- Size: 40.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
acb5b8ef8d602c1b6a28fe78eb8d5377a114c39d555f0b3f8dac8d3b0892997b
|
|
| MD5 |
1d8b331305ea14ff6247ad05a25b961e
|
|
| BLAKE2b-256 |
311ca17bc1471fc5312ab34b96cab5aef1b43b390da6c3f751f3637322427cd1
|
Provenance
The following attestation bundles were made for dotmage-0.1.0-py3-none-any.whl:
Publisher:
ci.yml on dotMage/dotmage-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dotmage-0.1.0-py3-none-any.whl -
Subject digest:
acb5b8ef8d602c1b6a28fe78eb8d5377a114c39d555f0b3f8dac8d3b0892997b - Sigstore transparency entry: 2089131674
- Sigstore integration time:
-
Permalink:
dotMage/dotmage-python@6543988149082bfe5683fee483b0dc980b9c477f -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/dotMage
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
ci.yml@6543988149082bfe5683fee483b0dc980b9c477f -
Trigger Event:
push
-
Statement type: