Skip to main content

Python SDK for dotMage — a self-hosted, end-to-end encrypted .env secret manager

Project description

dotmage

Python SDK for dotMage — a self-hosted, end-to-end encrypted .env secret manager.

The dotMage server is a zero-knowledge blob store: it only ever holds opaque encrypted blobs and wrapped keys, and never sees your master password, plaintext secrets, or the account key. This SDK therefore does two things:

  1. Transport — a typed client over the dotMage REST API (/api/v1).
  2. Client-side cryptography — key derivation, key wrapping/unwrapping, blob encryption/decryption, sealed-key team invitations, and key rotation — everything the reference dmage CLI does, so secrets are encrypted and decrypted locally.

Status: alpha, under active development. The cryptographic wire format aims for byte-compatibility with the reference dmage client; see docs/crypto.md and the interop notes before relying on it in production.

Install

pip install dotmage

Quickstart

from dotmage import DotMage

# Create a vault on a fresh server (first device).
dm, recovery_code = DotMage.init_vault(
    "https://secrets.example.com",
    bootstrap_secret="XXXXXXXXXXXX",
    master_password="correct horse battery staple",
)
print("Store this recovery code somewhere safe (shown once):", recovery_code)

dm.create_app("work/api")
dm.create_env("work/api", "prod")
dm.push("work/api", "prod", {"DATABASE_URL": "postgres://...", "STRIPE_KEY": "sk_live_..."})

secrets = dm.pull("work/api", "prod")   # -> dict[str, str], decrypted locally

Async mirror:

import asyncio
from dotmage import AsyncDotMage

async def main() -> None:
    async with AsyncDotMage("https://secrets.example.com") as dm:
        await dm.unlock("correct horse battery staple")
        print(await dm.pull("work/api", "prod"))

asyncio.run(main())

Configuration

The SDK reads configuration from environment variables (prefix DOTMAGE_) via pydantic-settings:

Variable Description
DOTMAGE_SERVER_URL Base URL of the dotMage server
DOTMAGE_DEVICE_TOKEN Device token (dmage_dtok_...)
DOTMAGE_REFRESH_TOKEN Refresh token (dmage_rtok_...)
DOTMAGE_MASTER_PASSWORD Master password (used to unlock; keep it in a secret store)

Documentation

Development

poetry install
./scripts/linters.sh   # ruff + mypy
./scripts/tests.sh     # pytest with a 95% coverage gate

Releasing

CI runs check-version → lint → test → build on every push to main and on pull requests. Publishing to PyPI happens only on a version tag, once PyPI trusted publishing is configured for this repository (a GitHub environment named pypi):

# bump the version in pyproject.toml and update CHANGELOG.md, then:
git tag v0.1.0
git push origin v0.1.0

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dotmage-0.1.0.tar.gz (28.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dotmage-0.1.0-py3-none-any.whl (40.5 kB view details)

Uploaded Python 3

File details

Details for the file dotmage-0.1.0.tar.gz.

File metadata

  • Download URL: dotmage-0.1.0.tar.gz
  • Upload date:
  • Size: 28.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dotmage-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e7e36398fa2293febe0cfaef996d5e2c12072eb8a4467ab53f2ade13dd773968
MD5 60b4376557961bdacb673ca4f0418132
BLAKE2b-256 91fc8d4696eca7048f48be24100c1145d8bcd55e2a952fbe25c81ae82574df91

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotmage-0.1.0.tar.gz:

Publisher: ci.yml on dotMage/dotmage-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dotmage-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: dotmage-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 40.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dotmage-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 acb5b8ef8d602c1b6a28fe78eb8d5377a114c39d555f0b3f8dac8d3b0892997b
MD5 1d8b331305ea14ff6247ad05a25b961e
BLAKE2b-256 311ca17bc1471fc5312ab34b96cab5aef1b43b390da6c3f751f3637322427cd1

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotmage-0.1.0-py3-none-any.whl:

Publisher: ci.yml on dotMage/dotmage-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page