Skip to main content

Prerequisites

  • Node.js 18+ (for TypeScript)
  • Python 3.9+ (for Python)
  • Go 1.21+ (for Go)
You only need one SDK installed. All three are feature-equivalent and produce interoperable vault files.

Installation

npm install -g @id-wispera/cli
Verify the installation: 
idw --version

Quick start

1

Initialize your vault

The vault is an AES-256-GCM encrypted file that stores all your credentials locally. Nothing leaves your machine.
idw init
You will be prompted to create a master passphrase. This passphrase:
  • Must be at least 8 characters
  • Is the only way to decrypt your credentials
  • Should be stored securely (consider a password manager)
  • Is never transmitted or stored in plaintext
The vault is created at ~/.id-wispera/vault.json. This file is encrypted at rest and safe to back up.
2

Scan for exposed credentials

ID Wispera ships with 30+ detection patterns that identify API keys, tokens, secrets, and other credentials across your codebase. Each detection includes a confidence score (0.0 to 1.0).Scan a project directory:
idw scan .
Scan your entire system:
idw scan --system
The scanner detects:
CategoryExamples
AI provider keysOpenAI (sk-proj-...), Anthropic (sk-ant-...), Google AI, Cohere
Cloud credentialsAWS access keys (AKIA...), GCP service accounts, Azure tokens
InfrastructureSSH private keys, Docker registry tokens, Kubernetes configs
Package registriesnpm tokens (npm_...), PyPI tokens, RubyGems keys
CommunicationTwilio, SendGrid, Slack, Discord webhook tokens
Generic secretsPrivate keys in PEM format, JWT tokens, high-entropy strings
3

Import detected credentials

Import the detected credentials into your vault. Each imported credential becomes a governed passport with full audit trail, lifecycle management, and access control.Import everything found in a directory:
idw import ./project --all --owner [email protected] -y
Import only high-confidence detections (recommended for noisy repos):
idw import ./project --min-confidence 0.9 --owner [email protected]
During import, the following metadata is preserved and attached to each passport:
  • Source file and line number where the credential was found
  • Confidence score from the detection engine
  • Pattern name that matched (e.g., “OpenAI Project Key”, “AWS Access Key ID”)
  • Tags derived from the detection (e.g., source:.env, detected:openai-key)
  • Notes with a human-readable description of where and how the credential was found
You now have a working vault with governed credentials.

What’s next

SDK usage

Use the SDK programmatically and explore the full command reference.

Passport model

Understand the passport/visa data model that powers credential governance.

Scan & import guide

Deep dive into detection patterns, confidence tuning, and bulk import workflows.

Security architecture

Learn about the encryption model, key derivation, and threat model.