Prerequisites

  • Node.js 18+ (for TypeScript)
  • Python 3.9+ (for Python)
  • Go 1.21+ (for Go)
You only need one SDK installed. All three are feature-equivalent and produce interoperable vault files.

Installation

npm install -g @id-wispera/cli
Verify the installation:
idw --version

Quick start

1. Initialize your vault

The vault is an AES-256-GCM encrypted file that stores all your credentials locally. Nothing leaves your machine.
idw init
You will be prompted to create a master passphrase. This passphrase:
  • Must be at least 8 characters
  • Is the only way to decrypt your credentials
  • Is never transmitted or stored in plaintext
After creating the vault, store the passphrase in your OS keychain so you don’t have to type it on every command:
idw auth login
The vault is created at ~/.id-wispera/vault.json. This file is encrypted at rest and safe to back up.
For CI environments, create a session token instead: idw auth token create --label "ci" --expires 24h. Session tokens are the recommended approach for headless environments — they encrypt the passphrase so no plaintext secrets are needed. See the Authentication guide for the full resolution chain.
2. Scan for exposed credentials

ID Wispera ships with 47 detection patterns that identify API keys, tokens, secrets, and other credentials across your codebase. Each detection includes a confidence score (0.0 to 1.0).
Scan a project directory:
idw scan .
Scan your entire system:
idw scan --system
The scanner detects:
Category           | Examples
-------------------|---------------------------------------------------------------
AI provider keys   | OpenAI (sk-proj-...), Anthropic (sk-ant-...), Google AI, Cohere
Cloud credentials  | AWS access keys (AKIA...), GCP service accounts, Azure tokens
Infrastructure     | SSH private keys, Docker registry tokens, Kubernetes configs
Package registries | npm tokens (npm_...), PyPI tokens, RubyGems keys
Communication      | Twilio, SendGrid, Slack, Discord webhook tokens
Generic secrets    | Private keys in PEM format, JWT tokens, high-entropy strings
3. Import detected credentials

Import the detected credentials into your vault. Each imported credential becomes a governed passport with full audit trail, lifecycle management, and access control.
Import everything found in a directory:
idw import ./project --all --owner you@company.com -y
Import only high-confidence detections (recommended for noisy repos):
idw import ./project --min-confidence 0.9 --owner you@company.com
During import, the following metadata is preserved and attached to each passport:
  • Source file and line number where the credential was found
  • Confidence score from the detection engine
  • Pattern name that matched (e.g., “OpenAI Project Key”, “AWS Access Key ID”)
  • Tags derived from the detection (e.g., source:.env, detected:openai-key)
  • Notes with a human-readable description of where and how the credential was found
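The scan and import steps above, as an added illustration in Python (not ID Wispera's code or its actual detection patterns): a small prefix-pattern scanner that records file, line, pattern name and a confidence score for each match, lowers the score for placeholder-looking values, and applies a minimum-confidence filter of the kind --min-confidence describes. The regexes, base scores, the 0.4 penalty, the 3.0 entropy cutoff and all function names are assumptions; the sample input is constructed.

```python
import math
import re
from collections import Counter

# Hypothetical patterns built from prefixes named in the table above. The
# regexes and base scores are assumptions, not ID Wispera's detection rules.
PATTERNS = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.95),
    ("OpenAI Project Key", re.compile(r"\bsk-proj-[A-Za-z0-9_-]{20,}"), 0.90),
    ("npm token", re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"), 0.90),
]
PLACEHOLDER = re.compile(r"example|changeme|x{6,}", re.IGNORECASE)


def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, source):
    """Return one finding per match, with file, line, pattern and score."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx, base in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(0)
                # Placeholder-looking or low-entropy values are probably docs or fixtures.
                weak = PLACEHOLDER.search(value) or entropy(value) < 3.0
                findings.append({
                    "pattern": name, "file": source, "line": lineno,
                    "confidence": round(base * 0.4, 2) if weak else base,
                    "preview": value[:8] + "...",  # never put the full secret in a report
                })
    return findings


def filter_min_confidence(findings, threshold):
    """Keep findings at or above threshold (0.0 to 1.0)."""
    return [f for f in findings if f["confidence"] >= threshold]


# Constructed sample input; none of these values is a real credential.
SAMPLE = (
    "OPENAI_API_KEY=sk-proj-q8Zr2LmT7vXc4NbK9pWd3HsY6f\n"
    "AWS_ACCESS_KEY_ID=AKIAQ7RT2MZK4VB9XW3N\n"
    "# docs placeholder: AKIAXXXXXXXXXXXXXXXX\n"
    "NPM_TOKEN=npm_aB3dE5fG7hJ9kL1mN3pQ5rS7tU9vW1xY3zA5\n"
)
```

Calling `filter_min_confidence(scan(SAMPLE, ".env"), 0.9)` drops the placeholder on line 3 and keeps the other three findings, which is the noise reduction a high threshold buys on a repository full of documentation and test fixtures.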
You now have a working vault with governed credentials.

What’s next

Credential injection

Use idw exec to inject vault credentials into subprocesses — no shell exports needed.

SDK usage

Use the SDK programmatically and explore the full command reference.

Passport model

Understand the passport/visa data model that powers credential governance.

Scan & import guide

Deep dive into detection patterns, confidence tuning, and bulk import workflows.

Security architecture

Learn about the encryption model, key derivation, and threat model.

Authentication

Configure vault authentication: keychain, session tokens, IDW_PASSPHRASE, or .env files.