Self-hosting
open-secret is one Go binary over a SQLite file. There's no external database, no message queue, and no cache to run. These pages cover building and running the server, the flags and environment variables you configure it with, enterprise SSO (IDP mode) and managed-extension policy for fleets, and the operator-side backup that is the last way to recover a user who has lost every device.
Build and run the server, plus the full flag/env reference.
Server URL, CORS, the audit log + SIEM export, signups, and admin.
Run the deployment in IDP mode: OIDC onboarding, the Entra / Authentik / generic providers, and the key-custody model.
OS-delivered managed policy for the extension: pin the server URL, mandate operator backup, set the org name.
The optional operator backup key and what recovery is (and isn't) possible.