The browser extension

The extension is the everyday surface: it fills credentials into login forms, offers to save new ones, generates strong passwords, fills TOTP codes, and brokers passkeys. It's a Manifest V3 extension for Chrome and Edge, with a popup that's its own app and a content script that does the in-page work.

Chrome and Edge only

The extension relies on Chrome-specific MV3 APIs (offscreen, identity) that have no equivalent in Firefox's WebExtensions layer. Firefox is not yet supported.

Pair it with your account

The extension is a device, so you pair it like any other:

Install the extension

Load the built extension for your browser (or install from the store once published). The popup opens to a pairing screen.

Pair from the web app

With the web app open and unlocked on the same machine, approve the pairing. Keys are transferred locally and the extension registers itself as a new device, your existing device vouches for it. The server never sees a private key.

Set the extension's unlock password

The extension stores its keys wrapped under an unlock password, just like the web app, and locks on idle.

Autofill

Focus a login field on any site and a small dropdown appears, anchored to the field, listing the entries that match the current site. Pick one to fill the username and password (and a one-time code, if the entry has a TOTP secret and the page has a code field). Keyboard navigation works: arrow keys move the selection, Enter fills, Escape dismisses.

Multi-step logins (Google, Microsoft, Okta, Authentik…)

Many providers ask for the identifier on one screen and the password on the next, with no password field present on the first step. open-secret handles this: on the identifier step it offers your matching entries and fills just the username, then fills the password when that step's field appears.

Save prompt

After you sign in with a credential the extension doesn't recognize, a small drawer slides in offering to save it to your vault. Clicking Save writes a new entry (encrypted to all your devices) without opening a tab or navigating away.

The prompt is deliberately quiet about things that aren't new: it won't ask you to save a credential you just autofilled from the vault, and it won't re-prompt for one already stored.

The save-credential drawer offering to save a new login — The save prompt slides in after you sign in with a new credential.

Generate a password

On a registration or change-password field, use the extension's generate password action (context menu or the field affordance) to insert a strong random password and fill any matching "confirm password" field at the same time. Generated passwords are kept briefly so the save prompt can offer the new credential.

TOTP (two-factor codes)

If a login entry carries a TOTP secret, the extension fills the current 6-digit code into the one-time-code field, including providers that use per-digit box grids or single hidden inputs behind styled cells. Codes are computed on the device; the server is never involved.

Passkeys / WebAuthn

The extension can act as a passkey provider. When a site runs a WebAuthn ceremony, a confirmation prompt appears in the page; on approval the extension creates or asserts a credential stored in your vault. If the vault is locked, it prompts you to unlock first; if it has nothing matching, it steps aside and lets the browser's native picker handle the request.

Locked and signed-out states

If the vault is locked, the autofill dropdown shows a "Vault is locked" hint rather than a misleading "no logins" message, and clears the moment you unlock from the popup. A brand-new, signed-out install simply shows "no saved logins."

Working offline

The extension keeps a local cache so reads work without the server, and queues writes to replay on reconnect, see Working offline. The popup's status dot turns red within seconds of the server becoming unreachable.