Command Palette
Search for a command to run...

Working offline

open-secret keeps working when the server is unreachable. You can still read and copy secrets, and writes are queued for replay. This page explains what works offline and how you can tell.

Reads from cache

Both the web app and the extension keep an encrypted local cache of your vault from the last successful sync. While offline:

  • the vault list and entry details render from the cache;
  • copying a password works, the cached per-entry ciphertext is decrypted and verified against your cached trusted-device set, exactly as it would be online;
  • autofill still offers and fills matching entries.

Verification offline uses the same signer set as online (including devices that signed a version before they were revoked), so a cached entry verifies identically whether or not the server is reachable.

Queued writes

Saving or editing while offline doesn't fail; the write is encrypted and queued locally, then replayed automatically when connectivity returns. The save prompt tells you when something was queued rather than synced, so "Saved" never misleads you into thinking the server has it yet.

The online indicator

A small status dot in the web app and the extension popup reflects server reachability, not just whether your browser thinks it's online:

  • the app pings the server every few seconds (a lightweight, unauthenticated config call);
  • if the server is down, behind a broken proxy, or returning errors, the dot turns red within seconds, not on the next scheduled sync;
  • when the server comes back, an out-of-cycle sync runs and the dot returns to its normal state.

Exporting offline

A vault export also works without the server. If the entry RPCs can't be reached, the export falls back to the same encrypted local cache the vault list reads, so a disconnected device can still produce a (cache-complete) export. Any entry whose detail was never cached on this device is skipped with a clear reason rather than failing the whole export.

The export still re-prompts for your unlock password first, and, for the encrypted full-vault format, asks you to confirm the encryption passphrase, since a typo there would produce a file you could never decrypt.