Picking free secrets management in 2026 is harder than “just use Doppler” or “just use 1Password” suggests
I compared three products that all solve “stop scattering secrets in .env files and CI variables” but organize the problem differently: Infisical, Doppler, and 1Password Secrets Automation. The quick answers in forum threads skip the part that actually matters: whether there is a true free tier, whether you can self-host the control plane, what governance you get before paying, and whether the product’s mental model matches how your team already works.
For the broadest free functionality with optional self-hosting, my pick is Infisical. The free plan includes the dashboard, API, CLI, SDKs, Kubernetes Operator, Agent, webhooks, integrations, secret scanning, and secret sharing on either Infisical Cloud or your own infra. The caps are real: up to 5 identities, 3 projects, 3 environments, and 10 integrations. RBAC, SSO, audit logs, versioning, and point-in-time recovery are paid.
For the smoothest managed SaaS developer experience when you do not need self-hosting, I would look at Doppler first. The Developer plan is free for 3 users and covers integrations, CLI, service tokens, API access, secret referencing, and config syncs with generous platform limits for a hosted free product. The tradeoff is thin log retention (3 days on Developer), no RBAC or service accounts on free, and no self-hosted control plane in the official docs I reviewed.
1Password Secrets Automation is not a free-tier contender in the same sense. 1Password states there is no free version, only a 14-day trial. It is still worth comparing because many teams already pay for 1Password and want to extend vaults into developer workflows. If that is you, the zero-knowledge architecture, service accounts, and Connect for private REST access can beat adopting a separate free platform.
One terminology warning before the tables: these vendors do not use the same words for the same things. Infisical talks about identities, projects, environments, and machine identities. Doppler uses workplaces, projects, environments, and configs. 1Password uses vaults, items, service accounts, Connect, and Environments (beta). Some rows below are directional, not perfect apples-to-apples.
I prioritized official docs, pricing pages, security pages, and GitHub repos from mid-June 2026. Where docs were thin, I say so instead of guessing.
You cannot compare these on “free” alone
Three deployment patterns explain most of the pricing, security, and ops tradeoffs.
```mermaid
flowchart LR
    Dev[Developer workstation or CI job]
    subgraph Hosted
        D[Doppler SaaS]
        I[Infisical Cloud]
        P[1Password Vaults]
    end
    subgraph Private
        IS[Self-hosted Infisical]
        C[1Password Connect]
    end
    Dev -->|CLI / SDK / Agent| I
    Dev -->|CLI / Service Token| D
    Dev -->|Service Account / CLI| P
    Dev -->|CLI / SDK / Agent| IS
    Dev -->|Private REST API / CLI| C
    I --> Syncs[Cloud / CI sync targets]
    D --> Syncs
    C --> K8s[Private infra or Kubernetes]
    IS --> K8s
```

| Pattern | Products | What you trade |
|---|---|---|
| Hosted SaaS control plane | Infisical Cloud, Doppler, 1Password | Convenience vs data residency and vendor dependency |
| Self-hosted or private edge | Self-hosted Infisical, 1Password Connect | Ops labor vs lower runtime API dependency |
| Open-core platform | Infisical | Community edition breadth vs enterprise-gated features in ee/ |
The questions I ask before picking one:
| Question | Why it matters |
|---|---|
| Hosted vs self-hosted | Changes auth, ops burden, rate limits, and compliance posture |
| Zero-knowledge requirement | Only 1Password explicitly documents zero-knowledge in reviewed security docs |
| Governance on free tier | RBAC, SSO, audit logs, and versioning are paid gates on Infisical and Doppler |
| K8s and GitOps fit | Operator maturity, static tokens vs OIDC, and whether GitOps tooling is actively maintained |
Free tiers at a glance
| Option | True free plan | Entry pricing | Seats on free/entry | Projects / environments | Integrations | API limits (documented) | Audit log retention |
|---|---|---|---|---|---|---|---|
| Infisical | Yes, free forever on Cloud or self-hosted | Pro $18/month per identity; Enterprise custom | Up to 5 identities | 3 projects, 3 environments | All integrations, capped at 10 | Cloud free: 200 reads/min, 90 writes/min, 120 secret ops/min; self-hosted: no rate limits | Audit logs paid; Pro includes 90-day retention |
| Doppler | Yes, Developer plan free for 3 users | $8/month per additional user on Developer; Team/Enterprise above | Free for 3 users; plan limit 25 users | 10 projects; 4 environments per project | Integrations plus 5 config syncs | 240 reads/min, 120 secret-reads/min, 60 writes/min per access token | Developer: 3 days; Team: 90 days; Enterprise: 1,095 days |
| 1Password | No, 14-day trial only | Teams Starter Pack $19.95/month up to 10 users; Business $7.99/user/month annually | Teams Starter: 10 members + 5 guests | Vaults and Environments (beta), not “projects” | CLI, service accounts, Connect, GitHub Actions, CircleCI | Service accounts: 1,000 reads/hr and 100 writes/hr on Teams; Business 10,000 reads/hr; Connect allows unlimited re-requests after first fetch | Teams/Starter audit via 14-day trial; Business includes audit logs and Events API |
Doppler also documents abuse limits on Developer: 1,000 secrets per config, 500 KiB config payload, 50 KiB per secret value. Infisical did not publish a clear per-plan secret-count cap in the pricing pages I reviewed.
What the free tiers actually feel like in use
Infisical: the broadest free plan, with real self-hosting
Infisical is the option I would try first if I wanted maximum capability before paying. It is open source (MIT except the ee/ enterprise directory), with active development (main repo release June 12, 2026 in the reviewed materials) and both Infisical Cloud and documented self-hosting via Docker Compose and Helm.
The free plan is unusually capable: UI, API, CLI, SDKs across Node, Python, Go, Java, .NET, and more, Kubernetes Operator, Infisical Agent for injecting secrets into files and env vars, webhooks, 2FA, all integrations, secret referencing and overrides, secret scanning (CLI scans 140+ secret types), leak prevention, and secret sharing. For a small team or side project, that is a lot of platform before you hit a credit card.
The hard limits matter early if you grow: 5 identities, 3 projects, 3 environments, 10 integrations. On Infisical Cloud, API rate limits apply; self-hosted instances have no documented rate limits. Audit logs are paid, with 90-day retention advertised starting on Pro.
Security documentation is detailed. Infisical documents AES-256-GCM at rest, TLS 1.2 minimum on Cloud, a layered key hierarchy, and external KMS support (AWS KMS, AWS CloudHSM, GCP KMS) with optional FIPS 140-3 configuration. What I did not find is an explicit current zero-knowledge claim comparable to 1Password’s docs. The security pages emphasize encryption, KMS separation, and access control instead.
Governance features I would want on a growing team (RBAC, SAML/OIDC SSO, temporary access, secret versioning, point-in-time recovery) start on Pro ($18/month per identity). SCIM is Enterprise. On the machine-identity side, Infisical stands out in this set: custom token TTLs, IP restrictions, usage caps, dynamic secrets, and signed SSH certificates. That makes it the most ephemeral-credential-native product here.
The community story is a real differentiator and a real caveat. Self-hosters get the full open-core path, but enterprise features like SSO can remain gated, and GitHub issues show ongoing self-hosted and operator bug flow. Active bug reports are a sign the codebase is alive; they are also a sign self-hosters should budget operational attention.
Doppler: polished SaaS, excellent local developer UX
Doppler is the most clearly SaaS-first product in this comparison. The value proposition is low-friction secret orchestration with a CLI and sync model that feels finished on day one. The open-source footprint is meaningful for the CLI and Kubernetes operator, but the control plane itself is a managed service in the official materials I reviewed.
The Developer plan is free for 3 users, then $8/month per additional user on that plan. Platform limits on Developer include up to 25 users, 10 projects, 4 environments per project (each project starts with Development, Staging, Production), 10 configs per environment, 5 config syncs, 10 integration connections, 5 webhooks, 50 service tokens, and 3 days of logs.
The local workflow is where Doppler shines. The CLI supports login, directory-to-project/config mapping, env injection, downloads, filtering, and doppler.yaml hints. Secrets can be injected into apps or substituted into config files and Kubernetes YAML. The CLI token lives in the OS keychain, and the CLI keeps an encrypted local fallback of the last fetched secrets so an app can still start if the API is unreachable. Project templates automate environment scaffolding. If your main pain is “.env files everywhere,” Doppler is probably the fastest relief in this set.
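Secret referencing is what both Infisical (listed in its free plan above) and Doppler lean on to store a credential once and compose it elsewhere, and runtime injection is what removes the .env file. The added example below is mine, not code from either vendor: a resolver for `${NAME}` references with cycle and missing-target checks, followed by injection into a child process environment. The `${NAME}` syntax and the sample config are assumptions for the example.

```python
"""Resolve ${NAME} secret references and hand the result to a child process
through its environment, so nothing lands in a .env file.

Added example for this page, not Doppler's or Infisical's code. It assumes the
${NAME} reference form; SAMPLE_CONFIG is constructed to look like one fetched
config after the platform returns it as key/value pairs.
"""
import os
import re
import subprocess
import sys

SAMPLE_CONFIG = {
    "DB_HOST": "db.internal.example",
    "DB_USER": "app",
    "DB_PASS": "s3cr3t-example",
    # Composed from other entries so the password is stored exactly once.
    "DATABASE_URL": "postgres://${DB_USER}:${DB_PASS}@${DB_HOST}:5432/app",
    "API_BASE": "https://api.example.test",
    "HEALTH_URL": "${API_BASE}/healthz",
}

REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


class SecretReferenceError(ValueError):
    """Unknown reference target or a reference cycle."""


def resolve(config: dict[str, str]) -> dict[str, str]:
    """Expand every ${NAME} in config, recursively, with cycle and missing-key checks."""
    resolved: dict[str, str] = {}

    def expand(name: str, stack: tuple[str, ...]) -> str:
        if name in resolved:
            return resolved[name]
        if name in stack:  # A -> B -> A would otherwise recurse forever
            raise SecretReferenceError("reference cycle: " + " -> ".join(stack + (name,)))
        if name not in config:
            raise SecretReferenceError(f"{stack[-1]} references unknown secret {name}")
        value = REF.sub(lambda m: expand(m.group(1), stack + (name,)), config[name])
        resolved[name] = value
        return value

    for key in config:
        expand(key, ())
    return resolved


def child_env(secrets: dict[str, str]) -> dict[str, str]:
    """Inherited environment plus the secrets; secrets win so a stale shell
    export cannot shadow the value the platform holds."""
    env = dict(os.environ)
    env.update(secrets)
    return env


def run_with_secrets(config: dict[str, str], argv: list[str]) -> subprocess.CompletedProcess:
    """Resolve references, then run argv with the secrets present only in its environment."""
    return subprocess.run(argv, env=child_env(resolve(config)),
                          capture_output=True, text=True, check=False)


def read_from_child(config: dict[str, str], key: str) -> str:
    """Show the injection worked: a child Python process echoes one variable back."""
    code = f"import os; print(os.environ[{key!r}])"
    return run_with_secrets(config, [sys.executable, "-c", code]).stdout.strip()


if __name__ == "__main__":
    print(read_from_child(SAMPLE_CONFIG, "HEALTH_URL"))  # https://api.example.test/healthz
```

The resolver fails closed on an unknown target rather than leaving a literal `${NAME}` in the value, which is the failure mode that otherwise surfaces as a confusing connection error in production. Secrets override inherited variables on purpose; flip that only if you want a local shell export to win during debugging.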
Security documentation describes TLS 1.2 minimum, Cloudflare/HSTS, tokenization so web servers persist opaque tokens rather than plaintext secrets, AES-GCM with per-workplace 256-bit keys protected by HSM-backed GCP KMS, and Enterprise EKM with customer cloud KMS keys. This is mature SaaS security design, not zero-knowledge.
Governance on free is thinner. Role-based access and service accounts require Team or Enterprise. MFA is on by default (email, OTP, security keys). The Kubernetes operator can use OIDC short-lived tokens instead of static API tokens, which matters for cluster hygiene. I did not find a first-class built-in source-code secret-scanning product comparable to Infisical’s scanning in the official docs reviewed.
Versioning and rollback exist, but log retention is plan-sensitive. Three days on Developer is fine for day-to-day dev, thin for incident investigation or compliance on free. If you stay on Developer, decide before an incident how you will preserve activity history beyond that window.
One GitOps caution: Doppler’s Node-only gitops-secrets package was archived February 20, 2026. The CLI/sync story is strong; the GitOps story feels less strategic today. GitHub issues also show practical friction around package installation and operator/chart customization worth reading before you standardize on K8s patterns.
1Password Secrets Automation: powerful, paid, best inside an existing estate
1Password approaches secrets from the opposite direction: a mature encrypted vault platform extended into developer and infrastructure workflows through service accounts, Connect, CLI secret references, and Environments (beta).
The free-tier caveat is simple: no free version, 14-day trial. For business entry, Teams Starter Pack is $19.95/month for up to 10 users; Business is $7.99/user/month billed annually. Secrets Automation spans Teams and Business for service accounts; ongoing audit and event reporting is primarily a Business capability.
The security story is the clearest of the three. 1Password documents end-to-end encryption, AES-GCM-256, two-secret key derivation, and the Secret Key model. Support docs say the Secret Key is device-generated, never known to 1Password, and adds 128 bits of entropy. Service account token creation happens client-side. If zero-knowledge is a hard requirement, 1Password is the explicit yes in this comparison. Keep the scope straight, though: zero-knowledge means 1Password’s servers never hold material that can decrypt your vaults; a workload that decrypts a secret through a service account or Connect still holds the plaintext, so the model limits vendor exposure, not the blast radius of a compromised runtime.
Two automation paths matter. Service accounts are the lighter path: no extra infrastructure, direct use with 1Password CLI and SDKs, up to 100 service accounts. Connect is the private-infrastructure path: self-hosted connect-api and connect-sync containers exposing a private REST API with local caching, so production workloads can avoid hammering the public API on every startup.
Access control is robust but has operational quirks. Service accounts are least-privilege, scoped to specific vaults and optionally Environments, with read/write/create-vault privileges. Access is immutable after creation: if you need different vault or Environment access, you create a new service account. That is good for control, annoying for migrations.
Environments (beta) are 1Password’s answer to project-scoped environment variables: organize env vars separately from vault items, mount local .env destinations, read programmatically in Go/JS/Python, sync to AWS Secrets Manager. The limitation that stood out in the docs: Connect does not currently support Environments, only secret references. Pick your operating model before you standardize.
Compliance is a strength: SOC 2 Type II, ISO 27001/27017/27018/27701, plus HIPAA and GDPR-oriented positioning in official materials. Default Business audit-log retention beyond the explicit 60-day sign-in-attempts report window was not clearly published in the pages I retrieved.
Security and access control
| Attribute | Infisical | Doppler | 1Password |
|---|---|---|---|
| Encryption at rest | AES-256-GCM, per-org/per-project data keys | AES-GCM, unique workplace key; workplace keys via HSM-backed GCP KMS | AES-GCM-256, end-to-end encrypted |
| Encryption in transit | TLS 1.2 minimum on Cloud | TLS 1.2 minimum, HSTS, Cloudflare strict mode | End-to-end model; encrypted in transit per standard docs |
| BYOK / customer KMS | AWS KMS, AWS CloudHSM, GCP KMS for project data keys; FIPS mode | Enterprise EKM with AWS or GCP KMS | No general customer BYOK for standard vault encryption in reviewed docs |
| Zero knowledge | Not clearly specified in current security docs | No explicit zero-knowledge claim | Yes, explicitly documented |
| Secret versioning | Pro+ | Versioning/rollback documented; usefulness tied to log retention by plan | Item history in broader product; dedicated Environments versioning unclear in reviewed docs |
| RBAC / custom roles | Pro+; Enterprise expands groups/roles | Team/Enterprise | Granular vault permissions; Business adds team policies and SSO workflows |
| SSO / SCIM | OIDC/SAML on Pro; SCIM Enterprise | SAML/SCIM documented; RBAC on higher tiers | Unlock with SSO and provisioning on Business |
| MFA | Included on free | On by default; email, OTP, security keys | Business policies can require 2FA; standard model uses password + Secret Key |
| Ephemeral credentials | Dynamic secrets, short-lived machine tokens, signed SSH certs | OIDC short-lived tokens for K8s operator | Retrieval automation; rotatable service-account tokens, not a dynamic-secret engine |
| Secret scanning | Yes on free plan | Not surfaced as first-class in reviewed docs | Not surfaced as developer secret-scanning in reviewed docs |
Deployment, compliance, and community
| Category | Infisical | Doppler | 1Password |
|---|---|---|---|
| SaaS | Yes | Yes | Yes |
| Self-hosted control plane | Yes, Docker Compose and Helm | Not surfaced in reviewed official docs | Partial: Connect, Operator, SCIM Bridge in your infra; core vault hosted |
| Open source posture | Strongest: MIT core, enterprise ee/ directory | Tooling OSS; platform closed; CLI Apache-2.0 | OSS around Connect, Helm, SDKs; commercial platform |
| Compliance | SOC 2, HIPAA, FIPS 140-3 documented; pentests twice yearly | SOC 2 and ISO 27001 on security page | SOC 2 Type II, ISO 27001/27017/27018/27701, HIPAA/GDPR positioning |
| Community / support | Free includes Slack community support; large GitHub community | Strong docs and support portal; vendor-led | Official docs and support; less community-edition driven |
| Recent release signal | Main repo release Jun 12, 2026 | CLI release Apr 22, 2026 | Connect Helm chart release Mar 24, 2026 |
Migration checklist
| Step | Why it matters | Infisical | Doppler | 1Password |
|---|---|---|---|---|
| Inventory secrets, owners, environments | Clean source of truth before cutover | Map to projects, environments, folders | Map to projects, environments, configs | Decide vault items vs service-account vaults vs Environments (beta) |
| Decide hosted vs self-hosted early | Changes auth, ops, compliance | Full self-host via Docker Compose or Helm | Official docs center on hosted Doppler | Service accounts vs Connect; Connect adds private API and caching |
| Normalize access model before import | Rework is expensive after import | Free tier limited; RBAC/SSO/temporary access need upgrades | RBAC and service accounts need Team/Enterprise | Service-account access is immutable after creation |
| Preserve history outside the platform during cutover | Rollback models differ by plan | Versioning and PITR start on Pro | Free logs last 3 days | Teams Starter audit/reporting is trial-oriented; Business is long-term path |
| Test CI/CD separately from local dev | Behavior often diverges | GitHub Actions, Agent patterns for CI/containers | CLI + service tokens; config syncs are a separate limit bucket | Service accounts or Connect; GitHub Actions and CircleCI docs exist |
| Validate Kubernetes and GitOps before standardizing | Gaps show up in clusters first | Strong K8s tooling and self-hosted fit | Operator mature; archived gitops-secrets is a caution flag | Helm/operator available; Connect/Operator differs from Environments model |
| Plan token rotation and break-glass access | Operational failure mode when tokens sprawl | Machine identities: TTLs, IP restrictions, usage caps | OIDC short-lived tokens for K8s operator | Service-account tokens rotatable and revocable |
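The first checklist row, inventory before cutover, is the step teams most often skip, and the free-tier caps above are what the inventory has to be checked against. The added example below is mine, not any vendor’s tooling: it parses a constructed set of .env files laid out as services/<project>/.env.<environment> (an assumed layout), reports keys that drift between environments, and checks the result against the caps quoted on this page (Infisical free: 3 projects, 3 environments; Doppler Developer: 10 projects, 4 environments per project, 1,000 secrets per config, 50 KiB per value, 500 KiB per config). The page does not say whether Infisical’s 3 environments is per project; the example treats it that way because Infisical environments are project-scoped.

```python
"""Inventory scattered .env files before cutover and check the result against
the free-tier caps quoted in the tables above.

Added example for this page, not any vendor's tooling; file contents are
constructed and the services/<project>/.env.<environment> layout is assumed.
Caps are the page's (Infisical's 3 environments treated as per project).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_FILES = {  # constructed repo snapshot: path -> file text
    "services/api/.env.development": "DB_URL=postgres://dev\nLOG_LEVEL=debug\n",
    "services/api/.env.staging": "DB_URL=postgres://stg\nLOG_LEVEL=info\n",
    "services/api/.env.preview": "# ephemeral previews\nDB_URL=postgres://preview\nLOG_LEVEL=debug\n",
    "services/api/.env.production": (
        "export DB_URL='postgres://prod'\nLOG_LEVEL=info\n"
        "STRIPE_KEY=sk_live_example\nTLS_CHAIN=" + "A" * (60 * 1024) + "\n"  # 60 KiB cert bundle
    ),
    "services/web/.env.development": "API_BASE=http://localhost:8080\n",
    "services/web/.env.production": "API_BASE=https://api.example.test\n",
    "services/worker/.env.qa": "QUEUE_URL=amqp://qa\n",
    "services/worker/.env.production": "QUEUE_URL=amqp://prod\n",
    "services/billing/.env.production": "LEDGER_TOKEN=example\n",
}

def parse_env(text: str) -> dict[str, str]:
    """Minimal .env parser: KEY=VALUE, '#' comments, optional 'export ', outer quotes."""
    out: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out

def inventory(files: dict[str, str]) -> dict[str, dict[str, dict[str, str]]]:
    """project -> environment -> {key: value}, derived from the path layout."""
    inv: dict[str, dict[str, dict[str, str]]] = defaultdict(dict)
    for path, text in files.items():
        parts = path.split("/")
        inv[parts[-2]][parts[-1].removeprefix(".env.")] = parse_env(text)
    return dict(inv)

def drift(inv) -> list[tuple[str, str, list[str]]]:
    """Keys present in some environments of a project but absent from others."""
    findings = []
    for project, envs in inv.items():
        all_keys = set().union(*envs.values())
        for env, secrets in envs.items():
            missing = sorted(all_keys - secrets.keys())
            if missing:
                findings.append((project, env, missing))
    return findings

@dataclass(frozen=True)
class Caps:
    name: str
    projects: int
    envs_per_project: int
    secrets_per_config: Optional[int] = None  # None: no documented cap on the page
    value_bytes: Optional[int] = None
    config_bytes: Optional[int] = None

INFISICAL_FREE = Caps("Infisical free", 3, 3)
DOPPLER_DEVELOPER = Caps("Doppler Developer", 10, 4, 1000, 50 * 1024, 500 * 1024)

def check_fit(inv, caps: Caps) -> list[str]:
    """Human-readable cap violations; an empty list means the inventory fits."""
    problems = []
    if len(inv) > caps.projects:
        problems.append(f"{len(inv)} projects > {caps.projects}")
    for project, envs in inv.items():
        if len(envs) > caps.envs_per_project:
            problems.append(f"{project}: {len(envs)} environments > {caps.envs_per_project}")
        for env, secrets in envs.items():
            where = f"{project}/{env}"
            if caps.secrets_per_config and len(secrets) > caps.secrets_per_config:
                problems.append(f"{where}: {len(secrets)} secrets > {caps.secrets_per_config}")
            payload = sum(len(k.encode()) + len(v.encode()) for k, v in secrets.items())
            if caps.config_bytes and payload > caps.config_bytes:
                problems.append(f"{where}: payload {payload} bytes > {caps.config_bytes}")
            for key, value in secrets.items():
                if caps.value_bytes and len(value.encode()) > caps.value_bytes:
                    problems.append(f"{where}: {key} is {len(value.encode())} bytes > {caps.value_bytes}")
    return problems

if __name__ == "__main__":
    inv = inventory(SAMPLE_FILES)
    for project, env, missing in drift(inv):
        print(f"drift {project}/{env} lacks {', '.join(missing)}")
    for caps in (INFISICAL_FREE, DOPPLER_DEVELOPER):
        for problem in check_fit(inv, caps) or ["fits"]:
            print(f"{caps.name}: {problem}")
```

On the constructed input the report is asymmetric in a way that matches the tables: the four projects and the four api environments exceed Infisical’s free caps but fit Doppler Developer, while the 60 KiB certificate bundle trips Doppler’s 50 KiB per-value limit and has no documented cap on Infisical. Run this against the real tree before choosing a plan; a value that size usually belongs in a file-backed secret or a certificate store rather than an environment variable anyway.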
What I would pick
```mermaid
flowchart TD
    start[Need secrets management] --> freeQ{Need a true free tier?}
    freeQ -->|Yes| hostQ{Need self-hosted control plane?}
    hostQ -->|Yes| infisical[Infisical]
    hostQ -->|No, but want max free features| infisical
    freeQ -->|No| existingQ{Already standardized on 1Password?}
    existingQ -->|Yes| onepw[1Password Secrets Automation]
    existingQ -->|No| saasQ{Want polished hosted SaaS DX?}
    saasQ -->|Yes| doppler[Doppler]
    saasQ -->|No| infisical
```

Indie developer, OSS maintainer, or early startup: Infisical. The free tier is unusually broad, self-hosting is real, secret scanning and K8s tooling are included, and the open-source story is credible. Move to Pro when you need more than 5 identities, more than 3 projects or environments, RBAC, SSO, versioning, or audit logs. Enterprise when you need SCIM, custom retention, audit streaming, dedicated infrastructure, or heavy KMS/HSM controls.
Small hosted-first team replacing .env sprawl: Doppler. Excellent CLI, config syncs, and low day-one friction in a managed service. Upgrade when you need longer logs, RBAC, service accounts, more config syncs, or stronger governance. Treat Developer as an on-ramp, not a long-term free plan for serious compliance.
Organization already on 1Password: 1Password Secrets Automation despite not being free. Service accounts, Connect, secret references, and zero-knowledge fit when human credentials and application secrets should live under one security model. Upgrade to Business for audit logs, Events API, SSO, and provisioning. Use Connect when you need private API access and lower runtime dependency on the public API.
For net-new free-tier usage, the short version: Infisical for breadth and self-hosting, Doppler for managed SaaS developer experience, 1Password only if you already own the platform.
Gaps in the public docs
Doppler Team list pricing was not on the official pages I could retrieve. Infisical never spelled out a per-plan secret-count cap in the docs I read. 1Password likewise did not publish numeric limits for Environments (beta), nor default Business audit-log retention beyond the 60-day sign-in-attempts report.
On zero-knowledge: 1Password says it plainly. Doppler does not position itself that way. Infisical has solid encryption and KMS docs but no explicit zero-knowledge claim, so I left that column as unclear rather than a yes.
Release notes and vendor docs carried most of the reliability picture here. I did not run side-by-side secret-sync latency tests.
Sources
Infisical
Infisical homepage
Infisical pricing
Infisical security
Infisical documentation
Infisical GitHub
Doppler
Doppler homepage
Doppler pricing
Doppler security
Doppler documentation
Doppler CLI GitHub
1Password
1Password pricing
1Password Secrets Automation
1Password security
1Password developer documentation
1Password Connect GitHub