Hekate

An enterprise credential vault that scales to every student — without per-seat pricing.

Most password-manager vendors are SaaS-only and priced per seat. That model breaks at higher-ed scale — you have tens of thousands of users who each need a vault but only check it a few times a month. Hekate's posture is different: AGPL open source, your choice of distribution. Self-host for free in your existing infrastructure with your data in your tenancy. Or join a Synaptic Cyber-operated managed pilot if you'd rather we run it. The license itself prevents lock-in — you can always move from one path to the other.

Hekate is currently in active testing. Institutional pilots are welcome and help shape the roadmap.

Distribution today, with SaaS on the way

What Hekate ships today

• Personal vaults

  Logins, secure notes, cards, identities, SSH keys, TOTP — the full item type set.

• Organizations and collections

  Enterprise-grade sharing with owner-only member removal and atomic key rotation — the actually-hard problem in shared credential management.

• Three first-party clients

  CLI (with SSH agent integration and a fast unlock daemon), Chromium MV3 browser extension (autofill, passkey provider), SolidJS web vault. Same WASM crypto core across all three.

• Sends

  Ephemeral encrypted text and file shares with optional Argon2id-PHC password gate.

• 2FA

  TOTP and WebAuthn (FIDO2).

• Import paths

  Bitwarden, 1Password, KeePass, LastPass — so leaving your current vendor is easy.

Trust signals

• AGPL-3.0 — open source, source on GitHub, code is auditable.
• Cryptography is documented: XChaCha20-Poly1305, Argon2id, Ed25519, X25519, BLAKE3 — all modern, all reviewable.
• Signed vault manifests for set-level integrity verification.
• No vendor lock-in by construction — Bitwarden import to come in; AGPL self-host to go out.
• Trademark posture: “Hekate” is freely usable for anyone running unmodified Hekate; the Synaptic Cyber name is protected.

Where it fits the service line

Compliance Readiness uses Hekate as the institutional answer to credential-protection controls under GLBA Safeguards and NIST 800-171. Managed Services can include running Hekate for the institution as a managed pilot — one of the few Synaptic Cyber-operated platform engagements (most Managed Services work is brokered with third-party providers).

Frequently Asked Questions

How does this compare to Bitwarden?

Full feature parity at the code level — same threat model, same modern crypto primitives — plus an import path from Bitwarden so you can leave easily.

Is it production-ready?

In active testing. Institutional pilots are welcome and shape the roadmap. We'll be transparent about what's milestone-complete vs. work-in-progress when you talk to us.

Can we self-host?

Yes — AGPL-3.0, Docker compose, your infrastructure, SQLite or Postgres backend.

What about SSO and SCIM?

CAS / SAML / InCommon SSO and SCIM are on the roadmap as part of the future managed-service offering — not in the current testing release.

Why AGPL and not MIT?

Network copyleft prevents a commercial vendor from forking Hekate and closing the source. If you self-host without modifying — or use a future Synaptic Cyber SaaS — AGPL has no operational impact on you.

Free for institutions to self-host?

Yes — no per-seat license.

Can we run a forked 'Synaptic Hekate'?

Per the repo's trademark notice: anyone can run unmodified Hekate without permission. The Synaptic Cyber name is a protected mark — don't market a fork under it.

Where does data live?

Self-host: your infrastructure, your encryption keys never leave you. Managed pilot: Synaptic Cyber-operated infrastructure, your keys still derived from your master password — we cannot decrypt your vault.