Skip to content

APM Documentation

APM is a Go-based password manager with two binaries:

  • pm for personal vaults
  • pm-team for shared organizational vaults

The source tree implements more than a basic password CLI. It includes sessions, recovery, cloud sync, plugins, MCP access, Windows autofill, shell injection, and a TUI alongside the core encrypted vault.

What APM currently does

  • Stores 25 personal secret types in one encrypted vault.
  • Uses explicit unlock sessions with expiry and inactivity controls.
  • Supports delegated ephemeral sessions for automation and AI-agent access.
  • Syncs encrypted vault blobs to Google Drive, GitHub, and Dropbox.
  • Exposes a built-in MCP server with scoped tokens and mutation previews.
  • Runs a manifest-based plugin system with hooks and runtime-added commands.
  • Offers Windows autofill and autocomplete support plus shell-side secret injection.
  • Provides a separate team edition with departments, approvals, roles, and shared entries.

Quick start

go build -o pm .
pm setup
pm unlock
pm add
pm get github
pm lock

Team edition:

cd team
go build -o pm-team .

Documentation map

Getting Started

Guides

Concepts

Reference

Team

Important implementation notes

  • The current personal vault format is APMVAULT v4.
  • Built-in profiles are standard, hardened, paranoid, and legacy.
  • Personal pm add supports 25 entry types; team pm-team add currently supports 22 shared entry types.
  • Plugin commands can extend the pm command surface at runtime.