Phase

We've been shipping flat-out through April. Here's an update on everything we've shipped over the last month: - Azure Auth via the Phase CLI and Golang SDK - Offline mode for the CLI and Golang SDK - Refactored the auth stack in the Phase Console - Email + password auth for Phase Cloud and Self-hosted - Self-service OIDC SSO managed by organization admins Check out the changelog for all the details 👉 https://lnkd.in/dPuPWMhm

We're thrilled to announce that we are officially SOC 2 Type 2 compliant! You can find more information to the exact security controls we are complying with and request to see the full audit report at https://trust.phase.dev. Big thanks to Oneleet and their team for all their help through this process! https://lnkd.in/dXurF_CC

📢 We're excited to introduce ⚡ Dynamic Secrets, a major leap in reducing the attack surface of your secrets. With this update, you can now generate short-lived, one-off credentials on demand that automatically expire once they have been used by the target machine, workflow or environment. This means fewer long-lived static secrets, far smaller blast radius in case of exposure, and stronger auditability across your organization. For AWS IAM, here's what this means behind the scenes when you generate a Dynamic Secret: 1. Assume AWS IAM role in your account 2. Create a dynamic IAM user 3. Attach policies & groups you may have set 4. Generate ACCESS KEY + SECRET KEY 5. On revoke/expiry: delete key, detach policies, remove groups, delete user Check out the Changelog to learn more about Dynamic Secrets in Phase, as well as several other platform improvements including better multi-line secret support and several performance and optimization updates: https://lnkd.in/d_er8-6C

📢 We're happy to announce that we have concluded an external penetration test, Thanks to Oneleet! The pentest scope included the following Phase assets: – Web: Phase Console – API: GraphQL – API: Secrets REST API You can now view the full report in our new Trust Center -> https://trust.phase.dev/

For early-stage founders, SOC 2 can feel like a huge, expensive mystery. But if you’re a small, remote team using modern tooling, you’re probably closer to compliance than you think. Here's what we learned over the last few weeks as we got stuck in with SOC 2 Type 2 compliance: 🤔 What to expect: - Budget around $10–15k annually - Plan for a 4–5 month timeline - Works great for teams ≤5 people, fully remote, running on tools like AWS, Cloudflare, GitHub, Slack, Google Workspace, Stripe, etc. 🚀 If you already follow these habits, you’re ahead of the game: - GitHub pull requests require at least one reviewer before merging - Team-wide password manager (Bitwarden, 1Password, etc.) - Centralized secrets management across dev/staging/prod - Company-wide VPN or managed access service (Tailscale, Netbird) - Data encrypted in transit and at rest - Database backups enabled and tested within the last 90 days - Monitoring and alerting in place (CloudWatch, Datadog, Sentry, Slack alerts) - Full-disk encryption on all work laptops - S3 buckets encrypted and non-public unless absolutely necessary If you're using the typical modern SaaS stack for communication, code hosting, and cloud infra, a lot of the heavy lifting is already done for you. ⚠️ Common pitfalls to avoid: - Overcommitment without follow-through — stick to controls you can actually maintain. - Unclear ownership — define exactly who is responsible for each requirement. - Policy–evidence gaps — if you can’t prove it with artifacts, it doesn’t count. - SOC 2 isn’t magic — it’s a structured set of habits. If your engineering culture is already disciplined, you can “speedrun” it without derailing product momentum. If you're curious about learning more about SOC 2 compliance and what the process actually looks like for a small early stage company like ours, check out -> https://lnkd.in/df35tryP

🚨 New: External Identities for AWS IAM! The latest update for Phase lets you manage secrets without secrets! Provision secrets to your applications in various AWS deployments – EC2, ECS, EKS, Lambda, Lightsail etc., without manually managing Phase Service Tokens: 🎯 Set the ARN of the IAM role, instance profile, or IRSA allowed to access secrets 🪪 The client sends an AWS SigV4 signature to Phase 🔐 Phase validates the trust relationship and returns a short-lived access token 🗝️ The client uses the token to access secrets ♻️ Repeat There are several benefits to using external identities for your AWS deployments: - No manual token provisioning - Ephemeral access tokens - Fully-automated token lifecycle - Native integration with AWS IAM - Centralized trust relationships Check out the docs for more details and complete instructions on setting up external identities on Phase for your AWS workflows: https://lnkd.in/d_6R_S-V

📜 CHANGELOG! New in Phase: - Render secret sync integration - Authentik OAuth SSO support - Improved secret import workflow - New login screen - Service account optimizations & more. Here's a quick catch up of everything we've shipped over the last few weeks 👉 https://lnkd.in/dMpUEsxF

Vercel introduced the Instrumentation feature in Next.js 14 to initialize tools such as logging and telemetry, but this feature could also be a powerful way to add runtime secret injection to your apps. Unfortunately, Vercel's documentation on this feature is very minimal, so we explored what a real-world implementation of runtime secret injection via the instrumentation file would look like. The results were very interesting! https://lnkd.in/gNz4a3aN

We have raised a pre-seed round from Balaji Srinivasan. https://lnkd.in/dUbETHmP

📜 CHANGELOG! The latest Phase release is out, packed with new features, integrations, improvements, and bug-fixes. Here's the highlights: 🤝 AWS Assume Role Auth 🖥️ GitHub Enterprise Server Auth & Integration 🚢 AWS EKS Helm deployment 🛡️ New & improved Access Management 🔎 Global secret search 📨 Bulk invite users 🧑💻 Improved CLI Read the changelog post for all the details 👉 https://lnkd.in/d-mBRAZU