March 2026

Tuesday, March 31, 2026

March was a major release month. We rewrote the CLI from Python to Go — shipping a single binary across 16 platform targets that's 75-90% smaller. We introduced Secret Types with sealed write-only secrets, added Azure as a second external identity provider, launched Azure Key Vault sync, released Go SDK 2.0 with pure-Go cryptography, and shipped native AI agent integration. Here's everything.


Phase CLI 2.0 — Rewritten in Go

After 40 releases and 2.4 years, the Phase CLI has been completely rewritten from Python to Go. The result is a single statically-linked binary with zero runtime dependencies — no Python interpreter, no pip, no virtualenvs, no GLIBC or OpenSSL version requirements.

v1 vs v2:

| | Python CLI (v1.x) | Go CLI (v2.0) |
|---|---|---|
| Binary size (linux_amd64) | ~50 MB | ~13 MB (75% smaller) |
| .deb package size | ~50 MB | ~5 MB (90% smaller) |
| Platform targets | 5 | 16 (3.2x more) |
| Operating systems | 3 | 6 |
| Runtime dependencies | Python 3.12, GLIBC 3.28, OpenSSL 3.0 | None |
| Release assets | ~10 | 48 |

16 build targets across 6 operating systems: Linux (amd64, arm64, mips, mipsle, mips64, mips64le, riscv64, ppc64le, s390x), macOS (amd64, arm64), Windows (amd64, arm64), FreeBSD (amd64, arm64), OpenBSD (amd64), and NetBSD (amd64). Packaged as raw binaries, .deb, .rpm, .apk, Homebrew tap, and Scoop bucket — 48 release assets per version.

The new install script has been rewritten from Bash to POSIX sh for broader compatibility, adds SHA-256 checksum verification against GoReleaser's checksums.txt, falls back to rootless install at ~/.local/bin when no sudo is available, and automatically detects native package managers (deb/rpm/apk) for cleaner installs. It also cleans up v1 Python CLI remnants — PyInstaller _internal/ directories and stale symlinks.
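
The same kind of check can be run by hand on a manually downloaded asset. The following POSIX sh functions are an added example, not the project's install script; they assume the usual `<sha256-hex>  <filename>` line format of a GoReleaser checksums.txt, and the asset names in the demo are made up.

```sh
#!/bin/sh
# Added example, not the project's install script.
# Verifies FILE against a checksums.txt of "<sha256-hex>  <filename>" lines.

# Print the lowercase hex SHA-256 of $1 (empty output if no tool or unreadable).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" 2>/dev/null | awk '{print tolower($1)}'
    fi
}

# verify_asset FILE CHECKSUMS
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed exactly once,
# 3 if the file could not be hashed. Anything but 0 means "do not install".
verify_asset() {
    va_name=$(basename "$1")
    # Compare the whole filename column: "phase_linux_amd64" must not match
    # the line for "phase_linux_amd64.deb". A leading "*" marks binary mode.
    va_want=$(awk -v n="$va_name" '
        $2 == n || $2 == ("*" n) { h = tolower($1); c++ }
        END { if (c == 1) print h }' "$2")
    [ -n "$va_want" ] || return 2
    va_got=$(sha256_of "$1")
    [ -n "$va_got" ] || return 3
    [ "$va_got" = "$va_want" ] || return 1
    return 0
}

# Demo on constructed files (asset names are made up for the example).
demo() {
    d=$(mktemp -d) || return 1
    printf 'pretend binary\n' > "$d/phase_linux_amd64"
    printf 'pretend package\n' > "$d/phase_linux_amd64.deb"
    for f in phase_linux_amd64.deb phase_linux_amd64; do
        printf '%s  %s\n' "$(sha256_of "$d/$f")" "$f"
    done > "$d/checksums.txt"
    verify_asset "$d/phase_linux_amd64" "$d/checksums.txt" && echo "clean: ok"
    printf 'x' >> "$d/phase_linux_amd64"          # simulate a modified download
    verify_asset "$d/phase_linux_amd64" "$d/checksums.txt" ||
        echo "modified: rejected (rc=$?)"
    rm -rf "$d"
}
demo
```

A checksums.txt fetched from the same location as the binary catches corruption and truncated downloads; it does not by itself authenticate the publisher.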

Other improvements: system keyring integration via go-keyring with config file fallback, PHASE_HOST now correctly overrides host for all auth methods (was broken for non-service-token auth in v1), and full command parity with the Python CLI.

Check out the CLI docs for the updated command reference.

Available in CLI v2.0.0.


Secret Types — Secret, Sealed & Config

Secrets now have a type field with three options:

  • Secret (default) — The standard masked secret. Same behavior as before
  • Sealed — Write-only. Once saved, the plaintext value is no longer visible or editable in the UI; it can be read only via the API, CLI and syncing jobs. Ideal for signing keys, tokens, and credentials that should never be exposed or changed after initial entry
  • Config — Non-sensitive configuration values that are revealed by default and skip masking in the UI. Think feature flags, service URLs, port numbers — values that don't need to be hidden

The new TypeSelector toggle lets you set types inline when creating or editing secrets, in both the single-environment and cross-environment editors. The CLI supports --type on secrets create, secrets update, and secrets import, and shows type indicators in secrets list output.

Check out the Secret Types docs for more details.

Available in Console v2.64.0, CLI v2.1.0, and Go SDK v2.1.1.


External Identities — Azure

Following the launch of AWS IAM external identities in October, Azure is now the second supported external identity provider. Workloads running on Azure infrastructure can authenticate to Phase using Azure Managed Identity or Service Principals — no static tokens to rotate.

How it works:

  1. Create a service account in Phase Console and configure it with an Azure external identity (Tenant ID + allowed Application/Object IDs)
  2. From your Azure workload, authenticate with phase auth --mode azure
  3. The CLI acquires an Azure AD JWT via DefaultAzureCredential and exchanges it for a short-lived Phase token

All Azure credential types are supported: environment variables, Workload Identity, Managed Identity (IMDS), Azure CLI, and Azure Developer CLI. JWT validation is performed statelessly using OIDC public keys — no Azure credentials are stored on the Phase backend.

Check out the External Identities docs for setup instructions.

Available in Console v2.65.0, CLI v2.1.0, and Go SDK v2.1.1.


Azure Key Vault Sync

Phase now supports syncing secrets to Azure Key Vault — in addition to existing AWS Secrets Manager, GitHub Actions, GitHub Dependabot, GitLab CI, and Vercel integrations.

Two sync modes:

  • Individual Secrets — Each Phase secret is synced as a separate Key Vault secret. Underscores are transformed to hyphens to comply with Key Vault naming rules. Secrets removed from Phase are soft-disabled (not deleted) in Key Vault
  • JSON Blob — All Phase secrets are synced as a single JSON object to one Key Vault secret

The integration includes credential validation at setup, soft-delete recovery to avoid 409 Conflict errors, rate limit retry with exponential backoff, and sanitized error messages (verbose Azure errors are logged server-side only).

Check out the Azure Key Vault integration docs for setup instructions.

Available in Console v2.62.0.


Go SDK 2.0 — Pure Go, No CGO

The Phase Go SDK has been rewritten to drop the libsodium / CGO dependency entirely. All cryptographic operations now use golang.org/x/crypto (X25519, XChaCha20-Poly1305, Blake2b) with a comprehensive backwards-compatibility test suite — 55+ unit tests verifying byte-for-byte identical output to the libsodium implementation.

What this means in practice:

  • No more CGO_ENABLED=1 or C compiler required
  • No need to install libsodium-dev on your system or in CI
  • Cross-compilation works out of the box
  • Smaller, simpler builds with no system library dependencies

The SDK also introduces a cleaner API: typed SecretResult structs (replacing map[string]interface{}), a unified Get() method that merges the old Get()/GetAll(), bulk delete with return values, dynamic secret and lease management, user token support, personal secret overrides, and a Raw option to skip reference resolution.

Breaking change: The module path has changed to github.com/phasehq/golang-sdk/v2. See the Go SDK docs for the full migration guide.

Available in Go SDK v2.0.0.


AI Agent Integration

The Phase CLI now integrates natively with AI coding agents via skill-based integration. Instead of running a middleware server, the CLI installs a skill document directly into each agent's configuration directory, teaching it how to use the Phase CLI safely — including which commands are available, how to handle different secret types, and what operations to avoid.

New commands:

  • phase ai enable — Interactive skill installation + secret visibility configuration
  • phase ai disable — Remove AI config and uninstall skill documents
  • phase ai skill — Dump the raw skill markdown to stdout
  • phase apps list — List apps and environments as JSON (useful for non-interactive workflows)

Supported agents: Claude Code, Cursor, VS Code Copilot, OpenAI Codex, and OpenCode.

Security model: The integration enforces a layered security model in AI mode. Sealed secrets are always redacted. Secret-type values are redacted based on your ai.json configuration. Config-type values are always visible. phase run blocks environment-dumping commands (printenv, env, export, set, declare, compgen), and phase shell is blocked entirely.

Check out the integration docs for Claude Code, Cursor, VS Code Copilot, Codex, and OpenCode.

Available in CLI v2.1.0.


Authelia SSO

Phase now supports Authelia as an SSO identity provider via OpenID Connect — contributed by @amauryconstant. Authelia is a lightweight, self-hosted authentication server that runs as a single Go binary (~25 MB RAM), making it a good fit for teams that want OIDC SSO without depending on a third-party SaaS provider.

Configure it with AUTHELIA_URL, AUTHELIA_CLIENT_ID, AUTHELIA_CLIENT_SECRET environment variables and add authelia to your SSO_PROVIDERS list. Check out the Authelia SSO docs for setup instructions.

Available in Console v2.65.0.


Console UI & UX

A series of frontend improvements shipped across five Console releases this month:

  • UI scaling overhaul — More compact typography, spacing, and layout density across the entire Console. You should see more responsive sizing and spacing in the UI and improved information density on smaller screens in particular
  • Org lobby restyle — The organization selection screen has been redesigned with a responsive card grid, plan badges, and member/app count stats
  • App descriptions — Apps now support optional descriptions, giving teams a way to add context about what each app is for
  • Secret sorting — Improved the secret sorting UX with persistent sort across both the single and cross-environment editors

Available in Console v2.65.0.


Backend Performance

A round of GraphQL resolver optimizations reduced database query volume across core API paths:

  • N+1 query elimination — Replaced per-item existence checks with batched set lookups across multiple resolvers
  • Duplicate query caching — Cached repeated membership lookups that were firing 5 identical queries per request
  • Batched queries — Environment and app queries are now batched instead of running one per item
  • Race condition fix — Fixed a potential race condition in environment reordering
  • Bulk operations — Service account cleanup now uses bulk operations instead of per-item deletes

Available in Console v2.62.0.


Other improvements and fixes

  • Invite expiry extended to 14 days — Organization member invites now expire after 14 days instead of 3, reducing friction for users who don't check email immediately
  • Fix stale app access cache — Fixed a bug where removing and re-adding a member or service account to an app would show stale environment access
  • Security patches — Django 4.2.29 (CVE-2026-25674, CVE-2026-25673), jsPDF 4.2.1 (HTML/PDF injection), minimatch ReDoS fixes, Prototype Pollution fix in immutable via sass/codegen upgrades

All features are live on Phase Cloud and available in the latest releases for self-hosted users.

As always, we'd love your feedback — come say hi on Slack or GitHub.
