diff --git a/.changeset/add-keeper-plugin.md b/.changeset/add-keeper-plugin.md
new file mode 100644
index 00000000..5e3ed03b
--- /dev/null
+++ b/.changeset/add-keeper-plugin.md
@@ -0,0 +1,5 @@
+---
+"@varlock/keeper-plugin": minor
+---
+
+Add Keeper Security plugin for loading secrets from Keeper vaults via the Secrets Manager SDK. Supports fetching secrets by record UID, title, or Keeper notation syntax, with access to both standard and custom fields. Includes `keeperSmToken` data type for config token validation, `@initKeeper()` root decorator for initialization, and `keeper()` resolver function for secret retrieval.
diff --git a/bun.lock b/bun.lock
index 9a1c38b2..7ca9a7bc 100644
--- a/bun.lock
+++ b/bun.lock
@@ -289,6 +289,22 @@
         "varlock": "workspace:^",
       },
     },
+    "packages/plugins/keeper": {
+      "name": "@varlock/keeper-plugin",
+      "version": "0.0.1",
+      "devDependencies": {
+        "@env-spec/utils": "workspace:^",
+        "@keeper-security/secrets-manager-core": "17.4.0",
+        "@types/node": "catalog:",
+        "outdent": "catalog:",
+        "tsup": "catalog:",
+        "varlock": "workspace:^",
+        "vitest": "catalog:",
+      },
+      "peerDependencies": {
+        "varlock": "workspace:^",
+      },
+    },
     "packages/plugins/pass": {
       "name": "@varlock/pass-plugin",
       "version": "0.0.6",
@@ -906,6 +922,8 @@
 
     "@jsdevtools/ono": ["@jsdevtools/ono@7.1.3", "", {}, "sha512-4JQNk+3mVzK3xh2rqd6RB4J46qUR19azEHBneZyTZM+c456qOrbbM/5xcR8huNCCcbVt7+UmizG6GuUvPvKUYg=="],
 
+    "@keeper-security/secrets-manager-core": ["@keeper-security/secrets-manager-core@17.4.0", "", {}, "sha512-KjJKPlQiHK00ft2lhirLSyZHv1qLui4oD0AkMTFXXC4BpNlQFwR/CLTtJc4dLTJ3tKoA5aGs8A8l4sNqcNPUxQ=="],
+
     "@manypkg/find-root": ["@manypkg/find-root@1.1.0", "", { "dependencies": { "@babel/runtime": "^7.5.5", "@types/node": "^12.7.1", "find-up": "^4.1.0", "fs-extra": "^8.1.0" } }, "sha512-mki5uBvhHzO8kYYix/WRy2WX8S3B5wdVSc9D6KcU5lQNglP2yt58/VfLuAK49glRXChosY8ap2oJ1qgma3GUVA=="],
 
     "@manypkg/get-packages": ["@manypkg/get-packages@1.1.3", "", { "dependencies": { "@babel/runtime": "^7.5.5", "@changesets/types": "^4.0.1", "@manypkg/find-root": "^1.1.0", "fs-extra": "^8.1.0", "globby": "^11.0.0", "read-yaml-file": "^1.1.0" } }, "sha512-fo+QhuU3qE/2TQMQmbVMqaQ6EWbMhi4ABWP+O4AM1NqPBuy0OrApV5LO6BrrgnhtAHS2NH6RrVk9OL181tTi8A=="],
diff --git a/packages/plugins/keeper/CHANGELOG.md b/packages/plugins/keeper/CHANGELOG.md
new file mode 100644
index 00000000..657aa81e
--- /dev/null
+++ b/packages/plugins/keeper/CHANGELOG.md
@@ -0,0 +1 @@
+# @varlock/keeper-plugin
diff --git a/packages/plugins/keeper/README.md b/packages/plugins/keeper/README.md
new file mode 100644
index 00000000..0578d1e4
--- /dev/null
+++ b/packages/plugins/keeper/README.md
@@ -0,0 +1,253 @@
+# @varlock/keeper-plugin
+
+[![npm version](https://img.shields.io/npm/v/@varlock/keeper-plugin.svg)](https://www.npmjs.com/package/@varlock/keeper-plugin) [![GitHub stars](https://img.shields.io/github/stars/dmno-dev/varlock.svg?style=social&label=Star)](https://github.com/dmno-dev/varlock) [![license](https://img.shields.io/npm/l/@varlock/keeper-plugin.svg)](https://github.com/dmno-dev/varlock/blob/main/LICENSE)
+
+This package is a [Varlock](https://varlock.dev) [plugin](https://varlock.dev/guides/plugins/) that enables loading secrets from [Keeper Security](https://keepersecurity.com/) vaults via the [Keeper Secrets Manager](https://docs.keeper.io/secrets-manager/) SDK.
+
+## Features
+
+- 🔐 Fetch individual secrets by record UID, title, or Keeper notation
+- 🏷️ Access standard and custom fields (password, login, URL, notes, etc.)
+- 🔑 Secure authentication via base64-encoded Secrets Manager configuration
+- 📦 Multiple instance support for different vaults or applications
+- ✅ Built-in validation for Keeper Secrets Manager config tokens
+
+## Installation
+
+```bash
+# npm
+npm install @varlock/keeper-plugin
+
+# pnpm
+pnpm add @varlock/keeper-plugin
+
+# yarn
+yarn add @varlock/keeper-plugin
+
+# bun
+bun add @varlock/keeper-plugin
+```
+
+## Prerequisites
+
+You need a [Keeper Secrets Manager](https://docs.keeper.io/secrets-manager/) application set up in your Keeper vault:
+
+1. In the Keeper Admin Console, create a **Secrets Manager Application**
+2. Share a folder with the application
+3. Generate a **one-time access token**
+4. Use the [KSM CLI](https://docs.keeper.io/secrets-manager/secrets-manager/secrets-manager-command-line-interface) to initialize a config:
+
+```bash
+pip install keeper-secrets-manager-cli
+ksm profile init <one-time-token>
+ksm profile export --format json | base64
+```
+
+5. Store the base64-encoded config as the `KSM_CONFIG` environment variable
+
+## Setup
+
+### Basic setup
+
+```env-spec title=".env.schema"
+# @plugin(@varlock/keeper-plugin)
+# @initKeeper(token=$KSM_CONFIG)
+# ---
+
+# @type=keeperSmToken @sensitive
+KSM_CONFIG=
+```
+
+### Multiple instances
+
+```env-spec title=".env.schema"
+# @plugin(@varlock/keeper-plugin)
+# @initKeeper(token=$KSM_CONFIG_PROD, id=prod)
+# @initKeeper(token=$KSM_CONFIG_DEV, id=dev)
+# ---
+
+# @type=keeperSmToken @sensitive
+KSM_CONFIG_PROD=
+
+# @type=keeperSmToken @sensitive
+KSM_CONFIG_DEV=
+```
+
+## Loading secrets
+
+### By record UID (defaults to password field)
+
+```env-spec title=".env.schema"
+# fetches the "password" field from the record
+DB_PASSWORD=keeper("XXXXXXXXXXXXXXXXXXXX")
+```
+
+### By record UID with a specific field
+
+```env-spec title=".env.schema"
+# fetch the "login" standard field
+DB_USER=keeper("XXXXXXXXXXXXXXXXXXXX#login")
+
+# fetch a custom field by label
+API_KEY=keeper("XXXXXXXXXXXXXXXXXXXX#API_KEY")
+
+# or use the named field parameter
+DB_HOST=keeper("XXXXXXXXXXXXXXXXXXXX", field="host")
+```
+
+### Using Keeper notation
+
+The plugin supports [Keeper's notation syntax](https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/javascript-sdk#notation) for more advanced access patterns:
+
+```env-spec title=".env.schema"
+# standard field by type
+DB_PASS=keeper("XXXX/field/password")
+
+# standard field by label
+DB_LOGIN=keeper("XXXX/field/login")
+
+# custom field by label
+MY_SECRET=keeper("XXXX/custom_field/MySecretLabel")
+
+# by record title instead of UID
+API_KEY=keeper("My API Keys/field/password")
+```
+
+### With named instances
+
+```env-spec title=".env.schema"
+# first arg is instance id, second is the secret reference
+PROD_SECRET=keeper(prod, "XXXX/field/password")
+DEV_SECRET=keeper(dev, "YYYY#password")
+```
+
+## Reference
+
+### Root decorators
+
+#### `@initKeeper()`
+
+Initialize a Keeper Secrets Manager plugin instance.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `token` | string | yes | Base64-encoded Secrets Manager config (typically from `$KSM_CONFIG`) |
+| `id` | string | no | Instance identifier for multiple configurations (defaults to `_default`) |
+
+### Data types
+
+#### `keeperSmToken`
+
+A sensitive string type for Keeper Secrets Manager configuration tokens. Validates that the value is a valid base64-encoded JSON string.
+
+### Resolver functions
+
+#### `keeper(reference)` / `keeper(instanceId, reference)`
+
+Fetch a single secret field from Keeper.
+
+**Arguments:**
+
+| Position | Type | Required | Description |
+|----------|------|----------|-------------|
+| 1 | string | yes (if no instanceId) | Secret reference (see formats below) |
+| 1, 2 | string, string | for named instances | Instance ID, then secret reference |
+
+**Named parameters:**
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `field` | string | no | Explicit field type/label to extract |
+
+**Reference formats:**
+
+| Format | Description | Example |
+|--------|-------------|---------|
+| `<uid>` | Record UID (defaults to password field) | `keeper("XXXX")` |
+| `<uid>#<field>` | Record UID with field selector | `keeper("XXXX#login")` |
+| `<uid>/field/<type>` | Keeper notation (standard field) | `keeper("XXXX/field/password")` |
+| `<uid>/custom_field/<label>` | Keeper notation (custom field) | `keeper("XXXX/custom_field/API_KEY")` |
+| `<title>/field/<type>` | Keeper notation (by title) | `keeper("My Record/field/password")` |
+
+## Keeper Secrets Manager setup guide
+
+### Step 1: Create a Secrets Manager Application
+
+1. Log in to the [Keeper Admin Console](https://keepersecurity.com/console)
+2. Navigate to **Secrets Manager** → **Applications**
+3. Click **Create Application**
+4. Give it a descriptive name (e.g., "varlock-dev")
+
+### Step 2: Share folders
+
+1. In your Keeper vault, right-click the folder containing your secrets
+2. Select **Share Folder**
+3. Share it with your Secrets Manager application
+
+### Step 3: Generate a one-time access token
+
+1. In the application settings, click **Add Device**
+2. Copy the one-time access token
+
+### Step 4: Initialize and export the config
+
+```bash
+# Install the KSM CLI
+pip install keeper-secrets-manager-cli
+
+# Initialize with the one-time token
+ksm profile init <one-time-token>
+
+# Export as base64 for use as an env var
+ksm profile export --format json | base64
+```
+
+### Step 5: Set up your schema
+
+```env-spec title=".env.schema"
+# @plugin(@varlock/keeper-plugin)
+# @initKeeper(token=$KSM_CONFIG)
+# ---
+
+# @type=keeperSmToken @sensitive
+KSM_CONFIG=
+
+# Your secrets
+DB_PASSWORD=keeper("your-record-uid/field/password")
+API_KEY=keeper("your-record-uid/custom_field/api_key")
+```
+
+## Troubleshooting
+
+### "Failed to parse Keeper config token"
+
+The `KSM_CONFIG` value must be a valid base64-encoded JSON string. Regenerate it:
+```bash
+ksm profile export --format json | base64
+```
+
+### "Keeper access denied"
+
+- Verify the Secrets Manager application has not been revoked
+- Check that the shared folder permissions are still active
+- The one-time token may have expired before being used — generate a new one
+
+### "Record not found"
+
+- Verify the record UID or title is correct
+- Ensure the record is in a folder shared with the Secrets Manager application
+- Record UIDs are case-sensitive
+
+### "Field not found in record"
+
+- Check available field types with `keeper("uid/field/password")`
+- Custom fields use the label: `keeper("uid/custom_field/My Label")`
+- Standard field types include: `login`, `password`, `url`, `oneTimeCode`, `note`
+
+## Links
+
+- [Varlock Documentation](https://varlock.dev)
+- [Keeper Security](https://keepersecurity.com/)
+- [Keeper Secrets Manager Docs](https://docs.keeper.io/secrets-manager/)
+- [JavaScript SDK Docs](https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/javascript-sdk)
+- [KSM CLI Docs](https://docs.keeper.io/secrets-manager/secrets-manager/secrets-manager-command-line-interface)
diff --git a/packages/plugins/keeper/package.json b/packages/plugins/keeper/package.json
new file mode 100644
index 00000000..d9932d86
--- /dev/null
+++ b/packages/plugins/keeper/package.json
@@ -0,0 +1,58 @@
+{
+  "name": "@varlock/keeper-plugin",
+  "description": "Varlock plugin to load secrets from Keeper Security vaults via the Secrets Manager SDK",
+  "version": "0.0.1",
+  "type": "module",
+  "homepage": "https://varlock.dev/plugins/keeper/",
+  "bugs": "https://github.com/dmno-dev/varlock/issues",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/dmno-dev/varlock.git",
+    "directory": "packages/plugins/keeper"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    "./plugin": "./dist/plugin.cjs"
+  },
+  "files": ["dist"],
+  "scripts": {
+    "dev": "tsup --watch",
+    "build": "tsup",
+    "test": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": [
+    "varlock",
+    "plugin",
+    "varlock-plugin",
+    "keeper",
+    "keeper-security",
+    "secrets-manager",
+    "password-manager",
+    "secrets",
+    "env",
+    ".env",
+    "dotenv",
+    "environment variables",
+    "env vars",
+    "config"
+  ],
+  "author": "dmno-dev",
+  "license": "MIT",
+  "engines": {
+    "node": ">=22"
+  },
+  "peerDependencies": {
+    "varlock": "workspace:^"
+  },
+  "devDependencies": {
+    "@keeper-security/secrets-manager-core": "17.4.0",
+    "@env-spec/utils": "workspace:^",
+    "@types/node": "catalog:",
+    "outdent": "catalog:",
+    "tsup": "catalog:",
+    "varlock": "workspace:^",
+    "vitest": "catalog:"
+  }
+}
diff --git a/packages/plugins/keeper/src/plugin.ts b/packages/plugins/keeper/src/plugin.ts
new file mode 100644
index 00000000..868a5942
--- /dev/null
+++ b/packages/plugins/keeper/src/plugin.ts
@@ -0,0 +1,445 @@
+import { type Resolver, plugin } from 'varlock/plugin-lib';
+import { createDeferredPromise, type DeferredPromise } from '@env-spec/utils/defer';
+import {
+  getSecrets,
+  getValue,
+  inMemoryStorage,
+  type KeeperSecrets,
+  type SecretManagerOptions,
+} from '@keeper-security/secrets-manager-core';
+
+const { SchemaError, ResolutionError, ValidationError } = plugin.ERRORS;
+
+const KEEPER_ICON = 'simple-icons:keeper';
+
+// ════ PLUGIN CONFIGURATION ═══════════════════════════════════════════════════
+
+plugin.name = 'keeper';
+const { debug } = plugin;
+debug('init - version =', plugin.version);
+plugin.icon = KEEPER_ICON;
+plugin.standardVars = {
+  initDecorator: '@initKeeper',
+  params: {
+    token: { key: 'KSM_CONFIG', dataType: 'keeperSmToken' },
+  },
+};
+
+// ════ PLUGIN INSTANCE CLASS ═══════════════════════════════════════════════════
+
+// Keeper record UIDs are base64url strings (16-30 chars, no spaces)
+const KEEPER_UID_RE = /^[A-Za-z0-9_-]{16,30}$/;
+
+/** Extract the record UID from any supported reference format, or return null
+ *  if the reference looks like a human-readable title. */
+function extractUidFromRef(ref: string): string | null {
+  // Strip #field suffix
+  let uid = ref;
+  const hashIndex = uid.indexOf('#');
+  if (hashIndex !== -1) uid = uid.substring(0, hashIndex);
+
+  // Strip /field/type notation suffix
+  const slashIndex = uid.indexOf('/');
+  if (slashIndex !== -1) uid = uid.substring(0, slashIndex);
+
+  return KEEPER_UID_RE.test(uid) ? uid : null;
+}
+
+class KeeperPluginInstance {
+  private configToken?: string;
+
+  constructor(
+    readonly id: string,
+  ) {}
+
+  setAuth(token: any) {
+    if (token && typeof token === 'string') this.configToken = token;
+    debug('keeper instance', this.id, 'set auth - hasToken:', !!this.configToken);
+  }
+
+  private sdkOptionsPromise: Promise<SecretManagerOptions> | undefined;
+  private initSdkOptions(): Promise<SecretManagerOptions> {
+    this.sdkOptionsPromise ||= (async () => {
+      if (!this.configToken) {
+        throw new ResolutionError('Keeper Secrets Manager config token is not set', {
+          tip: 'Provide a base64-encoded config via @initKeeper(token=$KSM_CONFIG)',
+        });
+      }
+
+      let configData: Record<string, any>;
+      try {
+        const decoded = Buffer.from(this.configToken, 'base64').toString('utf-8');
+        configData = JSON.parse(decoded);
+      } catch {
+        throw new ResolutionError('Failed to parse Keeper config token', {
+          tip: [
+            'The token must be a valid base64-encoded JSON configuration.',
+            'Generate one using the Keeper Secrets Manager CLI:',
+            '  ksm profile init <one-time-token>',
+            '  ksm profile export --format json | base64',
+          ].join('\n'),
+        });
+      }
+
+      const storage = inMemoryStorage(configData);
+      return { storage };
+    })();
+    return this.sdkOptionsPromise;
+  }
+
+  /** Active batch being assembled before the next setImmediate tick */
+  private pendingBatch?: {
+    uids: Set<string>;
+    needsAll: boolean;
+    defers: Array<DeferredPromise<KeeperSecrets>>;
+  };
+
+  /**
+   * Request secrets, optionally scoped to a specific record UID.
+   *
+   * All concurrent calls (within the same event-loop tick) are coalesced into a
+   * single SDK request via `setImmediate` batching, analogous to the 1password
+   * plugin. When every caller provides a UID, the SDK call is filtered to only
+   * those records; if any caller needs all records (title-based or dynamic ref)
+   * the filter is omitted.
+   */
+  private fetchSecrets(uid?: string): Promise<KeeperSecrets> {
+    let triggerBatch = false;
+    if (!this.pendingBatch) {
+      this.pendingBatch = { uids: new Set(), needsAll: false, defers: [] };
+      triggerBatch = true;
+    }
+
+    if (uid) {
+      this.pendingBatch.uids.add(uid);
+    } else {
+      this.pendingBatch.needsAll = true;
+    }
+
+    const deferred = createDeferredPromise<KeeperSecrets>();
+    this.pendingBatch.defers.push(deferred);
+
+    if (triggerBatch) {
+      setImmediate(() => this._executeBatch());
+    }
+
+    return deferred.promise as Promise<KeeperSecrets>;
+  }
+
+  private async _executeBatch() {
+    const batch = this.pendingBatch!;
+    this.pendingBatch = undefined;
+
+    // Only apply a UID filter when every caller specified a known UID
+    const recordsFilter = !batch.needsAll && batch.uids.size > 0
+      ? [...batch.uids]
+      : undefined;
+
+    try {
+      const secrets = await this._doFetchSecrets(recordsFilter);
+      for (const deferred of batch.defers) {
+        deferred.resolve(secrets);
+      }
+    } catch (err) {
+      for (const deferred of batch.defers) {
+        deferred.reject(err);
+      }
+    }
+  }
+
+  private async _doFetchSecrets(recordsFilter?: Array<string>): Promise<KeeperSecrets> {
+    const options = await this.initSdkOptions();
+    try {
+      debug('Fetching secrets', recordsFilter ? `(filter: ${recordsFilter.join(', ')})` : '(all)');
+      return await getSecrets(options, recordsFilter);
+    } catch (err: any) {
+      const message = err?.message || String(err);
+
+      if (message.includes('access denied') || message.includes('Access denied')) {
+        throw new ResolutionError('Keeper access denied', {
+          tip: [
+            'Verify your Secrets Manager config token is valid and not expired.',
+            'The application may have been revoked or the shared folder permissions may have changed.',
+          ].join('\n'),
+        });
+      }
+
+      if (message.includes('hostname') || message.includes('Client Id')) {
+        throw new ResolutionError(`Keeper config error: ${message}`, {
+          tip: [
+            'Your config token may be incomplete or corrupted.',
+            'Regenerate it using the Keeper Secrets Manager CLI:',
+            '  ksm profile init <one-time-token>',
+          ].join('\n'),
+        });
+      }
+
+      throw new ResolutionError(`Keeper error: ${message}`);
+    }
+  }
+
+  async getSecretByNotation(notation: string): Promise<string> {
+    // Extract UID for a targeted fetch; fall back to all records for title-based refs
+    const uid = extractUidFromRef(notation) || undefined;
+    const secrets = await this.fetchSecrets(uid);
+
+    try {
+      const value = getValue(secrets, notation);
+
+      if (value === undefined || value === null) {
+        throw new ResolutionError(`Keeper notation "${notation}" resolved to empty value`);
+      }
+
+      // getValue may return a string, array element, or object - coerce to string
+      if (typeof value === 'string') return value;
+      if (Array.isArray(value)) return value[0] ?? '';
+      if (typeof value === 'object') return JSON.stringify(value);
+      return String(value);
+    } catch (err: any) {
+      if (err instanceof ResolutionError) throw err;
+      const message = err?.message || String(err);
+      throw new ResolutionError(`Keeper notation error: ${message}`, {
+        tip: [
+          'Notation format: <uid_or_title>/field/<type> or <uid_or_title>/custom_field/<label>',
+          'Examples:',
+          '  keeper("XXXX/field/password")   - standard field by type',
+          '  keeper("XXXX/field/login")       - login field',
+          '  keeper("XXXX/custom_field/API_KEY") - custom field by label',
+          '  keeper("My Record/field/password")  - by record title',
+        ].join('\n'),
+      });
+    }
+  }
+
+  async getSecretField(recordRef: string, fieldType?: string): Promise<string> {
+    // When recordRef is a UID, fetch only that record; fall back to all for title-based refs
+    const uid = KEEPER_UID_RE.test(recordRef) ? recordRef : undefined;
+    const secrets = await this.fetchSecrets(uid);
+
+    // Find the record by UID or title
+    const record = secrets.records.find(
+      (r) => r.recordUid === recordRef || r.data?.title === recordRef,
+    );
+
+    if (!record) {
+      throw new ResolutionError(`Record "${recordRef}" not found`, {
+        tip: [
+          'Verify the record UID or title is correct.',
+          `Available records: ${secrets.records.map((r) => `${r.recordUid} (${r.data?.title || 'untitled'})`).join(', ') || 'none'}`,
+        ].join('\n'),
+      });
+    }
+
+    const targetType = fieldType || 'password';
+
+    // Search standard fields
+    const fields = record.data?.fields || [];
+    const field = fields.find(
+      (f: any) => f.type === targetType || f.label === targetType,
+    );
+    if (field?.value?.[0] !== undefined) {
+      return String(field.value[0]);
+    }
+
+    // Search custom fields
+    const customFields = record.data?.custom || [];
+    const customField = customFields.find(
+      (f: any) => f.type === targetType || f.label === targetType,
+    );
+    if (customField?.value?.[0] !== undefined) {
+      return String(customField.value[0]);
+    }
+
+    const availableFields = [
+      ...fields.map((f: any) => f.type || f.label),
+      ...customFields.map((f: any) => `custom:${f.label || f.type}`),
+    ].filter(Boolean);
+
+    throw new ResolutionError(`Field "${targetType}" not found in record "${recordRef}"`, {
+      tip: `Available fields: ${availableFields.join(', ') || 'none'}`,
+    });
+  }
+}
+
+const pluginInstances: Record<string, KeeperPluginInstance> = {};
+
+function getPluginInstance(instanceId: string, resolverName: string): KeeperPluginInstance {
+  const selectedInstance = pluginInstances[instanceId];
+  if (!selectedInstance) {
+    if (!Object.keys(pluginInstances).length) {
+      throw new SchemaError('No Keeper plugin instances found', {
+        tip: 'Initialize at least one Keeper instance using the @initKeeper() root decorator',
+      });
+    }
+    if (instanceId === '_default') {
+      throw new SchemaError('Keeper plugin instance (without id) not found', {
+        tip: [
+          'Either remove the `id` param from your @initKeeper call',
+          `or use \`${resolverName}(id, ...)\` to select an instance by id.`,
+          `Possible ids are: ${Object.keys(pluginInstances).join(', ')}`,
+        ].join('\n'),
+      });
+    }
+    throw new SchemaError(`Keeper plugin instance id "${instanceId}" not found`, {
+      tip: `Valid ids are: ${Object.keys(pluginInstances).join(', ')}`,
+    });
+  }
+  return selectedInstance;
+}
+
+// ════ ROOT DECORATOR: @initKeeper ════════════════════════════════════════════
+
+plugin.registerRootDecorator({
+  name: 'initKeeper',
+  description: 'Initialize a Keeper Secrets Manager plugin instance',
+  isFunction: true,
+  async process(argsVal) {
+    const objArgs = argsVal.objArgs;
+    if (!objArgs) throw new SchemaError('Expected some args');
+
+    // Validate id is static
+    if (objArgs.id && !objArgs.id.isStatic) {
+      throw new SchemaError('Expected id to be static');
+    }
+    const id = String(objArgs?.id?.staticValue || '_default');
+    if (pluginInstances[id]) {
+      throw new SchemaError(`Instance with id "${id}" already initialized`);
+    }
+
+    // token is required
+    if (!objArgs.token) {
+      throw new SchemaError('token parameter is required', {
+        tip: [
+          'Provide your Keeper Secrets Manager config token:',
+          '  @initKeeper(token=$KSM_CONFIG)',
+          '',
+          'Generate one using the KSM CLI:',
+          '  ksm profile init <one-time-token>',
+          '  ksm profile export --format json | base64',
+        ].join('\n'),
+      });
+    }
+
+    pluginInstances[id] = new KeeperPluginInstance(id);
+
+    return {
+      id,
+      tokenResolver: objArgs.token,
+    };
+  },
+  async execute({ id, tokenResolver }) {
+    const token = await tokenResolver?.resolve();
+    pluginInstances[id].setAuth(token);
+  },
+});
+
+// ════ DATA TYPE: keeperSmToken ═══════════════════════════════════════════════
+
+plugin.registerDataType({
+  name: 'keeperSmToken',
+  sensitive: true,
+  typeDescription: 'Base64-encoded configuration token for the [Keeper Secrets Manager](https://docs.keeper.io/secrets-manager/) SDK',
+  icon: KEEPER_ICON,
+  docs: [
+    {
+      description: 'Keeper Secrets Manager',
+      url: 'https://docs.keeper.io/secrets-manager/',
+    },
+    {
+      description: 'JavaScript SDK',
+      url: 'https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/javascript-sdk',
+    },
+  ],
+  async validate(val) {
+    if (typeof val !== 'string' || !val.trim()) {
+      throw new ValidationError('Keeper Secrets Manager config token must be a non-empty string');
+    }
+    try {
+      const decoded = Buffer.from(val, 'base64').toString('utf-8');
+      JSON.parse(decoded);
+    } catch {
+      throw new ValidationError('Keeper Secrets Manager config token must be a valid base64-encoded JSON string', {
+        tip: [
+          'Generate one using the KSM CLI:',
+          '  ksm profile init <one-time-token>',
+          '  ksm profile export --format json | base64',
+        ].join('\n'),
+      });
+    }
+  },
+});
+
+// ════ RESOLVER FUNCTION: keeper() ═══════════════════════════════════════════
+
+plugin.registerResolverFunction({
+  name: 'keeper',
+  label: 'Fetch a secret field from Keeper Secrets Manager',
+  icon: KEEPER_ICON,
+  argsSchema: {
+    type: 'mixed',
+    arrayMinLength: 1,
+    arrayMaxLength: 2,
+  },
+  process() {
+    let instanceId = '_default';
+    let secretRefResolver: Resolver | undefined;
+    let fieldResolver: Resolver | undefined;
+
+    // Check for named 'field' parameter
+    if (this.objArgs?.field) {
+      fieldResolver = this.objArgs.field;
+    }
+
+    if (this.arrArgs!.length === 1) {
+      secretRefResolver = this.arrArgs![0];
+    } else if (this.arrArgs!.length === 2) {
+      if (!this.arrArgs![0].isStatic) {
+        throw new SchemaError('Expected instance id to be a static value');
+      }
+      instanceId = String(this.arrArgs![0].staticValue);
+      secretRefResolver = this.arrArgs![1];
+    } else {
+      throw new SchemaError('Expected 1 or 2 args');
+    }
+
+    getPluginInstance(instanceId, 'keeper');
+
+    return { instanceId, secretRefResolver, fieldResolver };
+  },
+  async resolve({ instanceId, secretRefResolver, fieldResolver }) {
+    const selectedInstance = pluginInstances[instanceId];
+
+    const secretRef = await secretRefResolver.resolve();
+    if (typeof secretRef !== 'string') {
+      throw new SchemaError('Expected secret reference to resolve to a string');
+    }
+
+    // Resolve optional field parameter
+    let field: string | undefined;
+    if (fieldResolver) {
+      const fieldVal = await fieldResolver.resolve();
+      if (typeof fieldVal !== 'string') {
+        throw new SchemaError('Expected field parameter to resolve to a string');
+      }
+      field = fieldVal;
+    }
+
+    // Parse #field syntax: "uid#fieldType" or "uid#custom:label"
+    let recordRef = secretRef;
+    let explicitField: string | undefined;
+    const hashIndex = secretRef.indexOf('#');
+    if (hashIndex !== -1) {
+      recordRef = secretRef.substring(0, hashIndex);
+      explicitField = secretRef.substring(hashIndex + 1);
+    }
+
+    // If the ref contains a slash, treat as notation (uid/field/type format)
+    if (recordRef.includes('/')) {
+      return await selectedInstance.getSecretByNotation(secretRef);
+    }
+
+    // Otherwise use simple field access
+    const targetField = field || explicitField;
+    return await selectedInstance.getSecretField(recordRef, targetField);
+  },
+});
diff --git a/packages/plugins/keeper/test/keeper.test.ts b/packages/plugins/keeper/test/keeper.test.ts
new file mode 100644
index 00000000..ccdd7d5a
--- /dev/null
+++ b/packages/plugins/keeper/test/keeper.test.ts
@@ -0,0 +1,217 @@
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import {
+  describe, test,
+} from 'vitest';
+import outdent from 'outdent';
+import { pluginTest } from 'varlock/test-helpers';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PLUGIN_PATH = path.join(__dirname, '..');
+
+// ── Helpers ──────────────────────────────────────────────────────────
+
+/** Create a fake base64-encoded KSM config token */
+function fakeKsmToken(overrides: Record<string, string> = {}): string {
+  const config = {
+    hostname: 'keepersecurity.com',
+    clientId: 'fake-client-id',
+    privateKey: 'fake-private-key',
+    appKey: 'fake-app-key',
+    serverPublicKeyId: '7',
+    ...overrides,
+  };
+  return Buffer.from(JSON.stringify(config)).toString('base64');
+}
+
+type KeeperTestOpts = {
+  /** Schema items section (after ---). Required unless fullSchema is provided. */
+  schema?: string;
+  /** Full schema override (skips auto-generated boilerplate) */
+  fullSchema?: string;
+  /** Extra @initKeeper params */
+  initParams?: string;
+} & Omit<Parameters<typeof pluginTest>[0], 'schema'>;
+
+function keeperTest(opts: KeeperTestOpts) {
+  const {
+    schema,
+    initParams = '',
+    fullSchema: fullSchemaOverride,
+    ...rest
+  } = opts;
+
+  const initLine = initParams
+    ? `# @initKeeper(token=$KSM_CONFIG, ${initParams})`
+    : '# @initKeeper(token=$KSM_CONFIG)';
+
+  const fullSchema = fullSchemaOverride ?? outdent`
+    # @plugin(${PLUGIN_PATH})
+    ${initLine}
+    # ---
+    # @type=keeperSmToken
+    KSM_CONFIG=
+    ${schema}
+  `;
+
+  return {
+    ...rest,
+    schema: fullSchema,
+    injectValues: {
+      KSM_CONFIG: fakeKsmToken(),
+      ...rest.injectValues,
+    },
+  };
+}
+
+
+// ── Tests ────────────────────────────────────────────────────────────
+
+describe('keeper plugin', () => {
+  describe('data types', () => {
+    test('keeperSmToken accepts valid base64 JSON', pluginTest(keeperTest({
+      schema: outdent`
+        # @type=keeperSmToken
+        MY_TOKEN=${fakeKsmToken()}
+      `,
+      expectValues: { MY_TOKEN: fakeKsmToken() },
+    })));
+
+    test('keeperSmToken rejects non-base64 string', pluginTest(keeperTest({
+      schema: outdent`
+        # @type=keeperSmToken
+        MY_TOKEN=not-valid-base64!!!
+      `,
+      expectValues: { MY_TOKEN: Error },
+    })));
+
+    test('keeperSmToken rejects base64 non-JSON', pluginTest(keeperTest({
+      schema: outdent`
+        # @type=keeperSmToken
+        MY_TOKEN=${Buffer.from('not-json').toString('base64')}
+      `,
+      expectValues: { MY_TOKEN: Error },
+    })));
+
+    test('keeperSmToken is marked sensitive', pluginTest(keeperTest({
+      schema: outdent`
+        # @type=keeperSmToken
+        MY_TOKEN=${fakeKsmToken()}
+      `,
+      expectSensitive: { MY_TOKEN: true },
+    })));
+  });
+
+  describe('@initKeeper decorator', () => {
+    test('missing token param', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper()
+        # ---
+      `,
+      expectSchemaError: true,
+    }));
+
+    test('duplicate default instance id', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper(token=$KSM_CONFIG)
+        # @initKeeper(token=$KSM_CONFIG)
+        # ---
+        # @type=keeperSmToken
+        KSM_CONFIG=
+      `,
+      expectSchemaError: true,
+    }));
+
+    test('duplicate named instance id', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper(token=$KSM_TOKEN_1, id=prod)
+        # @initKeeper(token=$KSM_TOKEN_2, id=prod)
+        # ---
+        # @type=keeperSmToken
+        KSM_TOKEN_1=
+        # @type=keeperSmToken
+        KSM_TOKEN_2=
+      `,
+      expectSchemaError: true,
+    }));
+
+    test('unused plugin with valid init causes no errors', pluginTest(keeperTest({
+      schema: 'UNRELATED=hello',
+      expectValues: { UNRELATED: 'hello' },
+    })));
+  });
+
+  describe('keeper() resolver schema validation', () => {
+    test('no args produces an error', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper(token=$T)
+        # ---
+        # @type=keeperSmToken
+        T=
+        SECRET=keeper()
+      `,
+      injectValues: { T: fakeKsmToken() },
+      expectValues: { SECRET: Error },
+    }));
+
+    test('valid single arg does not produce schema errors', pluginTest(keeperTest({
+      schema: 'SECRET=keeper("some-uid/field/password")',
+    })));
+
+    test('valid two args (instance, notation) does not produce schema errors', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper(token=$T, id=myinst)
+        # ---
+        # @type=keeperSmToken
+        T=
+        SECRET=keeper(myinst, "some-uid/field/password")
+      `,
+      injectValues: { T: fakeKsmToken() },
+    }));
+
+    test('non-static instance id produces an error', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper(token=$T)
+        # ---
+        # @type=keeperSmToken
+        T=
+        MY_ID=dynamic
+        SECRET=keeper($MY_ID, "some-uid")
+      `,
+      injectValues: { T: fakeKsmToken() },
+      expectValues: { SECRET: Error },
+    }));
+
+    test('unknown instance id produces an error', pluginTest(keeperTest({
+      schema: 'SECRET=keeper(nonexistent, "some-uid")',
+      expectValues: { SECRET: Error },
+    })));
+  });
+
+  describe('named instances', () => {
+    test('multiple named instances do not produce schema errors', pluginTest({
+      schema: outdent`
+        # @plugin(${PLUGIN_PATH})
+        # @initKeeper(token=$T1, id=prod)
+        # @initKeeper(token=$T2, id=staging)
+        # ---
+        # @type=keeperSmToken
+        T1=
+        # @type=keeperSmToken
+        T2=
+        SECRET_A=keeper(prod, "uid-a")
+        SECRET_B=keeper(staging, "uid-b")
+      `,
+      injectValues: {
+        T1: fakeKsmToken(),
+        T2: fakeKsmToken({ hostname: 'keepersecurity.eu' }),
+      },
+    }));
+  });
+});
diff --git a/packages/plugins/keeper/tsconfig.json b/packages/plugins/keeper/tsconfig.json
new file mode 100644
index 00000000..d69c25fa
--- /dev/null
+++ b/packages/plugins/keeper/tsconfig.json
@@ -0,0 +1,5 @@
+{
+  "extends": "@varlock/tsconfig/plugin.tsconfig.json",
+  "include": ["**/*.ts"],
+  "exclude": ["node_modules", "dist"]
+}
diff --git a/packages/plugins/keeper/tsup.config.ts b/packages/plugins/keeper/tsup.config.ts
new file mode 100644
index 00000000..a4ffa83a
--- /dev/null
+++ b/packages/plugins/keeper/tsup.config.ts
@@ -0,0 +1,14 @@
+import { defineConfig } from 'tsup';
+
+export default defineConfig({
+  entry: ['src/plugin.ts'],
+  dts: true,
+  sourcemap: true,
+  treeshake: true,
+  clean: false,
+  outDir: 'dist',
+  format: ['cjs'],
+  splitting: false,
+  target: 'esnext',
+  external: ['varlock'],
+});
diff --git a/packages/plugins/keeper/vitest.config.ts b/packages/plugins/keeper/vitest.config.ts
new file mode 100644
index 00000000..e9819654
--- /dev/null
+++ b/packages/plugins/keeper/vitest.config.ts
@@ -0,0 +1,11 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  resolve: {
+    conditions: ['ts-src'],
+  },
+  define: {
+    __VARLOCK_BUILD_TYPE__: JSON.stringify('test'),
+    __VARLOCK_SEA_BUILD__: 'false',
+  },
+});
diff --git a/packages/varlock-website/astro.config.ts b/packages/varlock-website/astro.config.ts
index a7011174..86d172a8 100644
--- a/packages/varlock-website/astro.config.ts
+++ b/packages/varlock-website/astro.config.ts
@@ -189,6 +189,7 @@ export default defineConfig({
             { label: 'HashiCorp Vault', slug: 'plugins/hashicorp-vault' },
             { label: 'Infisical', slug: 'plugins/infisical' },
             { label: 'KeePass', slug: 'plugins/keepass' },
+            { label: 'Keeper', slug: 'plugins/keeper' },
             { label: 'Pass', slug: 'plugins/pass' },
             { label: 'Passbolt', slug: 'plugins/passbolt' },
             { label: 'Proton Pass', slug: 'plugins/proton-pass' },
diff --git a/packages/varlock-website/src/content/docs/plugins/keeper.mdx b/packages/varlock-website/src/content/docs/plugins/keeper.mdx
new file mode 100644
index 00000000..ba8e74ea
--- /dev/null
+++ b/packages/varlock-website/src/content/docs/plugins/keeper.mdx
@@ -0,0 +1,281 @@
+---
+title: Keeper Plugin
+description: Using Keeper Security Secrets Manager with Varlock
+---
+
+import { Steps, Icon } from '@astrojs/starlight/components';
+import Badge from '@/components/Badge.astro';
+
+<div class="page-badges">
+  <Badge npmPackage="@varlock/keeper-plugin" />
+</div>
+
+Our [Keeper Security](https://keepersecurity.com/) plugin enables secure loading of secrets from Keeper vaults via the [Keeper Secrets Manager](https://docs.keeper.io/secrets-manager/) SDK.
+
+The plugin uses base64-encoded configuration tokens for programmatic access to your Keeper secrets, making it suitable for both CI/CD and production environments.
+
+## Features
+
+- **SDK-based authentication** - Secure access via base64-encoded Secrets Manager config tokens
+- **Flexible secret access** - Fetch by record UID, title, `#field` selector, or [Keeper notation](https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/javascript-sdk#notation)
+- **Standard and custom fields** - Access any field type including password, login, URL, notes, and custom fields
+- **Multiple instances** - Connect to different Keeper applications or vaults simultaneously
+- **Built-in secret caching** - Avoids redundant API calls within a single resolution pass
+- **Comprehensive error handling** with helpful tips
+
+## Installation and setup
+
+In a JS/TS project, you may install the `@varlock/keeper-plugin` package as a normal dependency.
+Otherwise you can just load it directly from your `.env.schema` file, as long as you add a version specifier.
+See the [plugins guide](/guides/plugins/#installation) for more instructions on installing plugins.
+
+```env-spec title=".env.schema"
+# 1. Load the plugin
+# @plugin(@varlock/keeper-plugin)
+#
+# 2. Initialize the plugin - see below for more details on options
+# @initKeeper(token=$KSM_CONFIG)
+# ---
+
+# 3. Add a config item for the Secrets Manager config token
+# @type=keeperSmToken @sensitive
+KSM_CONFIG=
+```
+
+### Secrets Manager application setup
+
+<Steps>
+1. **Create a Secrets Manager Application** in the Keeper Admin Console
+
+    Navigate to **Secrets Manager** → **Applications** → Click **Create Application**. Give it a descriptive name (e.g., "varlock-prod").
+
+2. **Share a folder** with the application
+
+    In your Keeper vault, right-click the folder containing your secrets, select **Share Folder**, and share it with your Secrets Manager application.
+
+3. **Generate a one-time access token**
+
+    In the application settings, click **Add Device** and copy the one-time access token.
+
+4. **Initialize and export the config**
+
+    Use the [KSM CLI](https://docs.keeper.io/secrets-manager/secrets-manager/secrets-manager-command-line-interface) to create a config:
+
+    ```bash
+    pip install keeper-secrets-manager-cli
+    ksm profile init <one-time-token>
+    ksm profile export --format json | base64
+    ```
+
+    :::caution[Save the config securely]
+    Store the base64-encoded config token securely. The one-time access token can only be used once to initialize a device.
+    :::
+
+5. **Wire up the token in your config**
+
+    ```env-spec title=".env.schema"
+    # @plugin(@varlock/keeper-plugin)
+    # @initKeeper(token=$KSM_CONFIG)
+    # ---
+
+    # @type=keeperSmToken @sensitive
+    KSM_CONFIG=
+    ```
+
+6. **Set your config token in environments**
+
+    Use your CI/CD system or platform's env var management to securely inject the `KSM_CONFIG` value.
+</Steps>
+
+### Multiple instances
+
+If you need to connect to different Keeper applications or vaults, register multiple named instances:
+
+```env-spec title=".env.schema"
+# @plugin(@varlock/keeper-plugin)
+# @initKeeper(token=$KSM_PROD, id=prod)
+# @initKeeper(token=$KSM_DEV, id=dev)
+# ---
+
+# @type=keeperSmToken @sensitive
+KSM_PROD=
+# @type=keeperSmToken @sensitive
+KSM_DEV=
+
+PROD_SECRET=keeper(prod, "XXXXXXXXXXXXXXXXXXXX")
+DEV_SECRET=keeper(dev, "XXXXXXXXXXXXXXXXXXXX")
+```
+
+## Loading secrets
+
+Once the plugin is installed and initialized, you can start adding config items that load values using the `keeper()` resolver function.
+
+### By record UID
+
+Fetch secrets by record UID. By default, the `password` field is returned:
+
+```env-spec title=".env.schema"
+# Fetches the "password" field from the record
+DB_PASSWORD=keeper("XXXXXXXXXXXXXXXXXXXX")
+```
+
+### With a field selector
+
+Use the `#` syntax to access a specific field:
+
+```env-spec title=".env.schema"
+# Standard fields
+DB_USER=keeper("XXXXXXXXXXXXXXXXXXXX#login")
+SITE_URL=keeper("XXXXXXXXXXXXXXXXXXXX#url")
+
+# Custom fields by label
+API_KEY=keeper("XXXXXXXXXXXXXXXXXXXX#API_KEY")
+```
+
+Or use the named `field` parameter:
+
+```env-spec title=".env.schema"
+DB_HOST=keeper("XXXXXXXXXXXXXXXXXXXX", field="host")
+```
+
+### Using Keeper notation
+
+The plugin supports [Keeper's notation syntax](https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/javascript-sdk#notation) for advanced access patterns:
+
+```env-spec title=".env.schema"
+# Standard field by type
+DB_PASS=keeper("XXXX/field/password")
+
+# Login field
+DB_USER=keeper("XXXX/field/login")
+
+# Custom field by label
+MY_SECRET=keeper("XXXX/custom_field/MySecretLabel")
+
+# By record title instead of UID
+API_KEY=keeper("My API Keys/field/password")
+```
+
+### With named instances
+
+When using multiple instances, specify which one to use as the first argument:
+
+```env-spec title=".env.schema"
+PROD_SECRET=keeper(prod, "XXXX/field/password")
+DEV_SECRET=keeper(dev, "YYYY#password")
+```
+
+:::tip[Record UIDs vs titles]
+You can reference records by either their UID or their title. UIDs are more reliable since titles can be changed, but titles are more readable. UIDs are case-sensitive.
+:::
+
+---
+
+## Reference
+
+### Root decorators
+<div class="reference-docs">
+<div>
+#### `@initKeeper()`
+
+Initialize a Keeper Secrets Manager plugin instance for accessing secrets.
+
+**Key/value args:**
+- `token` (required): Base64-encoded Secrets Manager config token. Should be a reference to a config item of type `keeperSmToken`.
+- `id` (optional): Instance identifier for multiple instances
+
+```env-spec "@initKeeper"
+# @initKeeper(token=$KSM_CONFIG)
+# ---
+# @type=keeperSmToken @sensitive
+KSM_CONFIG=
+```
+</div>
+</div>
+
+### Data types
+<div class="reference-docs">
+<div>
+#### `keeperSmToken`
+
+Represents a base64-encoded configuration token for the Keeper Secrets Manager SDK. Validation ensures the value is a valid base64-encoded JSON string.
+Note that the type itself is marked as `@sensitive`, so adding an explicit `@sensitive` decorator is optional.
+
+```env-spec "keeperSmToken"
+# @type=keeperSmToken
+KSM_CONFIG=
+```
+</div>
+</div>
+
+### Resolver functions
+<div class="reference-docs">
+<div>
+#### `keeper()`
+
+Fetch a secret field from Keeper Secrets Manager.
+
+**Array args:**
+- `instanceId` (optional): instance identifier to use when multiple plugin instances are initialized
+- `reference` (required): record UID, title, UID with `#field` selector, or Keeper notation string
+
+**Key/value args:**
+- `field` (optional): explicit field type or label to extract from the record
+
+```env-spec /keeper\\(.*\\)/
+# By record UID (defaults to password field)
+DB_PASSWORD=keeper("XXXXXXXXXXXXXXXXXXXX")
+
+# With field selector
+DB_USER=keeper("XXXXXXXXXXXXXXXXXXXX#login")
+
+# With named field parameter
+DB_HOST=keeper("XXXXXXXXXXXXXXXXXXXX", field="host")
+
+# Using Keeper notation
+API_KEY=keeper("XXXX/field/password")
+CUSTOM=keeper("XXXX/custom_field/API_KEY")
+
+# With instance ID
+PROD_SECRET=keeper(prod, "XXXXXXXXXXXXXXXXXXXX")
+```
+</div>
+</div>
+
+---
+
+## Troubleshooting
+
+### Failed to parse config token
+- The `KSM_CONFIG` value must be a valid base64-encoded JSON string
+- Regenerate it using the KSM CLI:
+  ```bash
+  ksm profile export --format json | base64
+  ```
+
+### Access denied
+- Verify the Secrets Manager application has not been revoked
+- Check that the shared folder permissions are still active
+- The one-time token may have expired before being used — generate a new one
+
+### Record not found
+- Verify the record UID or title is correct
+- Ensure the record is in a folder shared with the Secrets Manager application
+- Record UIDs are case-sensitive
+
+### Field not found in record
+- Check available field types: `login`, `password`, `url`, `oneTimeCode`, `note`
+- Custom fields use the label: `keeper("uid/custom_field/My Label")`
+- Use the `#` syntax for quick field access: `keeper("uid#login")`
+
+### Config token issues
+- One-time access tokens can only be used once to initialize a device
+- If you need a new config, create a new device in the application settings
+- Config tokens contain encrypted keys — do not modify them manually
+
+## Resources
+
+- [Keeper Security](https://keepersecurity.com/)
+- [Keeper Secrets Manager](https://docs.keeper.io/secrets-manager/)
+- [JavaScript SDK Documentation](https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/javascript-sdk)
+- [KSM CLI Documentation](https://docs.keeper.io/secrets-manager/secrets-manager/secrets-manager-command-line-interface)