Not yet, but self-hosting is planned for a future release.

Envshed

Stop leaking secrets. Start shipping faster.

Q: Is my data encrypted?

Yes. All secret values are encrypted with AES-256-GCM at rest. Data in transit is protected by HTTPS.

Q: What happens if I cancel?

You retain access until your billing period ends. You can export all secrets via the CLI before your access expires.

Q: How does billing work?

Stripe handles all payments. You can cancel anytime from your account settings.

Q: What are placeholder secrets?

Keys that require each developer to set their own value — great for personal API tokens and local database passwords.

Q: Can I set expiration dates on secrets?

Yes. You will get warnings in the UI and CLI when secrets are expiring or have expired.

Manage environment variables across teams, projects, and environments — encrypted, versioned, and auditable.

$ npx envshed@latest login

View on npm

Get Started — $5/month Learn More

Problems we solve

Secrets shared over Slack

API keys and passwords pasted in plain text messages anyone can search.

Encrypted vault with fine-grained access control. Secrets never leave the platform unencrypted.

Slow onboarding

New team members wait hours or days to get the right environment variables.

Invite to your org and they instantly access every project secret they need.

"Works on my machine"

Everyone has different local .env files, leading to inconsistent environments.

Per-user overrides let each dev customize values without affecting the shared config.

No change tracking

Someone changed a secret and broke production. Who? When? No one knows.

Full audit log with user, timestamp, and diff for every single change.

Copy-pasting secrets

The same database URL exists in 5 different .env files, all slightly different.

Define a value once and reference it across all environments.

Expired credentials

Third-party API keys expire silently and break production at 3 AM.

Set expiration dates on secrets with automatic warnings before and after expiry.

Developer Experience

Get started in 30 seconds

Three commands. That's all it takes.

Authenticate

$ npx envshed@latest login

Opens your browser for secure device authentication.

Initialize your project

$ npx envshed@latest init

Creates a .envshed.json config linked to your org and project.

Pull your secrets

$ npx envshed@latest pull

Downloads encrypted secrets into a local .env file.

Watch the CLI workflow

Developer Experience

Get started in 30 seconds

View on npm

Monorepo Support

One config, every workspace

Manage secrets across your entire monorepo with a single config file.

Auto-detect packages

$ npx envshed@latest init

Scans pnpm-workspace.yaml or package.json workspaces and discovers all packages.

Map each workspace

$ cat .envshed.json

Each subdirectory maps to its own project and environment in one config file.

Pull all at once

$ envshed pull

Run from root to pull secrets for every workspace in a single command.

Watch the workspace workflow

Monorepo Support

One config, every workspace

Node.js SDK

Programmatic access to your secrets

Use @envshed/node to manage secrets from your backend, scripts, or CI pipelines.

import { EnvshedClient } from "@envshed/node"; const client = new EnvshedClient({ token: process.env.ENVSHED_TOKEN, }); const secretsClient = client.createSecretsClient({ org: "acme", project: "web", env: "production", }); const { secrets } = await secretsClient.secrets.list();

View on npm

Everything you need

End-to-end encryption

AES-256-GCM — secrets never stored in plaintext.

Developer-friendly CLI

envshed pull, envshed run, envshed init.

Service tokens

Machine-to-machine auth for CI/CD and infrastructure.

GitHub Actions

Inject secrets into CI/CD workflows with one step.

Node.js SDK

Manage secrets programmatically from any Node.js app.

Team management

Roles, project access, member invites.

Environment management

Dev, staging, production with secret sharing.

Per-user overrides

Personal config with comments.

Secret expiration

Set expiry dates, get warnings.

Project duplication

Clone entire projects with all secrets.

Audit trail

Every read and write logged.

SAML SSO

Single sign-on with Okta, Azure AD, Google Workspace, or custom SAML.

Simple, fair pricing

Start free. Scale as your team grows. No hidden fees.

Developer

For individual developers

Up to 2 members
Up to 3 projects
Unlimited secrets
AES-256-GCM encryption
CLI & API access

Team

Popular

/user/month

For growing teams

Unlimited members
Unlimited projects
Unlimited secrets
CLI & API access
Webhooks
Service tokens (CI/CD)
Audit logs

Business

/user/month

For organizations needing SSO

Everything in Team
SAML SSO
Priority support

14-day free trial on paid plans. No charge during trial. Cancel anytime.

Frequently Asked Questions

Is my data encrypted?

Can I self-host?

What happens if I cancel?

How does billing work?

What are placeholder secrets?

Can I set expiration dates on secrets?