For 2–50 person dev teams that outgrew shared .env files

Secrets your team can actually trust.

Envshed is the encrypted, monorepo-native secrets manager built for small engineering teams. $5 per user, flat. Pull your first secret in under 30 seconds.

$ npx envshed@latest login

Free forever plan · 14-day trial on paid plans

The stuff that costs you hours every week

Secrets shared over Slack

API keys and passwords pasted in plain text messages anyone can search.

Encrypted vault with fine-grained access control. Secrets never leave the platform unencrypted.

Slow onboarding

New team members wait hours or days to get the right environment variables.

Invite to your org and they instantly access every project secret they need.

"Works on my machine"

Everyone has different local .env files, leading to inconsistent environments.

Per-user overrides let each dev customize values without affecting the shared config.

No change tracking

Someone changed a secret and broke production. Who? When? No one knows.

Full audit log with user, timestamp, and diff for every single change.

Copy-pasting secrets

The same database URL exists in 5 different .env files, all slightly different.

Define a value once and reference it across all environments.

Expired credentials

Third-party API keys expire silently and break production at 3 AM.

Set expiration dates on secrets with automatic warnings before and after expiry.

Fix this in 30 seconds — Start Free

Built in the open

Envshed is open source. Read every line, file an issue, or ship a PR.

npm

1,796

installs to date

GitHub

Public

source code on GitHub

Transparency

Every week

We ship improvements weekly. Roadmap and changelog are public.

We're early — and we're building in the open. Using Envshed with your team? We want to hear from you.

Everything a team needs to ship safely

End-to-end encryption

No secret ever lands on disk in plaintext — encrypted at rest with AES-256-GCM, so a stolen database dump is dead weight.

Developer-friendly CLI

Pull, run, and init from the terminal. No dashboard tab required to ship a feature.

Service tokens

Scoped tokens for CI, Terraform, Kubernetes, and any service that needs secrets without a human in the loop.

GitHub Actions

Drop our Action into your workflow and your CI gets the same secrets as your laptop — no copy-paste, no stale values.

Node.js SDK

Fetch secrets at runtime from any Node app — no .env file, no secrets in your Docker image.

Team management

Invite teammates, grant the right access, and revoke it in one click when someone leaves.

Environment management

Share values across dev, staging, and prod — or keep them separate when they need to be.

Per-user overrides

Each dev overrides just the values they need locally. The shared config stays untouched.

Secret expiration

Set an expiry on any secret and get warnings before it breaks production at 3 AM.

Project duplication

Spin up a new project from an existing one. Secrets, environments, and access all come with it.

Audit trail

See who read or changed any secret, when, and from where. Answering 'who broke it' becomes a 10-second lookup.

SAML SSO

Log in through Okta, Azure AD, Google Workspace, or any SAML provider. Off-boarding happens when your IDP says it does.


Works with your stack

Envshed plugs into the tools your team already uses.

Coming soon

Vercel

AWS / CI runners

Developer Experience

Get started in 30 seconds

Authenticate, initialize, pull. Your first secret lands in 30 seconds.

1. Authenticate

$ npx envshed@latest login

Opens your browser for secure device authentication.

2. Initialize your project

$ npx envshed@latest init

Creates a .envshed.json config linked to your org and project.

3. Pull your secrets

$ npx envshed@latest pull

Downloads encrypted secrets into a local .env file.

Monorepo Support

One config, every workspace

One .envshed.json at the repo root. Every package pulls what it needs.

1. Auto-detect packages

$ npx envshed@latest init

Scans pnpm-workspace.yaml or package.json workspaces and discovers all packages.

2. Map each workspace

$ cat .envshed.json

Each subdirectory maps to its own project and environment in one config file.

3. Pull all at once

$ envshed pull

Run from root to pull secrets for every workspace in a single command.


Node.js SDK

Fetch secrets at runtime. Skip the .env file.

@envshed/node pulls secrets into your process directly — no file on disk, no baked-in values in your Docker image, no secret leak when a log line goes wide.

import { EnvshedClient } from "@envshed/node";

const client = new EnvshedClient({
  token: process.env.ENVSHED_TOKEN,
});

const secretsClient = client.createSecretsClient({
  org: "acme",
  project: "web",
  env: "production",
});

const { secrets } = await secretsClient.secrets.list();


Simple, fair pricing

Start free. Scale as your team grows. No hidden fees.

Roughly a third of what comparable secrets managers charge

Most hosted secrets managers land at $15–$25 per user/month once you're past their free tier. Envshed is $5, flat — no quote, no sales call.

Developer

$0

For solo devs and pairs. Everything you need to stop pasting secrets into Slack.

  • Up to 2 members
  • Up to 3 projects
  • Unlimited secrets
  • AES-256-GCM encryption
  • CLI & API access
14-day free trial
Popular

Team

$5

/user/month

For teams of 3+ that ship to production. Unlimited members, audit logs, CI-ready service tokens.

  • Unlimited members
  • Unlimited projects
  • Unlimited secrets
  • CLI & API access
  • Webhooks
  • Service tokens (CI/CD)
  • Audit logs
Start 14-day trial

Cancel anytime

14-day free trial

Business

$9

/user/month

For organizations that need SSO, priority support, and a name to cite in their vendor review.

  • Everything in Team
  • SAML SSO
  • Priority support
Start 14-day trial

Cancel anytime

No charge during your 14-day trial on paid plans.

Frequently Asked Questions

Still have questions? Contact us