Envshed

Start free

For 2–50 person dev teams that outgrew shared .env files

Secrets your team can actually trust.

Envshed is the encrypted, monorepo-native secrets manager built for small engineering teams. $5 per user, flat. Pull your first secret in under 30 seconds.

$ npx envshed@latest login

Start free — no card requiredSee pricing

Free forever plan · 14-day trial on paid plans

The stuff that costs you hours every week

Secrets shared over Slack

API keys and passwords pasted in plain text messages anyone can search.

Encrypted vault with fine-grained access control. Secrets never leave the platform unencrypted.

Slow onboarding

New team members wait hours or days to get the right environment variables.

Invite to your org and they instantly access every project secret they need.

"Works on my machine"

Everyone has different local .env files, leading to inconsistent environments.

Per-user overrides let each dev customize values without affecting the shared config.

No change tracking

Someone changed a secret and broke production. Who? When? No one knows.

Full audit log with user, timestamp, and diff for every single change.

Copy-pasting secrets

The same database URL exists in 5 different .env files, all slightly different.

Define a value once and reference it across all environments.

Expired credentials

Third-party API keys expire silently and break production at 3 AM.

Set expiration dates on secrets with automatic warnings before and after expiry.

Fix this in 30 seconds — Start Free

By the numbers

Real installs and a founder who answers email.

Secrets managed

Real production secrets.

Every value stored here is wiring up software that actually ships.

Developers

Engineers shipping with it.

Real people at real keyboards — not marketing funnel numbers.

Workspaces

Codebases running on it.

Real repos with a .envshed.json at the root.

Who this is for

Built for shipping devs, not Fortune 500 procurement

Envshed is the secrets manager for indie devs, early-stage startups up to ~50 engineers, and open-source maintainers running shared infra. If that's you, the rest of this page is for you.

Indie devs & solo founders

Free Developer plan, no card. Stop pasting API keys into Notion and Slack DMs — even on a side project.

Startups up to ~50 engineers

$5 per user, flat. SAML SSO at $9. No quote, no sales call when you hire your seventh dev.

Open-source maintainers

Shared infra without per-maintainer invoices on a side project. Two co-maintainers ship for free, more on Team.

Everything a team needs to ship safely

End-to-end encryption

No secret ever lands on disk in plaintext — encrypted at rest with AES-256-GCM, so a stolen database dump is dead weight.

Developer-friendly CLI

Pull, run, and init from the terminal. No dashboard tab required to ship a feature.

Service tokens

Scoped tokens for CI, Terraform, Kubernetes, and any service that needs secrets without a human in the loop.

GitHub Actions

Drop our Action into your workflow and your CI gets the same secrets as your laptop — no copy-paste, no stale values.

Node.js SDK

Fetch secrets at runtime from any Node app — no .env file, no secrets in your Docker image.

Team management

Invite teammates, grant the right access, and revoke it in one click when someone leaves.

Environment management

Share values across dev, staging, and prod — or keep them separate when they need to be.

Per-user overrides

Each dev overrides just the values they need locally. The shared config stays untouched.

Secret expiration

Set an expiry on any secret and get warnings before it breaks production at 3 AM.

Project duplication

Spin up a new project from an existing one. Secrets, environments, and access all come with it.

Audit trail

See who read or changed any secret, when, and from where. Answering 'who broke it' becomes a 10-second lookup.

SAML SSO

Log in through Okta, Azure AD, Google Workspace, or any SAML provider. Off-boarding happens when your IDP says it does.

Start FreeSee Pricing

Works with your stack

Five integrations shipped, eight more on the roadmap with public ETAs, plus one up for community vote. See where your stack lands.

Developer Experience

Get started in 30 seconds

Authenticate, initialize, pull. Your first secret lands in 30 seconds.

1

Authenticate

$ npx envshed@latest login

Opens your browser for secure device authentication.

2

Initialize your project

$ npx envshed@latest init

Creates a .envshed.json config linked to your org and project.

3

Pull your secrets

$ npx envshed@latest pull

Downloads encrypted secrets into a local .env file.

Watch the CLI workflow

Start Free — No Credit Card
View on npm
Monorepo Support

One config, every workspace

One .envshed.json at the repo root. Every package pulls what it needs.

1

Auto-detect packages

$ npx envshed@latest init

Scans pnpm-workspace.yaml or package.json workspaces and discovers all packages.

2

Map each workspace

$ cat .envshed.json

Each subdirectory maps to its own project and environment in one config file.

3

Pull all at once

$ envshed pull

Run from root to pull secrets for every workspace in a single command.

Watch the workspace workflow

Node.js SDK

Fetch secrets at runtime. Skip the .env file.

@envshed/node pulls secrets into your process directly — no file on disk, no baked-in values in your Docker image, no secret leak when a log line goes wide.

import { EnvshedClient } from "@envshed/node"; const client = new EnvshedClient({ token: process.env.ENVSHED_TOKEN, }); const secretsClient = client.createSecretsClient({ org: "acme", project: "web", env: "production", }); const { secrets } = await secretsClient.secrets.list();

Start Free
View on npm

No lock-in. No surprises.

The answers your security reviewer, procurement lead, and future self want before signing up.

Leave whenever

`envshed pull` writes a plain .env you can take anywhere. Full export, keys in plaintext, no ticket.

See the CLI

Security posture, on the record

AES-256-GCM at rest, per-project RBAC, immutable audit log. SOC 2 Type II on the roadmap.

Review security

Simple, fair pricing

Start free. Scale as your team grows. No hidden fees.

Roughly a third of what comparable secrets managers charge

Most hosted secrets managers land at $15–$25 per user/month once you're past their free tier. Envshed is $5, flat — no quote, no sales call.

Developer

$0

For solo devs and pairs. Everything you need to stop pasting secrets into Slack.

  • Up to 2 members
  • Up to 3 projects
  • Unlimited secrets
  • AES-256-GCM encryption
  • CLI & API access
Start free — no card required

Free forever plan

14-day free trial
Popular

Team

$5

/user/month

For teams of 3+ that ship to production. Unlimited members, audit logs, CI-ready service tokens.

  • Unlimited members
  • Unlimited projects
  • Unlimited secrets
  • CLI & API access
  • Webhooks
  • Service tokens (CI/CD)
  • Audit logs
Start 14-day trial

Cancel anytime

14-day free trial

Business

$9

/user/month

For organizations that need SSO, priority support, and a name to cite in their vendor review.

  • Everything in Team
  • SAML SSO
  • Priority support
Start 14-day trial

Cancel anytime

No charge during your 14-day trial on paid plans.

Frequently Asked Questions

Start FreeStill have questions? Contact us