A dotenv alternative that stops leaking your .env files.
dotenv was never meant for three people sharing a DATABASE_URL in Slack. Envshed is the encrypted, team-aware replacement: one .envshed.json at the repo root, values pulled on demand, and an audit trail on every read.
dotenv is the file everybody uses and nobody admits they manage with a Slack DM. Two people join the team. Someone forgets to paste the new RESEND_API_KEY. CI breaks at 2 AM. You are reading this because that already happened. Here is what a real dotenv alternative looks like once you are past the one-person project.
Why teams hit the dotenv ceiling
The .env file is the source of truth, and nobody trusts it
Five copies, all slightly different. Staging has an extra key. Prod is missing one. Someone committed it to git in 2023 and the history is still there.
New hires wait days for a working local env
Pairing calls, screenshares, DMs with secret values. Onboarding should not mean paste-by-paste reconstruction of a JSON blob.
You have no idea who read what, or when
A key rotates. You cannot tell who still has the old one. Every process.env read is invisible.
What Envshed gives you that dotenv does not
Envshed keeps the shape you already understand — files with KEY=value pairs — and adds the three things dotenv never did. Central storage, encrypted at rest with AES-256-GCM so values never land in plaintext on disk. Access by user and project, not "everyone in the Slack channel". And a CLI that pulls the current values on demand so the file on your laptop is always the right one.
Your dotenv workflow, rebuilt
Drop the file. Keep the workflow.
    # before: hunt down the latest .env in Slack
    cat .env

    # after: pull the real values for your env
    envshed pull
    envshed run -- pnpm dev
Every dotenv pain, replaced
One source of truth per environment
Development, staging, production — each has a vault. envshed pull --env staging is the only way to end up with staging values on disk.
Instant access when someone joins
Invite a teammate to the org. They run envshed init && envshed pull and they are unblocked in 30 seconds.
Every read is logged
The audit trail shows which user pulled which secret from which machine at which timestamp. Rotation becomes a known operation, not an incident.
What you get
- AES-256-GCM encryption at rest for every secret value
- One .envshed.json detects every package in a monorepo
- Service tokens for CI without sharing human credentials
- Per-user overrides — your local values stay local
- $5 per user per month, flat — no seat tiers
dotenv to Envshed, answered
Can I keep using a .env file for local dev?
Yes. envshed pull writes a .env to your working directory that every tool (node, vite, next) reads exactly like before. The difference is that the file was fetched from a vault, not a Slack DM.
What happens to my existing .env files?
Import them. envshed push uploads every KEY=value pair into a project environment you choose. After that, you can delete the committed copies.
Does it work with dotenv-cli, dotenvx, Next.js, and Vite?
Yes. Envshed writes the same .env format those tools expect. You can also run your process directly with envshed run -- your-command and skip the intermediate file.
Do I still need python-dotenv or dotenv-cli?
Only if you want to. Envshed can emit the file they expect, or inject values directly into your process so your code keeps reading process.env.X or os.environ['X'] without a loader.
Move your .env files somewhere sensible
Sign up, pull your first secret in under 30 seconds, and delete the .env.template you never update.