Envshed

Start free

pnpm, Turborepo, Nx — one config

One config. Every workspace pulls its keys.

A monorepo-native secrets manager. Declare keys per workspace at the repo root, pull only what each package needs, and stop watching .env files drift one PR at a time.

$ envshed pull

Start free — no credit cardSee pricing

personas.monorepos.hero.ctaMicrocopy

Where monorepo secrets break first

DATABASE_URL drifts across packages

The API uses one value, the worker package uses a slightly older one. The bug only reproduces in one workspace.

One vault, one value per environment. Every workspace pulls the same source of truth on demand.

Each package has its own .env

Three packages, three .env files, one engineer keeping them in sync. They go on vacation and onboarding breaks.

One .envshed.json at the root declares each workspace's keys. envshed pull writes them where each package expects.

New engineer hits five missing keys at once

They clone the repo, run pnpm install, and the API crashes at startup with undefined. Nobody remembers which package needs what.

Declared keys are required keys. Envshed fails loud if a workspace is missing a value — at pull time, not at runtime.

Workspace-level changes are invisible

Someone added STRIPE_SECRET_KEY to apps/web by mistake. Three weeks later it ends up in the client bundle.

Per-workspace audit log. See which keys each package declared, who changed them, and when.

Stop diffing .env files across packages — Start free

Built around the way monorepos already work

envshed pull at the root

Walks the workspaces in your config and writes the right keys to each package — pnpm, Turborepo, Nx, Lerna.

Per-workspace environments

Run apps/api against staging while apps/web pulls development values. One repo, multiple env targets, side by side.

Per-user overrides stay local

Override DATABASE_URL on your laptop without touching the shared config. Your teammates never see the personal value.

Clone an environment in one click

Spin up a feature-branch environment with every workspace's secrets copied — no manual recreation.

CI knows your workspace shape

envshed run --workspace apps/api injects only the keys that workspace declared. Frontend bundles never see Stripe.

AES-256-GCM at rest

Plaintext never lands on disk. The same encryption posture applies to every workspace in the monorepo.

Start freeSee pricing

Simple, fair pricing

Start free. Scale as your team grows. No hidden fees.

Roughly a third of what comparable secrets managers charge

Most hosted secrets managers land at $15–$25 per user/month once you're past their free tier. Envshed is $5, flat — no quote, no sales call.

Developer

$0

For solo devs and pairs. Everything you need to stop pasting secrets into Slack.

  • Up to 2 members
  • Up to 3 projects
  • Unlimited secrets
  • AES-256-GCM encryption
  • CLI & API access
Start free — no card required

Free forever plan

14-day free trial
Popular

Team

$5

/user/month

For teams of 3+ that ship to production. Unlimited members, audit logs, CI-ready service tokens.

  • Unlimited members
  • Unlimited projects
  • Unlimited secrets
  • CLI & API access
  • Webhooks
  • Service tokens (CI/CD)
  • Audit logs
Start 14-day trial

Cancel anytime

14-day free trial

Business

$9

/user/month

For organizations that need SSO, priority support, and a name to cite in their vendor review.

  • Everything in Team
  • SAML SSO
  • Priority support
Start 14-day trial

Cancel anytime

No charge during your 14-day trial on paid plans.