Built for platform & infra teams

Secrets that pass your security review.

RBAC, SAML SSO, scoped service tokens, and a tamper-evident audit log — without an enterprise sales cycle. AES-256-GCM at rest, TLS 1.3 in transit, $9 per user with SSO included.

$ envshed run --env production -- pnpm deploy

What platform teams inherit when secrets sprawl

Nobody knows who changed the production token

Someone rotated the Stripe webhook secret at 11pm. The post-mortem starts with three Slack threads and a guess.

Tamper-evident audit log: user, IP, timestamp, and value diff for every change. Hash-chained so deletes leave a trace.

Every engineer can read every secret

Backend devs see Stripe live keys. Contractors see staging databases. The blast radius is the whole company.

Project-level RBAC plus per-environment access. Scope each token to the exact read or write surface it needs.

The same secret lives in twelve repos' Secrets tabs

Rotation means twelve PRs or twelve browser tabs. By the third one, you stop double-checking.

One vault per environment. Service tokens pull the current value at job start — rotate in one place.

Rotation discipline lives in a spreadsheet

You rotate quarterly because that's the calendar reminder, not because you can see what's about to expire.

Per-secret expiry dates with warnings in the dashboard, the CLI, and your audit feed.

Stand up secrets infra in an afternoon — Start free

The controls a platform team actually owns

SAML SSO on the $9 tier

Okta, Azure AD, Google Workspace, or any SAML 2.0 IdP — provisioned from a self-serve dashboard, no sales call.

Scoped service tokens

Issue tokens scoped to one environment, read-only or read/write. Revoke in Envshed and CI stops pulling within seconds.

Tamper-evident audit log

Every read and write hash-chained — your incident response team can prove the timeline.

Per-environment access

Dev, staging, production each have their own access list. Staging tokens cannot read production.

RBAC at org and project

Owner, admin, member at the org. Editor and viewer per project. Promotions and demotions are one click.

GitHub Actions, OIDC-ready

Service token or short-lived OIDC credential — the workflow pulls the current values at job start, no static secret on the runner.

AES-256-GCM at rest

Per-record IV, TLS 1.3 in transit, encryption keys held separately from the encrypted data.

Per-secret expiration

Force a rotation cadence. Warnings fire before the credential breaks the production deploy.

Simple, fair pricing

Start free. Scale as your team grows. No hidden fees.

Roughly a third of what comparable secrets managers charge

Most hosted secrets managers land at $15–$25 per user/month once you're past their free tier. Envshed is $5, flat — no quote, no sales call.

Developer

$0

For solo devs and pairs. Everything you need to stop pasting secrets into Slack.

  • Up to 2 members
  • Up to 3 projects
  • Unlimited secrets
  • AES-256-GCM encryption
  • CLI & API access

Team

$5

/user/month

For teams of 3+ that ship to production. Unlimited members, audit logs, CI-ready service tokens.

  • Unlimited members
  • Unlimited projects
  • Unlimited secrets
  • CLI & API access
  • Webhooks
  • Service tokens (CI/CD)
  • Audit logs

Cancel anytime

Business

$9

/user/month

For organizations that need SSO, priority support, and a name to cite in their vendor review.

  • Everything in Team
  • SAML SSO
  • Priority support

Cancel anytime

No charge during your 14-day trial on paid plans.