A secrets manager priced for a startup's actual budget.
Most secrets managers charge like you already have a CISO. Envshed is encrypted, team-aware secret storage with a real CLI and a real audit trail — flat $5 per user, SAML SSO at $9, and no sales call to get started.
You are a startup. You have a Postgres URL, a Stripe key, a few OAuth clients, and five people. You do not need a platform. You need a place to put these values that your whole team can use, the security person can defend later, and the bill does not explode when you hire your seventh engineer. That is Envshed.
The secret-management mess every startup hits
Third-party API keys break production at 3 AM
Stripe webhook secret rotates. Postmark rate-limits. Nobody knows which values are current. Your pager is the source of truth.
The same DATABASE_URL lives in five places
Two laptops, staging, production, and a .env.local that someone committed to git in April. Values drift. Bugs get reproduced only on the CEO's machine.
Rotation means DMing everyone
You change a credential, then chase five teammates on Slack until the new value lands in every local setup. Meanwhile, the old value is still valid.
Envshed is the place every secret actually belongs
One vault for every credential your app depends on. A CLI that pulls those values onto a laptop or into a CI runner. A dashboard a security reviewer can look at during due diligence. Organizations contain projects, projects contain environments, environments contain secrets. Roles control who sees what. You can roll it out in an afternoon.
One CLI, laptop and CI
Same command locally, same command in GitHub Actions.
# on a laptop envshed init envshed pull # in GitHub Actions envshed run --env production -- pnpm build
How a 5-person team rolls it out
Start free, upgrade when you are ready
2 users, 3 projects, unlimited secrets on the free tier. Enough to run a real proof of concept without a credit card.
SAML SSO without a sales call
$9 per user per month on Business, with SCIM for deprovisioning. Turn it on from the dashboard — no procurement cycle.
Works with the tools you already ship on
GitHub Actions, Vercel, Docker, a Node.js SDK, and a REST API. If it reads process.env, it works with Envshed.
What you get
- AES-256-GCM encryption at rest, TLS 1.3 in transit
- Org, project, and environment roles — owner, admin, editor, viewer
- Every read and write logged with user, IP, and timestamp
- Expiration dates on secrets, with warnings before production breaks
- Flat $5/user/month on Team, $9/user/month on Business with SAML
Questions startups actually ask
Is it SOC 2 compliant?
Not today. We do not claim certifications we do not hold. The security page documents the controls we do run, and every change to our encryption model is in the changelog.
Can I trial it before paying?
Yes. The free tier covers 2 users, 3 projects, and unlimited secrets — enough to run a real proof of concept without a credit card.
What happens if Envshed goes down?
Every plan includes export. Your secrets are yours. Run envshed pull --env production > .env once a day in CI and you are operational even if we are offline.
Is SAML SSO locked behind an enterprise contract?
No. SAML SSO is $9 per user per month on the Business plan, provisioned from a self-serve dashboard. SCIM is included.
Put your API keys somewhere you can defend in a security review
Two users free, $5 per user when you are ready. No sales call, no seat tiers.
Start freePart of the Envshed.