Powered by HashiCorp Vault

Secrets that stay secret.

Envault gives your team a single, audited place to store, share, and inject environment variables — backed by HashiCorp Vault, controlled by roles, and observable from a modern dashboard.

End-to-end encrypted Team-ready Full audit trail
my-project / production
DATABASE_URL
••••••••••••••••••••
STRIPE_SECRET_KEY
••••••••••••••••••••
JWT_SIGNING_KEY
••••••••••••••••••••
AWS_SECRET_ACCESS_KEY
••••••••••••••••••••
Vault connected
AES-256 4 secrets
AES-256
Encryption standard
<50ms
Secret retrieval
3
RBAC roles
3
Environments

Everything you need for secrets management

A complete platform that replaces scattered .env files with a secure, audited, team-friendly workflow.

Vault-Backed Storage

Secret values are stored exclusively in HashiCorp Vault's KV-v2 engine. They never touch your metadata database — ever.

Role-Based Access

Three granular roles — Admin, Developer, and CI — control who can read, write, or manage secrets per project.

Multi-Environment

Development, staging, and production environments are isolated by default. Pull the right secrets for the right context.

Complete Audit Trail

Every secret read, write, and deletion is logged with user identity, timestamp, and metadata. Full compliance visibility.

Powerful CLI

Initialize projects, push/pull .env files, set individual secrets, and onboard teammates — all from your terminal.

Prometheus Metrics

Built-in observability with request counters, latency histograms, and Vault operation tracking out of the box.

Reveal on Demand

Secret values are masked by default in the dashboard. Reveal them on-demand with an automatic 10-second auto-hide timer.

Credential Rotation

Rotate project Vault tokens with one click or command. All previous tokens are immediately invalidated.

Version Tracking

Every secret update increments the version counter via Vault's native versioning. See when each secret was last modified.

Up and running in minutes

Four steps from zero to a fully secured secrets pipeline for your team.

1

Initialize

Create a project and receive your Vault token.

envault init my-app
2

Add Secrets

Push your .env file or set secrets one by one.

envault env push --env prod -f .env
3

Invite Team

Onboard teammates with scoped roles.

envault onboard dev@co.com --role developer
4

Pull & Deploy

Pull secrets into any environment or CI pipeline.

envault env pull --env prod
Security-first architecture

Built for teams that can't afford leaks

Every architectural decision in Envault prioritizes security. Secret values are completely isolated from metadata, access is scoped by role, and every action leaves an audit trail.

Supabase JWT Auth

Every request is validated against your Supabase JWKS endpoint. No session cookies to steal.

Split Data Model

PostgreSQL stores metadata only. Vault stores values. A database breach never exposes secrets.

RBAC Enforcement

Middleware enforces roles on every request. CI tokens can only read — they can never write or manage.

Immutable Audit Log

Who read what, when, from where. Every secret access is recorded with full user context.

Architecture

Dashboard & CLI
Next.js + Cobra CLI
Go API Server
JWT Auth · RBAC · Rate Limiting
PostgreSQL
Users, Projects,
Audit Logs
Vault KV-v2
Secret Values
(Encrypted)

Your secrets, one command away

A full-featured CLI that fits into any workflow — local dev, CI/CD pipelines, or team onboarding.

terminal
$envault init my-saas-app
Project "my-saas-app" created.
Vault Token: hvs.CAES...k2Nz
Config saved to ~/.envault.yaml
$envault secret set DATABASE_URL=postgresql://... --env production
Secret DATABASE_URL set (version 1) in my-saas-app/production
$envault env pull --env production
Pulled 12 secrets to .env
DATABASE_URL, STRIPE_SECRET_KEY, JWT_SIGNING_KEY, ...
$envault onboard alice@team.com --role developer
Added alice@team.com as developer to my-saas-app
Vault Token: hvs.CAES...x9Fp
$
envault init

Create project

envault env pull

Download secrets

envault env push

Upload .env file

envault secret set

Set a secret

envault secret get

Read a secret

envault onboard

Invite teammate

envault rotate

Rotate tokens

envault env list

List all keys

envault secret delete

Remove a secret

Stop sharing secrets in Slack

Envault gives your team a secure, audited, role-scoped workflow for managing environment variables. Set up in minutes, not days.