Your .env file,
but it's a vault.
Drop-in replacement for dotenv. One key in your environment, everything else encrypted remotely. AES-256-GCM. Per-device secrets. Hot reload. Zero config migration.
Four steps. No config files.
If you know dotenv, you know vaultdotenv. The migration takes about 90 seconds.
Install and log in
Install the CLI, then authenticate with your dashboard account. One login connects everything.
$ npm install -g @vaultdotenv/cli
$ vde login
Opening browser to authenticate...
✓ Logged in as you@example.com
Create a project and push
Initialize a project and push your .env secrets. They're encrypted with AES-256-GCM before leaving your machine. Or link to a project you already created on the dashboard.
$ vde init --name my-app
✓ Project created and linked to your account

# Or link to an existing dashboard project
$ vde init --link
Your projects:
[1] my-app (d7bbf0ef…)
Select a project (1-1): 1
✓ Linked to project: my-app

$ vde push --env production
Pushing 14 secrets to production...
Pushed. Version: 1 (14 added)
Replace one import
Swap dotenv for @vaultdotenv/cli. Same API, same behavior. Your code doesn't change. Deploy with just VAULT_KEY.
// Before
require('dotenv').config()
// After — that's it
require('@vaultdotenv/cli').config()
Manage from the dashboard
Invite team members, approve devices, view version history, and rotate secrets — all from the web. Changes propagate to running processes in seconds.
$ vde set STRIPE_KEY "sk_live_new..." --env production
Set STRIPE_KEY. Version: 2 (14 total secrets)

# Running processes pick up the change automatically
# No redeploy. No restart.
Security without the ceremony
Everything you need to stop committing secrets. Nothing you don't.
AES-256-GCM encryption
Secrets are encrypted before they leave your machine. The vault server never sees plaintext.
Per-device secrets
Each machine gets a unique device key. Revoke a laptop without rotating every secret.
HMAC-signed requests
Every API call is signed with a time-stamped HMAC. No bearer tokens flying around.
Hot reload
Change a secret in the dashboard, it propagates to running processes. No redeploys.
Encrypted cache
Secrets are cached locally with AES-256-GCM. If the vault is unreachable, your app still boots.
Zero config migration
Run vde push. Your .env becomes a VAULT_KEY. That's the entire migration.
Change a secret.
Skip the redeploy.
vaultdotenv watches for changes and updates process.env in-place. Rotate an API key from the dashboard and every running process picks it up within seconds. No restart, no downtime.
- Lightweight polling — only checks a version number, no secrets transferred until something changes
- onChange callback with the diff — reconnect databases, refresh tokens, whatever you need
- Background thread (Python) or unref'd timer (Node.js) — won't keep your process alive
// Node.js
const vault = require('@vaultdotenv/cli');

(async () => {
  // await needs an async function in CommonJS; load secrets before watching
  await vault.config();

  vault.watch({
    interval: 30000, // poll interval in milliseconds
    onChange(changed, allSecrets) {
      console.log('Updated:', Object.keys(changed));
      // Reconnect DB, refresh tokens, etc.
    },
  });
})();

# Python
import vaultdotenv

vaultdotenv.load_vault()
vaultdotenv.watch(
    interval=30.0,  # poll interval in seconds
    on_change=lambda changed, all_secrets:
        print("Updated:", list(changed.keys())),
)

Simple, honest pricing
No per-seat charges. No request metering. No surprises.
Free
Enough to ship something real.
- 10 secrets
- 2 environments
- 1 project
- 2 devices
- Encrypted cache
- Community support
Pro
For solo devs and small teams.
- 30 secrets
- 3 environments
- 3 projects
- 5 devices
- Hot reload
- Version history
- Email support
Team
For teams who ship to prod.
- Unlimited secrets
- Unlimited environments
- 10 projects
- Unlimited devices
- Hot reload
- Version history
- Audit log
- Priority support