Simple, honest pricing

No per-seat charges. No request metering. No surprises.
Start free, upgrade when you need more.

Free

Enough to ship something real.

$0forever
  • 10 secrets
  • 2 environments
  • 1 project
  • 2 devices
  • Encrypted local cache
  • CLI access
  • Community support
Start free
Most popular

Pro

For solo devs and small teams.

$4.95/mo
  • 30 secrets
  • 3 environments
  • 3 projects
  • 5 devices
  • Hot reload (watch mode)
  • Version history (30 days)
  • Dashboard access
  • Email support
Start free trial

Team

For teams who ship to prod.

$9.95/mo
  • 100 secrets
  • Unlimited environments
  • 10 projects
  • Unlimited devices
  • Hot reload (watch mode)
  • Version history (90 days)
  • Audit log
  • Device management
  • Dashboard access
  • Priority support
Start free trial

Frequently asked questions

What counts as a secret?

Each key-value pair is one secret. DATABASE_URL is one secret, STRIPE_KEY is another. Environment variables that are the same across environments still count once per environment.

Can I use vault-env in CI/CD?

Yes. Register your CI runner as a device and set VAULT_KEY + VAULT_DEVICE_SECRET as pipeline variables. Secrets are pulled at build time, never stored in your CI config.

What happens if the vault server is down?

Your app still boots. vault-env maintains an AES-256-GCM encrypted local cache that's refreshed on every successful pull. If the server is unreachable, cached secrets are used.

Is there a self-hosted option?

Not yet, but the vault server is a single Cloudflare Worker with a D1 database. We're considering open-sourcing the server component.

How do I revoke a compromised device?

Remove the device from your dashboard. Its device-specific encryption key is immediately invalidated — it can no longer decrypt secrets even if it has the VAULT_KEY.