EnvCat
Your machine. Your secrets.
EnvCat is a local-first, open-source environment-variable manager for teams. Run it on your infrastructure, keep full control of secrets, and fetch the exact environment variables developers need with a secure device-approval flow.
TL;DR
- Local-first and self-hosted: no cloud dependency and no per-user fees.
- Developer-friendly UX: CLI → browser approval → secrets injected into your shell.
- Secure by design: end-to-end encryption, ephemeral approvals, single-use retrieval.
Why EnvCat?
- Privacy & ownership — Your secrets live on your infrastructure. Open source (MIT).
- Cost-efficient — No per-user pricing. Self-host on minimal infra.
- Simple & focused — Designed for environment variables, not an enterprise vault.
- Fast onboarding — Developers productive in minutes.
How it works (3-step flow)
1) CLI: `envcat get --bundle myproject`
   → generates an ephemeral keypair and creates a request
2) Browser: open /approve/{id} → authenticate → select bundle & keys → Approve
   → server encrypts the selected values to the CLI's public key
3) CLI: polls /wait → receives ciphertext → decrypts locally → emits export lines
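The three steps above as a runnable sketch, added here as an example and not EnvCat's own code: an in-memory request store with expiry and single-use retrieval, plus export output that is safe to pass to `eval`. It uses Node's built-in X25519, HKDF and ChaCha20-Poly1305 as a stand-in for libsodium sealed boxes; every function name, the 5-minute TTL and the wire layout are assumptions.

```javascript
const crypto = require('crypto'); // added example: names below are hypothetical, not EnvCat's API
const TTL_MS = 5 * 60 * 1000;     // assumed expiry window; the page gives no value
const requests = new Map();       // stand-in for the server's ephemeral request store
const spki = (der) => crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
const kdf = (shared, ephDer, pubDer) => Buffer.from(
  crypto.hkdfSync('sha256', shared, Buffer.concat([ephDer, pubDer]), 'demo-seal', 32));
// Sealed-box-style: fresh sender key per message; only the recipient's private key opens it.
function sealTo(plaintext, pubDer) {
  const eph = crypto.generateKeyPairSync('x25519');
  const ephDer = eph.publicKey.export({ format: 'der', type: 'spki' }); // 44 bytes
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: spki(pubDer) });
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('chacha20-poly1305', kdf(shared, ephDer, pubDer), nonce, { authTagLength: 16 });
  return Buffer.concat([ephDer, nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}
function openSealed(sealed, privateKey, pubDer) {
  const ephDer = sealed.subarray(0, 44), nonce = sealed.subarray(44, 56);
  const shared = crypto.diffieHellman({ privateKey, publicKey: spki(ephDer) });
  const d = crypto.createDecipheriv('chacha20-poly1305', kdf(shared, ephDer, pubDer), nonce, { authTagLength: 16 });
  d.setAuthTag(sealed.subarray(-16));
  return Buffer.concat([d.update(sealed.subarray(56, -16)), d.final()]);
}
// Step 1 (CLI): register the ephemeral public key and get a request id.
function createRequest(pubDer, now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  requests.set(id, { pubDer, expires: now + TTL_MS, ciphertext: null });
  return id;
}
// Step 2 (server, after browser approval): encrypt the selected values to the CLI key.
function approve(id, selected, now = Date.now()) {
  const r = requests.get(id);
  if (!r || now > r.expires) { requests.delete(id); throw new Error('unknown or expired request'); }
  r.ciphertext = sealTo(Buffer.from(JSON.stringify(selected)), r.pubDer);
}
// Step 3 (CLI poll): hand out the ciphertext once, then forget the request.
function wait(id, now = Date.now()) {
  const r = requests.get(id);
  if (!r || now > r.expires) { requests.delete(id); return { status: 'gone' }; }
  if (!r.ciphertext) return { status: 'pending' };
  requests.delete(id);
  return { status: 'ready', ciphertext: r.ciphertext };
}
// CLI output is fed to eval, so validate variable names and single-quote every value.
function toExports(vars) {
  return Object.entries(vars).map(([k, v]) => {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(k)) throw new Error(`bad variable name: ${k}`);
    return `export ${k}='${String(v).replace(/'/g, "'\\''")}'`;
  }).join('\n');
}
```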
For team leads — faster onboarding, less risk
- Onboard engineers in minutes: invite, assign bundles, approve devices.
- Bundle-based access: create role- or environment-specific bundles (backend, frontend, demo).
- Scoped ephemeral keys for AI sandboxes and services — reduce blast radius.
See the Onboarding recipe → ./recipes/onboard-new-dev.md
Quickstart (one-liner + 3 steps)
Get up and running in under 5 minutes (local development):
```bash
git clone https://github.com/check-the-vibe/envcat
cd envcat
docker compose up -d --build
docker compose exec api python seed.py  # seeds dev/example bundle
curl -fsSL https://env.cat/cli/install.sh | sh
# In a new shell:
eval "$(envcat get --api-base http://localhost:8888 --bundle dev/example)"
```
Complete Quickstart → ./quick-start.md
Use cases (short)
- Onboard new engineers quickly — see Onboard recipe
- Give designers demo access with stubbed keys — see Designer Demo recipe
- Issue scoped, short-lived keys for AI sandboxes or MCP servers — see AI-safe Keys recipe
- Replace .env copy/paste workflows and reduce accidental leaks
Product snapshot
- Bundles: named collections of env vars for a project, role, or environment
- Device-approval flow: ephemeral keypair per request, browser approval, sealed-box encryption
- Storage: encrypted at rest (libsodium secretbox) in SQLite; ciphertext in Redis for ephemeral approvals
Comparison (short)
| Need | EnvCat | Doppler | Vault | .env files |
|---|---|---|---|---|
| Privacy & control | ✅ local-first | ❌ cloud | ⚪ self-hosted complex | ❌ plaintext |
| Setup time | ~5 min (Docker) | 0 min SaaS | Days/weeks | ~1 min |
| Cost | Free (OSS) | $/user | infra & ops | Free but risky |
| Best for | Teams who want control & fast onboarding | Teams who want zero-ops SaaS | Enterprise secrets | Solo projects / prototyping |
Security & trust
- End-to-end encryption for approvals (sealed boxes)
- At-rest encryption for bundles (secretbox)
- Requests are single-use and expire by default
- Open source (MIT). Inspect the code on GitHub.
Contribute & Community
- GitHub: https://github.com/check-the-vibe/envcat
- Issues & Discussions: file bugs, request features, ask questions
- License: MIT