User Guide

Welcome to the env.cat user guide! This section covers everything you need to know about using env.cat to manage and deliver environment variables securely.

Core Concepts

Keys

Keys are individual environment variables stored in your key library. Each key has:

Name (e.g., DATABASE_URL, API_KEY)
Value (encrypted at-rest)
Type (secret or non-secret)
Description (optional)

Keys are reusable - you can attach the same key to multiple bundles. When you update a key's value, the change propagates to all bundles using that key.

Learn more about keys →

Bundles

Bundles are named collections of keys (e.g., dev/api, prod/database). They help you organize environment variables by:

Project (frontend, backend, mobile)
Environment (dev, staging, prod)
Purpose (database, api-keys, feature-flags)

Learn more about bundles →

Approval Flow

The approval flow is the heart of env.cat's zero-trust design:

CLI requests secrets (generates ephemeral keypair)
Server stores request (no secrets yet)
User approves in browser (selects which keys to share)
Server encrypts to CLI's public key (end-to-end encryption)
CLI decrypts and injects into shell

Learn more about approval flow →

Getting Started

Create your account at https://env.cat.

Sign-up guide →

2. Add Keys

Add environment variables to your key library:

Manual entry - Create keys one by one
Vendor gallery - Use pre-built templates (PostgreSQL, Stripe, OpenAI, etc.)
Import - Upload from .env or JSON files

Keys guide →

3. Create Bundles

Organize keys into bundles:

Create a bundle (e.g., dev/api)
Attach keys from your library
Reorder keys (optional)

Bundles guide →

4. Request via CLI

Install the CLI and request secrets:

curl -fsSL https://env.cat/cli/install.sh | sh
envcat get --bundle dev/api --api-base https://env.cat

CLI reference →

5. Approve & Inject

Approve the request in your browser, then inject into your shell:

eval "$(envcat get --bundle dev/api --api-base https://env.cat)"

Approval flow guide →

Advanced Topics

Try It Out (Terminal Drawer)

Test the approval flow directly from the bundle page without leaving your browser.

Try it out guide →

Vendor Gallery

Browse pre-built key templates for popular services (databases, payment processors, AI APIs, etc.).

Keys guide →

Multi-Tenancy

Organize work across multiple teams or projects with tenants.

Multi-tenancy guide →

Security

Encryption

At-rest: All key values encrypted with AES-256-GCM
In-transit: HTTPS (TLS 1.3)
End-to-end: CLI approval uses NaCl sealed boxes

Security model →

Zero-Trust

The server never sees plaintext values during approval. Only your CLI can decrypt secrets.

Threat model →

Need Help?

Quick Start - 5-minute setup
Troubleshooting - Common issues
GitHub Discussions - Community help
API Reference - Technical docs

Core Concepts​

Keys​

Bundles​

Approval Flow​

Getting Started​

1. Sign Up​

2. Add Keys​

3. Create Bundles​

4. Request via CLI​

5. Approve & Inject​

Advanced Topics​

Try It Out (Terminal Drawer)​

Vendor Gallery​

Multi-Tenancy​

Security​

Encryption​

Zero-Trust​

Need Help?​