New: inject secrets at runtime — no .env file needed

Secrets management
from your terminal.

Stop sharing .env files over Slack. Encrypted storage, role-based access, and CLI-first workflow for teams that live in the terminal.

bash — envpilot

$ npm install -g @envpilot/cli man envpilot

// features

Built for the command line

encrypt

envpilot encrypt --algorithm aes-256-gcm

End-to-End Encryption

AES-256 encryption at rest via WorkOS Vault. Zero-knowledge architecture — we never see your secrets.

acl

envpilot acl --role admin,lead,member

Role-Based Access

Three-tier RBAC with per-variable permissions. Members request access; leads and admins approve.

audit

envpilot audit --format json --days 90

Audit Logging

40+ event types with IP, user agent, and location. Filter, search, and export for SOC 2 compliance.

run

envpilot run -- bun dev

Runtime Injection

Inject secrets directly into any process with envpilot run. No .env file written, nothing to leak. Fingerprint-gated cache keeps startup near-instant.

sync

envpilot sync --target vscode

VS Code Extension

Real-time WebSocket sync. Multi-directory linking. Automatic file cleanup on access revocation.

dashboard

envpilot dashboard --view projects

Web Dashboard

Manage projects, variables, team members, and audit logs. Approve requests. Export compliance reports.

// workflow

From zero to running in four commands

bash — setup

[01]

$ npm install -g @envpilot/cli

added 1 package in 2.3s

[02]

$ envpilot login

✓ Authenticated as dev@company.com

[03]

$ envpilot init

✓ Linked to project: backend-api (staging)

[04]

$ envpilot run -- bun dev

✓ Injected 47 variables from backend-api/staging

// demo

No .env file. Ever.

before — .env (shared via Slack)

# DON'T COMMIT THIS!

DATABASE_URL=postgres://admin:p@ssw0rd@prod.db:5432

API_SECRET=sk_live_4eC39HqLyjWDarj

AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG

Leaked in #general 3 months ago

after — envpilot run -- bun dev

# No .env file. Secrets injected at runtime.

$ envpilot run -- bun dev

✓ Injected 12 vars from backend/staging ⚡ cache (4s ago)

DATABASE_URL → decrypted inline

API_SECRET → decrypted inline

Never written to disk. Gone when process exits.

// platform

Three surfaces, one vault

Terminal, IDE, or browser — your secrets stay encrypted and in sync everywhere.

cli

CLI Tool

$ envpilot login

$ envpilot init

$ envpilot run -- bun dev

$ envpilot pull --env production

$ envpilot push --dry-run

$ envpilot switch staging

12 commands. Runtime injection. Browser-based SSO. CI/CD ready.

vscode

VS Code Extension

> Envpilot: Sign In

> Envpilot: Link Project

> Envpilot: Pull Variables

> Envpilot: Add Directory

> Envpilot: Select Environments

> Envpilot: Request Variable

Real-time WebSocket sync. Multi-directory. Auto-cleanup on revoke.

dashboard

Web Dashboard

/ Projects & Environments

/ Variables & Secrets

/ Team & Permissions

/ Audit Logs & Exports

/ Version History & Rollback

/ Settings & Integrations

Full management UI. Approve requests. Compliance exports.

// pricing

Simple, transparent pricing

bash — get started

# Ready to secure your secrets?

$ npm install -g @envpilot/cli

$ envpilot login

$ envpilot init

Project initialized. Welcome aboard.

Start Free Read the Docs

New: inject secrets at runtime — no .env file needed

Secrets management
from your terminal.

Stop sharing .env files over Slack. Encrypted storage, role-based access, and CLI-first workflow for teams that live in the terminal.

bash — envpilot

$ npm install -g @envpilot/cli man envpilot

// features

Built for the command line

encrypt

envpilot encrypt --algorithm aes-256-gcm

End-to-End Encryption

AES-256 encryption at rest via WorkOS Vault. Zero-knowledge architecture — we never see your secrets.

acl

envpilot acl --role admin,lead,member

Role-Based Access

Three-tier RBAC with per-variable permissions. Members request access; leads and admins approve.

audit

envpilot audit --format json --days 90

Audit Logging

40+ event types with IP, user agent, and location. Filter, search, and export for SOC 2 compliance.

run

envpilot run -- bun dev

Runtime Injection

Inject secrets directly into any process with envpilot run. No .env file written, nothing to leak. Fingerprint-gated cache keeps startup near-instant.

sync

envpilot sync --target vscode

VS Code Extension

Real-time WebSocket sync. Multi-directory linking. Automatic file cleanup on access revocation.

dashboard

envpilot dashboard --view projects

Web Dashboard

Manage projects, variables, team members, and audit logs. Approve requests. Export compliance reports.

// workflow

From zero to running in four commands

bash — setup

[01]

$ npm install -g @envpilot/cli

added 1 package in 2.3s

[02]

$ envpilot login

✓ Authenticated as dev@company.com

[03]

$ envpilot init

✓ Linked to project: backend-api (staging)

[04]

$ envpilot run -- bun dev

✓ Injected 47 variables from backend-api/staging

// demo

No .env file. Ever.

before — .env (shared via Slack)

# DON'T COMMIT THIS!

DATABASE_URL=postgres://admin:p@ssw0rd@prod.db:5432

API_SECRET=sk_live_4eC39HqLyjWDarj

AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG

Leaked in #general 3 months ago

after — envpilot run -- bun dev

# No .env file. Secrets injected at runtime.

$ envpilot run -- bun dev

✓ Injected 12 vars from backend/staging ⚡ cache (4s ago)

DATABASE_URL → decrypted inline

API_SECRET → decrypted inline

Never written to disk. Gone when process exits.

// platform

Three surfaces, one vault

Terminal, IDE, or browser — your secrets stay encrypted and in sync everywhere.

cli

CLI Tool

$ envpilot login

$ envpilot init

$ envpilot run -- bun dev

$ envpilot pull --env production

$ envpilot push --dry-run

$ envpilot switch staging

12 commands. Runtime injection. Browser-based SSO. CI/CD ready.

vscode

VS Code Extension

> Envpilot: Sign In

> Envpilot: Link Project

> Envpilot: Pull Variables

> Envpilot: Add Directory

> Envpilot: Select Environments

> Envpilot: Request Variable

Real-time WebSocket sync. Multi-directory. Auto-cleanup on revoke.

dashboard

Web Dashboard

/ Projects & Environments

/ Variables & Secrets

/ Team & Permissions

/ Audit Logs & Exports

/ Version History & Rollback

/ Settings & Integrations

Full management UI. Approve requests. Compliance exports.

// pricing

Simple, transparent pricing

bash — get started

# Ready to secure your secrets?

$ npm install -g @envpilot/cli

$ envpilot login

$ envpilot init

Project initialized. Welcome aboard.

Start Free Read the Docs

Secrets managementfrom your terminal.

Built for the command line

From zero to running in four commands

No .env file. Ever.

Three surfaces, one vault

Simple, transparent pricing

Secrets managementfrom your terminal.

Built for the command line

From zero to running in four commands

No .env file. Ever.

Three surfaces, one vault

Simple, transparent pricing

Secrets management
from your terminal.

Secrets management
from your terminal.