Environment Vault
Store, organize, and manage environment variables per project. All values are end-to-end encrypted — encrypted in your browser before they reach the server, and decrypted only on your device. See Encryption & Security for details.
You’ll need to enter your vault password to view or edit encrypted values. The vault locks automatically after 30 minutes of inactivity.
Vaults
A vault is a named container for environment variables and secret files inside a project. Name it however fits your repo — api-prod, api-dev, worker, eu-west-1, etc. — and organize by service, region, deployment target, or a single flat namespace if you prefer.
| Field | Required | Description |
|---|---|---|
| Name | Yes | Unique within the project. |
| Directory path | No | Where depvault pull writes .env and .secrets/ for this vault. |
| Tags | No | Freeform labels. Blessed tags (prod, staging, dev, preview) get colored chips. Use tags to filter pulls (depvault pull --tag prod). |
Creating a Vault
Open the Vault tab, click New Vault, and fill in the name, optional directory path, and any tags. Tag suggestions autocomplete from tags already used on the same project.
Duplicating a Vault
Open the vault’s menu → Duplicate. This creates a full copy of the vault — same keys, values, descriptions, required flags, directory path, and tags. Secret files are not copied. Useful for bootstrapping a new environment (e.g., duplicate api-prod → api-staging) when you want a working baseline to edit down from.
Managing Variables
Adding a Variable
Select a vault, click Add Variable, and fill in:
| Field | Required | Description |
|---|---|---|
| Key | Yes | Variable name (e.g., DATABASE_URL). Must be unique within the vault. |
| Value | Yes | Encrypted immediately upon save. |
| Description | No | What this variable is for. |
| Required for Local Setup | No | Counted by the vault’s “N of M required filled” progress indicator and included in .env.example. |
Editing and Deleting
Click a variable row to edit. Each save creates a new version automatically. To delete, click the delete icon and confirm — deletion is permanent.
Required-Filled Progress
Each vault card shows N of M required filled with a progress bar. Variables flagged Required for Local Setup count toward M; variables with a non-empty encrypted value count toward N. Clone-created blanks start at 0 of M; the bar turns green when all required keys have values.
Role-Based Access
| Role | View keys | Decrypt values | Edit variables |
|---|---|---|---|
| Owner / Editor | Yes | Yes | Yes |
| Viewer | Yes | No | No |
Version History
Every value update creates a version entry with the previous value, timestamp, and author. Open a variable’s History tab to browse versions. Click Rollback on any version to restore it as the current value.
Bulk Import and Export
Supported Formats
.env, appsettings.json, secrets.yaml, config.toml
Web UI
Use the Import and Export buttons in the Vault tab. On import, review parsed key-value pairs and choose to skip or overwrite existing keys.
CLI
```bash
# Pull every vault in the project
depvault pull
# Pull specific vaults by name
depvault pull --vault api-prod,web-prod
# Pull vaults matching a tag (intersection for comma-separated tags)
depvault pull --tag prod
# Push a file into a specific vault
depvault push --vault api-prod --file .env
```
Pull Flags
| Flag | Description | Default |
|---|---|---|
| --vault | Comma-separated vault names. Prompts interactively when omitted. | Interactive |
| --tag | Comma-separated tags; matches vaults carrying all listed tags. | — |
| --format | env, appsettings.json, secrets.yaml, config.toml. | env |
| --output-dir | Base directory for written files. | Repo root |
| --include-secrets | Also download secret files. | true |
| --force | Skip overwrite confirmation. | false |
Push Flags
| Flag | Description | Default |
|---|---|---|
| --vault | Target vault name. Creates the vault if it doesn’t exist. | Auto-matched from directory |
| --file | Path to the file to import. Auto-discovers env files when omitted. | Interactive |
| --create-missing | Auto-create suggested vaults in non-interactive mode. | false |
| --no-sync | Skip removing stale variables not present in the pushed file. | false |
Without --vault, push matches files to vaults by directory path or blessed tag inferred from the filename (.env.production → prod tag). If no match exists, interactive mode prompts to create a new vault.
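Because push removes stale variables unless --no-sync is given, a key-level diff before pushing shows which variables would disappear. The script below is an added example, not DepVault code; it assumes a previously pulled copy of the file (saved under the hypothetical name .env.pulled) reflects the vault's current keys, and it compares key names only.

```bash
# Added example, not DepVault code. Compares .env keys only; values are never printed.
# Assumption: a previously pulled .env reflects the keys currently in the vault.

# Emit every variable name defined in a .env-style file, one per line.
# Comments and blank lines are skipped; a leading "export " is accepted.
env_keys() {
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1"
}

# Keys present in the pulled file ($1) but absent from the file to push ($2).
stale_keys() {
  _old=$(mktemp) && _new=$(mktemp) || return 1
  env_keys "$1" | LC_ALL=C sort -u > "$_old"
  env_keys "$2" | LC_ALL=C sort -u > "$_new"
  LC_ALL=C comm -23 "$_old" "$_new"
  rm -f "$_old" "$_new"
}

# Keys defined more than once in one file (keys must be unique within a vault).
duplicate_keys() {
  env_keys "$1" | LC_ALL=C sort | uniq -d
}

# Constructed sample input: a pulled baseline and an edited file about to be pushed.
make_samples() {
  cat > "$1/.env.pulled" <<'EOF'
# constructed sample
DATABASE_URL=postgres://example.invalid/app
REDIS_URL=redis://example.invalid:6379
export SESSION_SECRET=constructed-value
EOF
  cat > "$1/.env" <<'EOF'
DATABASE_URL=postgres://example.invalid/app
LOG_LEVEL=debug
LOG_LEVEL=info
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Would be removed without --no-sync:"; stale_keys "$demo_dir/.env.pulled" "$demo_dir/.env"
echo "Duplicate keys:"; duplicate_keys "$demo_dir/.env"
rm -rf "$demo_dir"
```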
List Variables
```bash
depvault env list --vault-id <id>
```
Values are masked by default. Use --output json for full decrypted values (use with caution).
Generate .env.example
Click Generate .env.example in the Vault tab to create a file with keys and placeholders — no real secrets. Variables flagged as Required for Local Setup are included automatically. Safe to commit to version control.