Environment variables your whole team can trust
Encrypted at rest, pulled anywhere. One place for secrets across every server, cluster, and CI pipeline — with team access control and a full audit log.
# Install
curl -fsSL https://snapenv.io/install.sh | sh

# Authenticate
snapenv login --token snp_live_xxxxxxxxxxxx

# Pull secrets to .env
snapenv pull --env prod
✓ 14 variables written to .env
Everything you need, nothing you don't
Built for teams that take secrets seriously — from a single server to a multi-cluster Kubernetes setup.
Encrypted at rest
Every variable is encrypted with AES-256-GCM before it touches the database. Each project has a unique derived key — a breach of one project exposes nothing else.
Team access control
Workspace roles, project roles, and per-environment permissions. Developers can write to staging but only read production. Every action is in the audit log.
Variable history
Every change is versioned. See who changed what and when, view the old value, and restore any variable to a previous state in one click.
Webhooks
Trigger deploys or Slack alerts when variables change. HMAC-SHA256 signed payloads, per-event filtering, and a delivery log with status codes.
Secret expiry
Set expiry dates on sensitive credentials. SnapEnv emails your team before they expire so rotating API keys and certificates never gets missed.
Audit log
Append-only record of every pull, push, change, and team action. Filter by project, environment, or actor. Required for SOC2 and compliance reviews.
Pull secrets wherever they run
Every method authenticates with an access token. Scoped by environment, project, and permission level.
Pull to any server or shell in seconds.
$ snapenv pull --env prod
✓ 14 variables written to .env
Auto-sync into native Kubernetes Secrets. No init containers.
kubectl apply -f https://get.snapenv.io/operator/install.yaml
Inject secrets into any CI step — no third-party action needed.
- run: |
    curl -fsSL https://snapenv.io/install.sh | sh
    snapenv pull --env prod
Resolve secrets at container start, not at build time.
CMD snapenv pull --env prod && node server.js
Zero plaintext in the database
Every variable value is encrypted before any write hits PostgreSQL. The encryption key is derived per-project using HKDF-SHA256 from a master key that lives only on the API server — never in the database, never in the CLI.
Even if someone exfiltrated the entire database, they would get only AES-256-GCM ciphertext and IVs; without the master key, which lives only on the API server, there is no way to derive the keys.
// Key derived per project, never stored
key = HKDF-SHA256(
  MASTER_KEY,
  salt=projectID,
  info="snapenv-variable-key",
)

// Unique IV per write
ciphertext, iv = AES-256-GCM(key, plaintext)

// Only ciphertext + iv stored in DB
INSERT INTO variables (value_enc, iv, ...)
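The scheme above, written out with Node.js's built-in crypto module as an added example (not SnapEnv's code), showing that a row encrypted for one project is rejected under another project's key. The function names, the sample master key and project IDs, and appending the GCM authentication tag to the ciphertext are assumptions; the page only says that ciphertext and IV are stored.

```javascript
// Added illustration, not SnapEnv's code; names and row layout are assumptions.
const crypto = require("node:crypto");

const INFO = "snapenv-variable-key"; // info string from the page's pseudocode

// HKDF-SHA256 over the master key, salted with the project ID -> AES-256 key.
function deriveProjectKey(masterKey, projectId) {
  return Buffer.from(crypto.hkdfSync("sha256", masterKey, projectId, INFO, 32));
}

// Encrypt one value under a fresh 96-bit IV. The 16-byte GCM tag is appended
// to the ciphertext (assumed layout) so any later modification is detected.
function encryptValue(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, valueEnc: Buffer.concat([body, cipher.getAuthTag()]) };
}

// Decrypt a stored row; throws if the key is wrong or the row was altered.
function decryptValue(key, { iv, valueEnc }) {
  const split = valueEnc.length - 16;
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(valueEnc.subarray(split));
  const body = decipher.update(valueEnc.subarray(0, split));
  return Buffer.concat([body, decipher.final()]).toString("utf8");
}

// True when GCM authentication refuses the row under the given key.
function isRejected(key, row) {
  try {
    decryptValue(key, row);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample data: a fixed demo master key and two project IDs.
const masterKey = Buffer.alloc(32, 7);
const keyA = deriveProjectKey(masterKey, "project-a");
const keyB = deriveProjectKey(masterKey, "project-b");
const row = encryptValue(keyA, "postgres://app:s3cret@db/prod");

console.log("project-a decrypts:", decryptValue(keyA, row));
console.log("project-b key rejected:", isRejected(keyB, row));
```

The stored row must carry the authentication tag as well as the ciphertext and IV; without it, AES-GCM cannot detect a wrong key or a modified value on read.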
Simple, transparent pricing
Start free. Upgrade when you need more. No surprise charges.
- ✓ 3 projects
- ✓ 3 team members
- ✓ 3 environments per project
- ✓ CLI + Kubernetes operator
- ✓ Variable history
- ✓ Webhooks
- ✓ Audit log

- ✓ 20 projects
- ✓ 20 team members
- ✓ 10 environments per project
- ✓ Everything in Free
- ✓ Priority support

- ✓ Unlimited projects
- ✓ Unlimited members
- ✓ Unlimited environments
- ✓ Everything in Pro
- ✓ SSO (coming soon)
- ✓ SLA