v4.1 — GitHub permissions = your env ACL

Stop Slacking your secrets.

Share .env files using the access list you already have — your GitHub repo collaborators. Revoke a teammate, they lose env access. Done.

$ curl -fsSL https://boltenv.dev/install.sh | sh
~/acme-app
$ boltenv push
Encrypting 12 variables (AES-256-GCM)...
✓ .env → acme/api:production v4
⚡ Encryption key stored on boltenv
No key sharing needed.
$ # on a teammate’s laptop —
$ boltenv pull
Loaded encryption key from boltenv...
✓ .env ← acme/api:production

Three commands. That's it.

No dashboards. No config files. No infrastructure. Just your terminal.

1. Login with GitHub

One-time setup. GitHub OAuth Device Flow — no passwords, no new accounts.

$ boltenv login
✓ Logged in as anasahmad

2. Push your .env

Encrypted locally with AES-256-GCM. Server stores ciphertext + your wrapped key.

$ boltenv push
⚡ .env → acme/api:production v1 — key stored on boltenv

3. Teammates pull

Server checks GitHub repo permissions, releases the wrapped key. No key paste, no Slack.

$ boltenv pull
✓ .env ← acme/api:production (12 vars)

Built for developers. Not enterprise dashboards.

access

GitHub permissions = your ACL

Server checks GitHub repo write access on every push and pull. Remove a teammate from the repo, they immediately lose env access.

git

Branch-aware sync

Auto-maps branches to environments. Configurable in .boltenv.yaml with wildcard patterns like release/*.

collab

Three-way merge

Concurrent pushes get auto-merged when keys don't collide. Real conflicts get git-style markers your editor already understands.

infra

Works everywhere

Local dev, Docker, CI/CD, headless VPS. Set BOLTENV_TOKEN to any GitHub PAT and the same flow works in any pipeline.

security

AES-256-GCM encryption

Encrypted on your machine with HKDF-SHA256-derived keys. Server stores ciphertext + a wrapped copy of your key (KMS-encrypted at rest).

audit

Version history

Every push is a versioned snapshot. Roll back with --revision N. 50 per environment, free forever.

Compare

How it stacks up.

Setup time

boltenv: 60 seconds
dotenv: Hours
Vault: Hours

Access control

boltenv: GitHub permissions
dotenv: Manual
Vault: Custom ACL

Encryption

boltenv: AES-256-GCM (client-side)
dotenv: None
Vault: Server-side

Conflict resolution

boltenv: Three-way merge
dotenv: None
Vault: Last-write-wins

Versioning

boltenv: 50 per env
dotenv: None
Vault: Varies

Infrastructure

boltenv: Zero
dotenv: Zero
Vault: Self-host or SaaS

Team sync

boltenv: One command
dotenv: Copy-paste
Vault: Dashboard

CI/CD

boltenv: GitHub PAT only
dotenv: Manual .env
Vault: API token

Free for small teams. Pay when you grow.

No credit card required. Start with the free tier and upgrade when your team needs more.

Free

$0 forever

For indie devs and small side projects.

  • Up to 3 users
  • 5 repos
  • 10 versions per environment
  • AES-256-GCM encryption
  • GitHub auth
  • Multi-file sync
  • Branch-based environments
Most popular

Team

$8 per user / month

For teams that ship together. $24/mo minimum.

  • Unlimited users
  • Unlimited repos
  • 50 versions per environment
  • Unlimited pushes & pulls
  • TTL-based expiration
  • Audit log
  • Priority support
  • $6/user on annual billing

Questions.

On every push and pull, the server calls GET /repos/{repo} with your GitHub token and reads permissions.push. If you don't have write access, the request is rejected before any data moves. Add a teammate to the GitHub repo, they can pull. Remove them, they can't.
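A fail-closed version of the permission gate described above, as an added example that is not boltenv's server code. The function names, the repo-name format check and the `full_name` comparison (which rejects a response for a different repository, for example after a rename redirect) are assumptions of this sketch.

```javascript
// Added example, not boltenv's code. hasPushAccess and authorize are
// hypothetical names; the endpoint and permissions.push come from the page.

// Decide from the status and JSON body of GET /repos/{repo}.
// Anything other than an explicit boolean `true` is a denial.
function hasPushAccess(requestedRepo, status, body) {
  if (status !== 200 || body === null || typeof body !== 'object') return false;
  // The response must describe the repository that was asked for.
  if (typeof body.full_name !== 'string' ||
      body.full_name.toLowerCase() !== requestedRepo.toLowerCase()) return false;
  // `permissions` is absent when the token is missing or not accepted.
  return body.permissions != null && body.permissions.push === true;
}

// Performs the lookup with the caller's own token so GitHub evaluates that
// user's access. Network or parse errors deny rather than allow.
async function authorize(requestedRepo, token, fetchImpl = fetch) {
  if (!/^[\w.-]+\/[\w.-]+$/.test(requestedRepo)) return false;
  try {
    const res = await fetchImpl(`https://api.github.com/repos/${requestedRepo}`, {
      headers: {
        Authorization: `Bearer ${token}`,
        Accept: 'application/vnd.github+json',
      },
    });
    return hasPushAccess(requestedRepo, res.status, await res.json());
  } catch {
    return false;
  }
}
```

A collaborator with read-only access gets `permissions.pull` without `permissions.push`, so this gate denies them.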

By default, the master key is encrypted on the server with a KMS-style wrapping key (BOLTENV_KEY_WRAPPER) and gated by GitHub repo permission. Teammates pull → server unwraps → key arrives over TLS, no manual sharing. Run with --client-key-only if you want the key to never leave your machine.

AES-256-GCM with HKDF-SHA256 key derivation, 12-byte random IV per push, 16-byte auth tag. Same primitives as Signal, 1Password, AWS Secrets Manager. Encryption happens on YOUR machine — the server only ever sees ciphertext.
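The key-wrapping and encryption answers above, worked through with Node's built-in crypto as an added example (not boltenv's code). The blob layout, the HKDF salt and info labels, the use of the `repo:environment` string as associated data, and all function names are assumptions.

```javascript
// Added example, not boltenv's code. Blob layout (iv || tag || ciphertext),
// HKDF salt/info labels and all function names are assumptions.
const crypto = require('node:crypto');
const IV_LEN = 12, TAG_LEN = 16; // sizes stated on the page

function deriveKey(material, salt, info) {
  return Buffer.from(crypto.hkdfSync('sha256', material, salt, info, 32));
}

// AES-256-GCM with a fresh random IV; `aad` binds the blob to its scope.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(IV_LEN);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws when key, scope, IV, tag or ciphertext do not match.
function open(key, blob, aad) {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, IV_LEN),
    { authTagLength: TAG_LEN });
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(IV_LEN, IV_LEN + TAG_LEN));
  return Buffer.concat([d.update(blob.subarray(IV_LEN + TAG_LEN)), d.final()]);
}

// Client: encrypt the .env under a key derived from the master key.
function encryptEnv(masterKey, envText, scope) {
  const salt = crypto.randomBytes(16);
  const dataKey = deriveKey(masterKey, salt, 'env-data');
  return { salt, ciphertext: seal(dataKey, Buffer.from(envText), scope) };
}

// Server: wrap the master key under the wrapping key before storing it.
function wrapKey(wrapperKey, masterKey, scope) {
  return seal(wrapperKey, masterKey, 'wrap:' + scope);
}

// Anyone holding the stored record and the wrapping key recovers the .env.
function recover(wrapperKey, record, wrappedKey, scope) {
  const masterKey = open(wrapperKey, wrappedKey, 'wrap:' + scope);
  const dataKey = deriveKey(masterKey, record.salt, 'env-data');
  return open(dataKey, record.ciphertext, scope).toString();
}
```

`recover` needs only the stored record, the wrapped key and the wrapping key, which is the full-server-compromise case the page lists among its threat-model limits.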

boltenv runs a three-way merge against the common ancestor. Keys touched on only one side auto-merge. Keys with real conflicts get git-style <<<<<<< === >>>>>>> markers in your .env file — VS Code, Cursor, and JetBrains all recognize them natively. Resolve in your editor and run 'boltenv push --continue'.
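A key-level three-way merge of `.env` contents following the rules in the answer above, as an added example that is not boltenv's implementation. `parseEnv`, `mergeEnv`, `assertPushable` and the `ours`/`theirs` marker labels are assumptions, and output keys are sorted rather than kept in file order.

```javascript
// Added example, not boltenv's code. parseEnv, mergeEnv and the "ours"/"theirs"
// marker labels are assumptions; output keys are sorted for simplicity.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq <= 0) continue;
    vars.set(line.slice(0, eq).trim(), line.slice(eq + 1));
  }
  return vars;
}

// base = common ancestor, ours = local .env, theirs = latest pushed version.
// A key missing from a Map reads as undefined, which stands for "deleted".
function mergeEnv(baseText, oursText, theirsText) {
  const [base, ours, theirs] = [baseText, oursText, theirsText].map(parseEnv);
  const keys = [...new Set([...base.keys(), ...ours.keys(), ...theirs.keys()])].sort();
  const out = [];
  const conflicts = [];
  const line = (k, v) => (v === undefined ? [] : [`${k}=${v}`]);
  for (const k of keys) {
    const b = base.get(k), o = ours.get(k), t = theirs.get(k);
    if (o === t) out.push(...line(k, o));        // both sides agree
    else if (o === b) out.push(...line(k, t));   // only theirs touched it
    else if (t === b) out.push(...line(k, o));   // only ours touched it
    else {                                       // both touched it differently
      conflicts.push(k);
      out.push('<<<<<<< ours', ...line(k, o), '=======', ...line(k, t), '>>>>>>> theirs');
    }
  }
  return { text: out.join('\n') + '\n', conflicts };
}

// Gate for the push path: report key names only, never the secret values.
function assertPushable(result) {
  if (result.conflicts.length > 0) {
    throw new Error('unresolved conflicts in: ' + result.conflicts.join(', '));
  }
  return result.text;
}
```

Refusing to push while `conflicts` is non-empty keeps a file that still contains markers from becoming the next stored version.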

Yes. Set BOLTENV_TOKEN to any GitHub PAT (or secrets.GITHUB_TOKEN in Actions) with repo scope. Set BOLTENV_REPO if there's no .git in the runner. The server checks the token's repo permission and releases the key — same flow as your laptop.

boltenv reads your current git branch and maps it to an environment. Defaults: main → production, staging → staging, develop → development. Customize with wildcard patterns in .boltenv.yaml (e.g., release/* → staging) or override with --env.

Your local key cache at ~/.boltenv/keys/ is gone, but the server has it. Login on a new machine, run 'boltenv pull', and the key auto-fetches. If you used --client-key-only, you'll need a teammate to re-export their copy of the key.

Not today. Cloud-only. If you need on-prem secrets management, use HashiCorp Vault or Infisical (which both self-host). boltenv is built for small teams who want managed simplicity without the Doppler price tag.

Full server compromise (attacker with both database and BOLTENV_KEY_WRAPPER env var would be able to decrypt stored keys), supply-chain attacks against the npm package, and malicious-but-authorized teammates. See SECURITY.md for the full breakdown.

free tier · no credit card · setup in 60s

Ready when you are.

$ curl -fsSL https://boltenv.dev/install.sh | sh