Push & Pull
Push encrypts a .env file and uploads the ciphertext.
envsh push .env --project my-api --env production# ok: Pushed v1 → my-api/productionWith a message
Section titled “With a message”envsh push .env --project my-api --env production --message "rotate DB password"# ok: Pushed v2 → my-api/productionWhat --env means
Section titled “What --env means”Environment names are arbitrary strings. Use whatever your team uses:
envsh push .env --project my-api --env devenvsh push .env --project my-api --env stagingenvsh push .env --project my-api --env productionenvsh push .env --project my-api --env preview-pr-42Environments are created implicitly on first push. No setup needed.
File size limit
Section titled “File size limit”.env files must be under 1 MB. envsh is designed for key-value pairs, not large binary files.
Conflict detection
Section titled “Conflict detection”If two team members push at the same time:
envsh push .env --project my-api --env production# error: CONFLICT: version conflict: base_version mismatch# hint: pull the latest version first, merge your changes, then push againPull the latest, merge your changes, push again.
Pull downloads and decrypts the latest secrets for an environment.
envsh pull production --project my-api# ok: Pulled v2 from my-api/production → .envThe output file is created with 0600 permissions (owner-read only).
To a specific file
Section titled “To a specific file”envsh pull production --project my-api --output .env.productionTo stdout
Section titled “To stdout”envsh pull production --project my-api --stdout# DATABASE_URL=postgres://...# SECRET_KEY=abc123Export format
Section titled “Export format”envsh pull production --project my-api --stdout --format export# export DATABASE_URL=postgres://...# export SECRET_KEY=abc123
# Source directly:source <(envsh pull production --project my-api --stdout --format export)JSON format
Section titled “JSON format”envsh pull production --project my-api --stdout --format json# {"DATABASE_URL": "postgres://...", "SECRET_KEY": "abc123"}With a different SSH key
Section titled “With a different SSH key”envsh pull production --project my-api --key ~/.ssh/id_ed25519_work