Skip to content
envsh

Quick Start

1. Log in

Section titled “1. Log in”
Terminal window
envsh login
# Email: alice@example.com
# Code: 483921   ← check your email for the 6-digit code
# ok: Logged in as alice@example.com
# ok: SSH key registered from /Users/alice/.ssh/id_ed25519.pub

On first login, envsh automatically creates your workspace and registers your SSH public key.

2. Check your setup

Section titled “2. Check your setup”
Terminal window
envsh doctor
#   ok  SSH key at ~/.ssh/id_ed25519.pub
#   ok  Credentials file exists
#   ok  Active session token
#   ok  Server reachable at https://api.envsh.dev
#   ok  SSH key registered on server
#
# ok: All checks passed

3. Create a project

Section titled “3. Create a project”
Terminal window
envsh project create "My API" my-api
# ok: Created project My API (slug: my-api)

4. Push secrets

Section titled “4. Push secrets”
Terminal window
envsh push .env --project my-api --env production
# ok: Pushed v1 → my-api/production

Your .env file is encrypted locally and uploaded as ciphertext.

5. Pull secrets

Section titled “5. Pull secrets”

On another machine (or after cloning a fresh repo):

Terminal window
envsh pull production --project my-api
# ok: Pulled v1 from my-api/production → .env

6. Run with secrets

Section titled “6. Run with secrets”

Inject secrets as environment variables without writing them to disk:

Terminal window
envsh run --project my-api production -- node server.js

The process receives your secrets as env vars. When it exits, they’re gone.

What just happened?

Section titled “What just happened?”

When you pushed:

  1. envsh generated a random AES-256 key
  2. Encrypted your .env with AES-256-GCM
  3. Wrapped the AES key with your SSH public key (and every team member’s key)
  4. Sent only the ciphertext to the server

When you pulled:

  1. Downloaded the ciphertext bundle
  2. Used your SSH private key to unwrap the AES key
  3. Decrypted locally
  4. Wrote .env with 0600 permissions

The server never saw your plaintext. It can’t — it doesn’t have anyone’s private key.

Invited to a team?

Section titled “Invited to a team?”

If someone invited you, log in and switch to their workspace:

Terminal window
envsh login
envsh workspace list
# NAME                   SLUG      ROLE     ID
# you@example.com        you       admin    abc123-...
# Acme Corp              acme      member   def456-...


envsh workspace switch def456-...
# ok: Switched to workspace Acme Corp


envsh pull production --project my-api