Troubleshooting
“not logged in — run: envsh login”
Section titled ““not logged in — run: envsh login””Your credentials are missing or expired. Run:
envsh loginAccess tokens expire in 24 hours (auto-refreshed). Refresh tokens expire in 30 days — after that, log in again.
”UNAUTHORIZED: access revoked”
Section titled “”UNAUTHORIZED: access revoked””You were removed from this workspace. Your JWT is still valid but access has been revoked.
# See which workspaces you belong toenvsh workspace list
# Switch to your own workspace (or another one you're a member of)envsh workspace switch WORKSPACE_ID”decrypting: no recipient entry for this key”
Section titled “”decrypting: no recipient entry for this key””Your key fingerprint is not in the recipients list. This happens when:
- You or your machine were added after the secret was last pushed
- You’re using a different SSH key than the one registered
- (CI/CD) The machine was created but nobody re-pushed to include the machine’s key
Fix:
# Check which keys are registeredenvsh keys list
# Register your key if it's not thereenvsh keys add
# Have someone push again to include your key as a recipientenvsh pull production --project my-api --key ~/.ssh/id_ed25519_oldenvsh push .env --project my-api --env production“decrypting: checksum mismatch”
Section titled ““decrypting: checksum mismatch””The ciphertext was corrupted. This should not happen under normal operation. If you see this, file an issue.
”project X not found”
Section titled “”project X not found””The slug doesn’t match any project in your workspace:
envsh project list“file too large: max 1MB”
Section titled ““file too large: max 1MB””Your .env file exceeds 1 MB. envsh is designed for key-value pairs, not large files.
”CONFLICT: version conflict”
Section titled “”CONFLICT: version conflict””Someone pushed after you last pulled:
envsh pull production --project my-api # get latest# merge your changes into .envenvsh push .env --project my-api --env productionRate limits (429)
Section titled “Rate limits (429)”| Endpoint | Limit |
|---|---|
/auth/email-login | 5/min per IP |
/auth/email-verify | 10/min per IP |
| All other endpoints | 100/min per IP |
Wait 60 seconds and retry.
Machine auth fails with 403
Section titled “Machine auth fails with 403”error: FORBIDDEN: machine is revokedThe machine was revoked. Create a new one:
envsh machine create new-deploy-prod --project my-api --env production# Update ENVSH_MACHINE_KEY in your CI/CD system# Then re-push to include the new machine as a recipientenvsh push .env --project my-api --env productionMachine “no recipient entry” in CI/CD
Section titled “Machine “no recipient entry” in CI/CD”The machine was created but nobody re-pushed secrets to include it as a recipient. On your local machine:
envsh pull production --project my-apienvsh push .env --project my-api --env production --message "include machine key"SSH key has a passphrase
Section titled “SSH key has a passphrase”envsh will prompt for the passphrase. To avoid repeated prompts, add your key to ssh-agent:
ssh-add ~/.ssh/id_ed25519envsh doctor checks
Section titled “envsh doctor checks”Run envsh doctor to diagnose issues. It checks:
- SSH key exists at
~/.ssh/id_ed25519.pub - Credentials file exists
- Active session token is valid
- Server is reachable
- SSH key is registered on the server
Each failing check shows a hint with the fix.