Envault is a secure, modern vault application built with Next.js, Supabase, and Tailwind CSS. It provides a robust authentication system and a sleek user interface for storing and managing sensitive information.
- Bank-Grade Security: AES-256-GCM encryption with master/data key hierarchy and automatic key rotation.
- Project Workspaces: Organize secrets into distinct projects for better management.
- Semantic Routing: Clean, GitHub-style URLs (/[username]/[project-slug]) for easy sharing and navigation.
- Team Collaboration: Secure project sharing with strict Role-Based Access Control:
  - Owner: Full administrative control (Rename, Delete, Manage Team).
  - Editor: Active contributor (Read/Write secrets, request to Share).
  - Viewer: Read-only access to variables.
- Secure Authentication: Powered by Supabase Auth for robust user management, including Passkey support for passwordless, biometric login.
- Modern UI/UX: Built with Tailwind CSS, Shadcn UI, and Framer Motion for a premium experience.
- Interactive 3D Elements: High-performance 3D visuals powered by React Three Fiber.
- Keyboard First: Navigate efficiently with fully customizable, conflict-free hotkeys.
- Responsive Design: Fully responsive layout that works seamlessly on desktop and mobile.
- Dark Mode Support: Built-in support for light and dark themes.
- CLI Support: Manage your secrets directly from your terminal, featuring automatic non-blocking background update checks.
- Real-time System Status: Monitor system health, active incidents, and historical uptime with a dedicated status page.
- Dedicated Support Page: Integrated support features directly within the app to help users manage troubleshooting options efficiently.
- Comprehensive Documentation: Integrated docs site with guides, API reference, and CLI documentation.
Envault natively supports the Model Context Protocol (MCP), so AI coding assistants like Claude Desktop, Cursor, and RooCode/Cline can pull and push your secure environments effortlessly.
# Automatically configure your AI clients (Global & Local Workspaces)
envault mcp install
# Or install strictly for the current workspace
envault mcp install --local

macOS & Linux (Universal)
curl -fsSL https://raw.githubusercontent.com/DinanathDash/Envault/main/install.sh | sh

macOS (Homebrew)
brew tap DinanathDash/envault
brew install --formula envault

Homebrew cask installs are deprecated. If you installed via cask, migrate with:
brew uninstall --cask dinanathdash/envault/envault
brew install --formula envault

For more details, check out the CLI Documentation.
Envault local development now uses portless with HTTPS hostnames.
npm install -g portless

To use the Envault CLI with the local development server, set the ENVAULT_CLI_URL environment variable:
export ENVAULT_CLI_URL="https://envault.localhost/api/cli"
envault login

Envault uses a hybrid encryption model to ensure maximum security:
- Master Key: A 32-byte key stored in environment variables, used solely to encrypt/decrypt Data Keys.
- Data Keys: Unique keys for encrypting actual data. These are stored encrypted in the database.
- Key Rotation: Data keys can be rotated. The active key is cached in Redis for high performance without compromising security.
- AES-256-GCM: Industry-standard authenticated encryption for all secrets.
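
The key hierarchy described above, sketched as an added example (not Envault's own code): a master key wraps data keys, data keys encrypt secrets, and rotation re-encrypts a secret under a new data key. The function names, the `iv | tag | ciphertext` blob layout, and the use of the key ID as GCM associated data are assumptions.

```javascript
// Added example, not Envault's implementation. Names and layout are hypothetical.
const crypto = require("node:crypto");

// AES-256-GCM with a fresh 96-bit IV per call; returns iv | tag | ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key, the associated data, or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Constructed 32-byte key standing in for one loaded from the environment.
const masterKey = crypto.randomBytes(32);

// Create a data key; only its wrapped (encrypted) form is kept in the row.
function newDataKey(master, keyId) {
  return { keyId, wrapped: seal(master, crypto.randomBytes(32), keyId) };
}

// Unwrap the data key with the master key, then encrypt the value with it.
function encryptSecret(master, keyRow, value) {
  const dataKey = unseal(master, keyRow.wrapped, keyRow.keyId);
  return { keyId: keyRow.keyId, blob: seal(dataKey, Buffer.from(value), keyRow.keyId) };
}

// Look up the data key the secret was written with, unwrap it, decrypt.
function decryptSecret(master, keyRows, secret) {
  const row = keyRows.find((r) => r.keyId === secret.keyId);
  if (!row) throw new Error("unknown data key " + secret.keyId);
  const dataKey = unseal(master, row.wrapped, row.keyId);
  return unseal(dataKey, secret.blob, secret.keyId).toString();
}

// Rotation: decrypt under the old data key, re-encrypt under the new one.
function rotate(master, keyRows, secret, newRow) {
  return encryptSecret(master, newRow, decryptSecret(master, keyRows, secret));
}
```

Binding the key ID as associated data means a ciphertext moved to a row with a different key ID fails authentication instead of decrypting.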
- Framework: Next.js (App Router)
- Database & Auth: Supabase
- KV Store: Upstash Redis
- Documentation: Fumadocs
- Styling: Tailwind CSS
- UI Components: Shadcn UI / Radix UI
- 3D & Graphics: React Three Fiber / Three.js
- Animations: Framer Motion
- Icons: Lucide React
- State Management: Zustand
- Forms: React Hook Form + Zod
- Notifications: Sonner
- Analytics: Vercel Analytics
Follow these steps to get the project running locally.
- Node.js 18+ installed
- A Supabase project set up
- Clone the repository
git clone https://github.com/dinanathdash/envault.git
cd envault
- Install dependencies
npm install
# or
yarn install
# or
pnpm install
# or
bun install
- Environment Setup
Copy the example environment file:
cp .env.example .env.local
Open .env.local and add your Supabase credentials:
NEXT_PUBLIC_SUPABASE_URL=your-project-url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
# Generate a secure key: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
ENCRYPTION_KEY=your-64-char-hex-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
UPSTASH_REDIS_REST_URL=your-upstash-url
UPSTASH_REDIS_REST_TOKEN=your-upstash-token
# Used for securely signing and verifying frontend API mutations (POST, PUT, DELETE, PATCH)
NEXT_PUBLIC_API_SIGNATURE_SALT=your-secure-random-hmac-secret
- Run the development server
npm run dev
Open https://envault.localhost:1355 with your browser to see the result.
- Test Email Configuration (Optional)
To verify that your Resend API configuration is working, you can send a test email to yourself:
npm run test:email -- your-email@example.com

This repository contains multiple publishable/runtime components. Use this map when cloning and contributing.
| Folder | Purpose | Install | Common Commands |
|---|---|---|---|
| ./ | Main Next.js app | npm install | npm run dev, npm run build, npm run lint, npm run test:all |
| cli-go/ | Go CLI (envault) | go mod download | go test ./..., go build ./... |
| src/lib/sdk/ | npm SDK package (@dinanathdash/envault-sdk) | npm install | npm run typecheck, npm run build |
| mcp-server/ | npm MCP package (@dinanathdash/envault-mcp-server) | npm install | npm run check, npm start |
| cli-wrapper/ | npm wrapper for CLI install/bootstrap | npm install | node install.js |

- Clone and install root dependencies:
git clone https://github.com/dinanathdash/envault.git
cd envault
npm install
- Copy env file and configure required keys:
cp .env.example .env.local
- Install package-local dependencies for publishable subpackages:
cd src/lib/sdk && npm install
cd ../../.. && cd mcp-server && npm install
cd ..
- Validate everything in one pass:
npm run lint
npm run test:all
npm run build

- SDK: @dinanathdash/envault-sdk (source: src/lib/sdk/)
- MCP: @dinanathdash/envault-mcp-server (source: mcp-server/)

- CLI release workflow: .github/workflows/publish.yml
- SDK publish workflow: .github/workflows/publish-sdk.yml
- MCP publish workflow: .github/workflows/publish-mcp.yml

Each package versions independently via semantic-release when changes occur in its own folder:
- CLI tags: v<version>
- SDK tags: sdk-v<version>
- MCP tags: mcp-v<version>

This keeps SDK and MCP release streams decoupled from CLI version bumps.
npm run sdk:check
npm run mcp:check

npm run sdk:publish
npm run mcp:publish

Use these commands so users can quickly verify what version they are on and update safely.
Check installed CLI version:
envault --version
Update via Homebrew formula:
brew update
brew untap dinanathdash/envault || true
brew tap dinanathdash/envault
brew upgrade --formula envault
Check installed and latest SDK versions:
npm ls @dinanathdash/envault-sdk
npm view @dinanathdash/envault-sdk version
Update SDK (preferred via Envault CLI):
envault sdk update
Update SDK (npm fallback):
npm install @dinanathdash/envault-sdk@latest
Runtime behavior:
- SDK prints a warning when a newer SDK version exists.
- SDK blocks execution when it is below the minimum supported version configured by the server.
Check installed MCP version (standalone MCP package installs):
envault-mcp-server --version
Check MCP update availability (standalone MCP package installs):
envault-mcp-server --check-update
Update MCP integration (preferred via Envault CLI):
envault mcp update
Update MCP globally (npm fallback for standalone installs):
npm install -g @dinanathdash/envault-mcp-server@latest

Envault is source-available under the Functional Source License (FSL). You are free to read the code, audit it for security, and self-host it for your own internal use. You are strictly prohibited from using this code to offer a competing commercial service. After 24 months, the license for specific versions automatically converts to the MIT License.
See the LICENSE file for the complete license text.