Secure, Versioned Environment Variable Management for Teams.
EnvHub helps you manage secrets across projects, services, and environments with a Git-like workflow. It includes a beautiful web dashboard and a powerful CLI.
- Secure Storage: Secrets are encrypted at rest using Fernet (AES-128).
- Version History: Track every change (who changed what, when, and why).
- Organization-Ready: Gate access to your GitHub Organization (`ALLOWED_ORGS`).
- Cross-Platform CLI: Python-based CLI for Windows, Mac, and Linux.
- Serverless: Built on Next.js and Vercel Blob (No database required).
You can deploy your own private instance of EnvHub in minutes.
- A GitHub Account (or Organization).
- A Vercel Account.
Clone this repository and deploy it to Vercel.

```bash
git clone https://github.com/Harivelu0/EnvHub.git
cd EnvHub
vercel deploy
```

To ensure your instance is 100% Secure and private to your organization, you must set these variables in Vercel:

| Variable | Description |
|---|---|
| `GITHUB_ID` | Required. Create a New OAuth App on GitHub. This allows users to "Login with GitHub". |
| `GITHUB_SECRET` | Required. The secret key from your GitHub OAuth App. |
| `ALLOWED_ORGS` | CRITICAL. Comma-separated list of GitHub Organizations (e.g., `MyCompany,OpenAI`). Security Guarantee: Only users who are public members of these organizations can log in. Everyone else is rejected. |
| `ALLOWED_USERS` | (Optional) Restrict access to specific GitHub handles (e.g., `octocat`). |

| Variable | Description |
|---|---|
| `BLOB_READ_WRITE_TOKEN` | Required. Go to Vercel Storage -> Create Database -> Blob. Copy the Read/Write Token. This is where your secrets live. |
| `ENVHUB_MASTER_KEY` | Required. Run the Python command found in `.env.example` to generate this. Encryption: All variables are encrypted before they are saved. |

| Variable | Value |
|---|---|
| `NEXTAUTH_SECRET` | A random string (run `openssl rand -base64 32`). |
| `NEXTAUTH_URL` | Your Vercel deployment URL (e.g., `https://envhub-mycompany.vercel.app`). |
| `NEXT_PUBLIC_ENABLE_DEMO_MODE` | Set to `false` (default). Only set to `true` for public demos (Sandboxed). |

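
A pre-deployment check for the variables listed above, as an added example (not part of EnvHub or its CLI). It assumes `ENVHUB_MASTER_KEY` is a standard Fernet key and treats a `NEXTAUTH_SECRET` shorter than the output of `openssl rand -base64 32` as a finding; `audit_env` and the sample values are hypothetical.

```python
import base64
import re
from urllib.parse import urlparse

REQUIRED = ("GITHUB_ID", "GITHUB_SECRET", "BLOB_READ_WRITE_TOKEN",
            "ENVHUB_MASTER_KEY", "NEXTAUTH_SECRET", "NEXTAUTH_URL")
# A Fernet key is padded URL-safe base64 of exactly 32 bytes: 43 characters plus "=".
FERNET_KEY = re.compile(r"[A-Za-z0-9_-]{43}=")


def audit_env(env):
    """Return a list of findings for a dict of EnvHub deployment variables."""
    findings = [f"{name}: missing or empty" for name in REQUIRED
                if not env.get(name, "").strip()]
    orgs = [o.strip() for o in env.get("ALLOWED_ORGS", "").split(",")]
    if not any(orgs):
        findings.append("ALLOWED_ORGS: no organization listed")
    elif not all(orgs):
        findings.append("ALLOWED_ORGS: empty entry (stray comma)")
    key, secret = env.get("ENVHUB_MASTER_KEY", ""), env.get("NEXTAUTH_SECRET", "")
    if key and not FERNET_KEY.fullmatch(key):
        findings.append("ENVHUB_MASTER_KEY: not a 32-byte URL-safe base64 key")
    if secret and len(secret) < 44:
        findings.append("NEXTAUTH_SECRET: shorter than `openssl rand -base64 32` output")
    if key and key == secret:
        findings.append("NEXTAUTH_SECRET: same value as ENVHUB_MASTER_KEY")
    url = env.get("NEXTAUTH_URL", "")
    if url and (urlparse(url).scheme != "https" or not urlparse(url).hostname):
        findings.append("NEXTAUTH_URL: not an https:// URL with a host")
    if env.get("NEXT_PUBLIC_ENABLE_DEMO_MODE", "").strip().lower() == "true":
        findings.append("NEXT_PUBLIC_ENABLE_DEMO_MODE: demo mode is enabled")
    return findings


# Constructed sample values, not real credentials; the all-zero key is for the demo only.
GOOD = {
    "GITHUB_ID": "example-client-id", "GITHUB_SECRET": "example-client-secret",
    "ALLOWED_ORGS": "MyCompany", "BLOB_READ_WRITE_TOKEN": "example-blob-token",
    "ENVHUB_MASTER_KEY": base64.urlsafe_b64encode(bytes(32)).decode(),
    "NEXTAUTH_SECRET": base64.b64encode(bytes(range(32))).decode(),
    "NEXTAUTH_URL": "https://envhub-mycompany.vercel.app",
}
BAD = {**GOOD, "ALLOWED_ORGS": " , ", "ENVHUB_MASTER_KEY": "hunter2",
       "NEXTAUTH_URL": "http://envhub-mycompany.vercel.app",
       "NEXT_PUBLIC_ENABLE_DEMO_MODE": "True"}

if __name__ == "__main__":
    for finding in audit_env(BAD) or ["no findings"]:
        print(finding)
```
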
After deploying your app to Vercel, you must update your GitHub OAuth App to recognize the new production domain.
- Go to GitHub Developer Settings.
- Select the OAuth App you created in Step 3.
- Update Homepage URL:
  - Set to your Vercel URL (e.g., `https://your-project.vercel.app`).
- Update Authorization Callback URL:
  - Set to `https://your-project.vercel.app/api/auth/callback/github`.
- Click Update Application.
After deploying, configure your local CLI to point to your new instance:

```bash
# 1. Initialize
envhub init --api-url https://your-project.vercel.app/api
# 2. Login
envhub login
```

Upload your local `.env` file to the prod app.

```bash
envhub push -p <project> -s <service> -e <env> -r "Reason"
# Example:
envhub push -p demo-project -s backend -e prod -r "Added API keys"
```

Fetch variables. By default, it prints to console (great for piping). Use `-o` to save to file.

```bash
# Save to .env
envhub pull -p demo-project -s backend -e prod -o .env
# Pipe to Docker or other tools
envhub pull -p demo-project -s backend -e prod | grep DATABASE_URL
```

See a full audit trail of who changed what.

```bash
envhub history -p demo-project -s backend -e prod
```

We take security seriously. Here is how EnvHub protects your infrastructure:
- Zero-Knowledge Architecture: You own the infrastructure. You deploy it to your Vercel account, using your database. We (the creators) have zero access to your data.
- Encryption at Rest: We use Fernet (AES-128) symmetric encryption. Secrets are encrypted before writing to storage.
- Strict Isolation: By setting `ALLOWED_ORGS`, you enforce a hardware-level gate. If a user is not in your GitHub Org, they cannot even see the dashboard.
- Audit Logs: Every change is versioned and attributed to a GitHub User Handle. You always know who changed `DATABASE_URL` and when.
MIT
Created By Haripriya Veluchamy