Secrets manager · CLI-first

Share secrets with your team.
Hide them from your agents.

Klavex holds your team's environment variables in a single encrypted vault and injects them into your shell at runtime. Sync across the team in seconds — and scope what every Cursor, Claude Code, or Copilot session can actually see.

Get started — free See how it works

No credit card required · pip install klavex · macOS, Linux, WSL

~/projects/checkout-api · zsh

klavex pull checkout-api

→ synced from team acme-eng · 3 environments, 12 vars ✓

klavex exec checkout-api/Production -- node server.js

→ injecting 7 secrets into child process ✓

Server listening on :3000

# meanwhile, in your Cursor session…

klavex exec checkout-api/Dev -- npm test

→ actor: cursor (agent) · scope: Dev only ✓

# Production keys? Cursor doesn't even know they exist.

The agent problem

Your .env is a coding-agent buffet.

It might be in .gitignore, but it's still sitting plaintext on your disk — one read_file('.env') tool call away from a model's context window. And sharing it with the team is still a Slack DM.

Today

Agents read everything. Teams sync nothing.

The same .env that lets your dev server boot also feeds every coding agent in your editor — and getting a teammate set up is still a manual copy-paste ritual.

×Agents have full read access. Cursor, Claude Code, and MCP servers can cat your .env any time — there's no way to scope them down.

×Onboarding takes a day. New hire? Ping six people on Slack for the right keys, paste them into a fresh .env, hope nothing's stale.

×Drift between machines. Someone rotates a key. Half the team's local .env is now broken — and nobody knows why CI keeps passing.

×No audit, no revocation. When someone leaves, every key they ever touched is theoretically still on their laptop.

With Klavex

One source of truth. One leash for agents.

The team shares one encrypted vault. The CLI pulls the right secrets into the shell you're running — humans get everything, agents get only what you scope to them.

✓Agents on a leash. Add Cursor as a read-only member, scoped to Dev only. Production stays invisible to it.

✓Team sync in seconds. Invite by email — they pip install klavex, run klavex login, and every project is already there.

✓Rotate once, everywhere. Update a key in the dashboard. Every shell on every machine picks it up on next klavex exec.

✓Audit + instant revoke. Every fetch is logged. Someone leaves? One click, every machine running their token loses access.

How it works

Three commands. Zero .env files.

Install once. Authenticate once. Then every command you'd normally run gets klavex exec in front of it.

STEP 01

Install

One Python package. Works on macOS, Linux, and WSL. The CLI is the only thing that ever talks to the vault.

$ pip install klavex

STEP 02

Authenticate

Browser-based device login binds the CLI to your machine. No long-lived API keys to leak.

$ klavex login # → opens https://klavex.dev/cli/... # ✓ device authorized as alex@team

STEP 03

Run anything

Wrap your dev server, test runner, deploy script — anything. Secrets are injected only into the child process.

$ klavex exec checkout-api/Production \ -- node server.js

For AI coding agents

Bring the agent to the team — without bringing the keys.

Add Cursor, Claude Code, or any agent as a first-class team member with its own scoped token. Read-only by default, locked to specific environments, every fetch logged.

Per-environment scoping — Staging yes, Production no.
Read-only by default. Agents can use secrets, never modify them.
Revoke instantly. One click, every machine running that token loses access.
Audit log records every variables_accessed by actor and time.

checkout-api · team

Alex Helle (you) owner · all environments

OWNER

Cursor agent · read-only

Staging Dev

Claude Code agent · read-only

Dev

Cursor accessed checkout-api/Staging · 46s ago

What's inside

Everything a secrets manager should be.

Built for engineers who ship every day. No proprietary file formats, no agent sprawl, no surprises in the audit log.

Per-team KMS encryption

Envelope-encrypted with AES-256-GCM. A customer master key per team means crypto-shred deletes are real, not promised.

Environments as first class

Production, Staging, Dev — and any custom env you need. Same keys, different values, scoped access per member.

Audit log for everything

Every reveal, every fetch, every membership change — by actor, IP, timestamp. 90-day retention on Team, longer on Enterprise.

One-shot rotation

Rotate a key in the dashboard. Every shell, every CI runner, every agent picks it up on next exec. No redeploys.

Team scoping that fits

Owner / Admin / Editor / Viewer roles, plus per-environment access lists. Invite by email, revoke in a click.

Drop-in for CI & Docker

klavex exec works in GitHub Actions, GitLab CI, and Docker. Or klavex export --format docker if you need a one-shot env file.

Pricing

Free to start. Priced for teams, not seats.

All plans include unlimited projects, environments, and variables — only the seat count and audit retention change.

Solo

$0/forever

For one developer with their own machine. Everything you need to never write a .env again.

1 seat (you)
Unlimited projects, envs, vars
7-day audit retention
Up to 2 agents

Team

$24/mo · billed annually

For small teams sharing secrets across projects. The plan most Klavex customers run on.

10 seats (humans + agents)
Unlimited projects, envs, vars
90-day audit retention
Per-team KMS CMK
Priority email support

Enterprise

$48/mo · billed annually

For larger teams running Klavex across multiple squads or business units.

100 seats (humans + agents)
1-year audit retention
SSO / SAML (coming soon)
IP allowlists per environment
DPA + on-call support

Get started

Your secrets don't belong on disk.

Install in 30 seconds. Migrate your first .env in 5 minutes. Sleep better tonight knowing the agents on your machine don't have a free copy of your AWS keys.