Capy logo

The one command for securing app secrets

Get Early Access
GitHub
Managing secrets should be easy

No more leaked .env files on Slack, juggling multiple KMSs, getting lost in IaC scripts, wrestling with IAM controls, or setting up Vaults. Built for modern development teams who value time and want security that just works.

Seamless Authentication

OAuth, SAML or SSO based authentication grants your team temporary access to your secrets. Credentials self-destruct after a TTL.

.env
NODE_ENV=prod
MY_SECRET_ENV=exposed_key
DATABSE_STRING=db:gone@postgres:5432
3RD_PARTY_KEY=bye_rate_limits
...
Run capy
Capy Authentication
Capy logo
Google
GitHub
Work Email
SSO/SAML
Temporary decrypt key (session or file based)
A7B3F9E2D4C8916F...
Personalized .env (encrypted)
NODE_ENV=capy:7A8E2:m_91Qx_k
MY_SECRET_ENV=capy:B3F9C:ex_45Hy_ey
DATABSE_STRING=capy:D6E1A:db_83Vw_432
3RD_PARTY_KEY=capy:C4B7F:bye_67Jt_its
...
.vault (committed to source control)
NODE_ENV=7A8E2
MY_SECRET_ENV=B3F9C
DATABSE_STRING=D6E1A
3RD_PARTY_KEY=C4B7F
...
Probably the only documentation you'll need

When we say one command, we seriously mean it—capy is all you need to sync, push, and pull variables for a project.

Getting Started

Run
capy
capy

Found 1 new local variable(s):

VariableValue
ACCESS_TOKENa.........en1 (NEW)
? Push all local variables to capy-vault? (y/N)

Managing Access

Run
capy users
capy invite jon@mycompany.com
capy kick lars@mycompany.com
capy users

Found 1 user who has access to this project
(my-secure-project):

UserAdded
me@mycompany.com4 months ago
capy invite jon@mycompany.com

Invite jon@mycompany.com to "my-secure-project"? (y/N)

Syncing

1. Update your .env file
-MY_SECRET_ENV=capy:Q94Zd4:Z04...4aFe
+MY_SECRET_ENV=myverysecuresecret123
2. Run
capy
1 conflict(s) 4 unchanged

Found 1 conflict(s):

VariableLocalRemote
MY_SECRET_ENVmyv...123 (NEW)mys...234
? MY_SECRET_ENV conflict: (Use arrow keys)
❯ Use local value (myv...123)
  Use remote value (mys...234)

Branching

Run
capy -b main
capy -b dev
capy -b my-own-work-in-progress
capy -b dev

Switched to capy branch "dev"

capy reset -b

Reverted back to configured branch "main"

Using

1. Install SDK
npm install capy-sdk
2. Use
1import capy from 'capy-sdk'
2// decrypts on runtime
3capy.init(process.env)
4
5// use as normal
6fn(process.env.MY_SECRET_ENV)

Pricing

Free
1-3 seats
  • AI Agent-compatible SecretOps
  • Access controls for team members and services
  • File-based secrets decryption
  • Zero-trust vault retrieval architecture
  • Secure high-availability HSM storage
  • Encrypted .env files
  • Automated code integration
  • Automated CI/CD integration
Get Early Access
Business
3+ seats
  • All Free Features +
  • Fine-grained access control
  • Session-based secrets decryption
  • Real-time secrets access revocation
  • Personalized and encrypted .env files
  • SOC2 and HIPAA compliant
  • Observability tools
  • SAML/SSO Authentication
Coming Soon
Capy logoBecause sharing .env files is so 2019
Copyright © 2025 by Incentv. All rights reserved. SOC2, HIPAA