varsafe
Secure secrets management for developers and teams. CLI-first, encrypted at rest and in transit, AI agent ready via MCP.
varsafe keeps your application secrets out of plaintext files and injects them into your processes at runtime. One CLI command replaces scattered .env files across machines, teammates, and CI.

Quick start
# Install
curl -fsSL https://varsafe.dev/install.sh | bash
# Log in once
varsafe login
# Inject secrets and run your app — nothing is written to disk
varsafe run -- npm run dev
# Or export an encrypted .env when a file is required
varsafe export -o .env
What you get
CLI-first workflow
Inject secrets directly into your process environment — no files on disk. Export encrypted .env files when a file is required.
Encrypted storage
Secrets are encrypted at rest (vault + KMS) and in transit (TLS), and injected only into the child process environment at runtime.
Audit trail
Every access is recorded in an append-only audit trail. Know who accessed what, when, and from where.
Version history & rollback
Every change is tracked. Preview diffs and roll back to any previous state.
SSO & passwordless
SAML 2.0, OIDC, passkeys, 2FA, and device trust.
AI agents via MCP
Connect Claude Code, Cursor, and other tools with scoped access and a full audit trail.
Next steps
- Getting started — from zero to injected secrets in five minutes.
- Core concepts — teams, projects, environments, and secrets.
- CLI reference — every command and flag.