Core Concepts
The varsafe mental model — teams, projects, environments, secrets, context resolution, and how injection works.
Organizational Model
Teams
Teams are the top-level organizational unit. They represent a group of people who collaborate on projects together.
- Teams own projects
- Teams have members with roles — and a user can belong to multiple teams
- Access to secrets flows through team membership
- Billing is managed at the team level
- Teams on the Team plan can configure SSO (SAML 2.0 / OIDC) for domain-based login
Projects
Projects represent applications or repositories that need secrets. Each project has:
- A name (typically matching your repository)
- An owning team
- Multiple environments
- Its own secret history
Environments
Every project has environments for different deployment stages:
| Environment | Purpose | Default Protected |
|---|---|---|
development |
Local development | No |
staging |
Pre-production testing | No |
production |
Live systems | Yes |
You can also create custom environments for specific needs (e.g., qa, demo, feature-x), and protect or unprotect any environment in its settings.
Each environment also has a server-managed keypair used to produce encrypted .env exports — files that only your team can decrypt.
Secrets
Secrets are key-value pairs stored securely:
- Key: starts with an uppercase letter, then uppercase letters, digits, and underscores (e.g.,
DATABASE_URL); up to 255 characters - Value: encrypted, up to 64 KB
- Version: auto-incremented on each change
- History: full change history with rollback capability
CLI-First Architecture
varsafe is designed around the CLI workflow:
The dashboard exists for management tasks (creating teams, inviting members, viewing audit logs) but the primary developer interaction is through the CLI.
Context Management
Most commands need to know which project and environment you mean. The CLI resolves context in this order:
- Explicit flags (
-p,-e) always win - Local
.varsafefile — a small context file in your repository, found by searching from the current directory up to the git root - Global saved context — set with
varsafe use, stored in the CLI’s local database - Auto-selection if only one option exists, or an interactive prompt otherwise
# Set your working context
varsafe use -p my-api -e development
# Now these commands use that context automatically
varsafe list
varsafe run -- npm run dev
varsafe export -o .env
When you run varsafe use inside a git repository, the context is written to a .varsafe file in the repo — teammates and future shells in that repo pick it up automatically. Outside a repository, the context is saved globally.
Override context anytime with flags:
varsafe list -p my-api -e staging
Ephemeral Injection
Secrets are never written to disk by default. Instead, they’re injected directly into your process’s environment:
varsafe run -- npm run dev
This command:
- Authenticates with the varsafe API over TLS
- Fetches secrets for the current context
- Spawns
npm run devwith secrets as environment variables - Secrets exist only in the child process’s environment
When your app terminates, the secrets are gone — no files left behind.
Access Control Model
Access follows this hierarchy:
Six roles exist: owner, admin, developer, operator, viewer, and billing. Owners and admins manage the team and write everywhere; developers write to non-protected environments; operators and viewers are read-only; billing members manage billing without secret access. The full permissions matrix lives in the roles reference.
API Tokens
Token properties:
- Scoped to a specific team
- Prefixed
vs_at_so scanners can recognize them - Separate audit trail (shows as a service account)
- Optional expiration date; revocable at any time
See API tokens for creation and usage.
Version History
Every secret change is tracked. Operation types include:
create— New secrets addedupdate— Secret values changeddelete— Secrets removedrotate— Secret rotated
Rollback
You can roll back an environment to any previous state via the dashboard:
- Go to Secrets → History
- Select the operation to roll back
- Review the preview showing what will change
- Confirm rollback
Audit Trail
Every action is logged. An audit event looks like this (illustrative):
{
"action": "secret.accessed",
"actor": "alice@example.com",
"project": "api-backend",
"environment": "production",
"secretKeys": ["DATABASE_URL", "API_KEY"],
"ip": "192.168.1.100",
"source": "cli",
"timestamp": "2026-02-15T10:30:00Z"
}
Audit logs are:
- Append-only — Events are added, never edited
- Complete — Every action is logged
- Queryable — Filter by team, project, actor, or time range
- Exportable — Download for compliance reviews
Audit retention is plan-gated:
- Developer plan: 7 days
- Team plan: 90 days
Session Management
varsafe uses opaque session tokens for authentication:
- High-entropy tokens generated with secure randomness
- Hashed before storage — the raw token is never stored server-side
- Instantly revocable — no waiting for token expiry
- Session metadata includes IP, user agent, and timestamp
When you revoke a session, it’s immediately invalid everywhere. See the security model for the full picture.
Related Documentation
- CLI Reference — Command details
- Roles — Full permissions matrix
- Dashboard Guide — Full dashboard features
- API Tokens — Service accounts
- MCP Server — AI agent access via Model Context Protocol
- Security Model — Security architecture
- Operations — Operational workflows