Your secure foundation for effortless secrets management
Centralize, secure, and sync all your application secrets effortlessly. Manage team access, integrate via CLI & GitHub, and accelerate your deployments with confidence.
Secrets Management, Simplified
Shelve provides the secure, central platform you need for effortless secrets management. Bring all your API keys, tokens, and environment variables into one organized dashboard. Sync them seamlessly across stages using our powerful CLI and GitHub integration, ensuring your team always has the right configuration.
npx nypm add -D @shelve/cli
Envelope encryption, per project
Every variable is encrypted with a per-project Data Encryption Key (DEK), and each DEK is itself sealed by a platform-wide Key Encryption Key (KEK). A leaked DEK limits the blast radius to a single project, and rotating keys never touches your application code.
Diagram: the platform KEK wraps each per-project DEK; the DEK produces the ciphertext stored in variables.encryptedValue.
Scoped, expiring API tokens
Stop shipping over-privileged tokens. Create tokens scoped to specific teams, projects, environments, or permissions, with optional expiry and IP allowlists. Tokens are shown once, stored hashed, and every use lands in the audit log.
Example token card: ci-deploy, created 2h ago, shv_01JB7FA2TX•••••••••••••••• (secret part masked); scope: variable:read, variable:write, audit:read; expires in 7 days; IP allowlist: 10.0.0.0/8.
Audit everything that matters
Team changes, project writes, variable edits, token creations — every security-relevant action is captured with actor, IP, user agent, and resource context. Query the feed via API, filter by action, and build your own alerting on top.
Audit log (/api/teams/shelve/audit-logs):
- 12s ago: variable.update · owner · production/STRIPE_SECRET_KEY
- 2m ago: token.create · owner · ci-deploy
- 14m ago: variable.delete · admin · preview/LEGACY_FLAG
- 1h ago: team.member.invite · owner · teammate@example.com
- 3h ago: project.create · admin · web-platform
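"Build your own alerting on top" in practice, as an added example that is not part of Shelve: three detection rules run over a constructed audit feed shaped like the entries above. The JSON field names are an assumption (the page says only that entries carry actor, IP, user agent and resource context), and the sample entries are made up for this example.

```javascript
// Added example: alerting rules over a Shelve-style audit feed. Not Shelve's code.
// The feed below is constructed for this example; the field names are assumed.
const SAMPLE_FEED = [
  { ts: '2025-01-01T09:00:00Z', action: 'project.create',     actor: 'admin', ip: '10.2.3.4',    userAgent: 'Mozilla/5.0', resource: 'web-platform' },
  { ts: '2025-01-01T10:00:00Z', action: 'team.member.invite', actor: 'owner', ip: '10.2.3.5',    userAgent: 'Mozilla/5.0', resource: 'teammate@example.com' },
  { ts: '2025-01-01T11:00:00Z', action: 'variable.delete',    actor: 'admin', ip: '10.2.3.4',    userAgent: 'Mozilla/5.0', resource: 'preview/LEGACY_FLAG' },
  { ts: '2025-01-01T11:30:00Z', action: 'token.create',       actor: 'owner', ip: '203.0.113.9', userAgent: 'curl/8.4',    resource: 'ci-deploy' },
  { ts: '2025-01-01T11:31:00Z', action: 'variable.update',    actor: 'owner', ip: '10.2.3.5',    userAgent: 'shelve-cli',  resource: 'production/STRIPE_SECRET_KEY' },
  { ts: '2025-01-01T11:40:00Z', action: 'variable.update',    actor: 'admin', ip: '10.2.3.4',    userAgent: 'shelve-cli',  resource: 'preview/FLAG_A' },
  { ts: '2025-01-01T11:40:20Z', action: 'variable.update',    actor: 'admin', ip: '10.2.3.4',    userAgent: 'shelve-cli',  resource: 'preview/FLAG_B' },
  { ts: '2025-01-01T11:40:45Z', action: 'variable.update',    actor: 'admin', ip: '10.2.3.4',    userAgent: 'shelve-cli',  resource: 'preview/FLAG_C' },
];

const WRITE_ACTIONS = new Set(['variable.update', 'variable.delete']);
const context = (e) => ({ ts: e.ts, actor: e.actor, ip: e.ip, resource: e.resource });

// Walk the feed in time order and return the alerts the three rules raise.
function detect(feed, { burstCount = 3, burstWindowMs = 60_000 } = {}) {
  const alerts = [];
  const knownIps = new Map();      // actor -> IPs seen earlier in the feed (the baseline)
  const recentWrites = new Map();  // actor -> timestamps (ms) of writes inside the burst window
  const ordered = [...feed].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  for (const e of ordered) {
    const t = Date.parse(e.ts);
    const isWrite = WRITE_ACTIONS.has(e.action);

    // Rule 1: any write to a production variable gets a ticket, whoever did it.
    if (isWrite && e.resource.startsWith('production/')) {
      alerts.push({ rule: 'production-write', ...context(e) });
    }

    // Rule 2: a token minted from an IP this actor has never been seen on.
    // The first sighting of an actor only builds the baseline and does not alert.
    const ips = knownIps.get(e.actor) ?? new Set();
    if (e.action === 'token.create' && ips.size > 0 && !ips.has(e.ip)) {
      alerts.push({ rule: 'token-from-new-ip', ...context(e) });
    }
    ips.add(e.ip);
    knownIps.set(e.actor, ips);

    // Rule 3: burstCount writes by one actor inside burstWindowMs (scripted mass change).
    // Fires once when the threshold is reached, not on every write after it.
    if (isWrite) {
      const hits = (recentWrites.get(e.actor) ?? []).filter((x) => t - x < burstWindowMs);
      hits.push(t);
      recentWrites.set(e.actor, hits);
      if (hits.length === burstCount) {
        alerts.push({ rule: 'write-burst', ...context(e), count: burstCount });
      }
    }
  }
  return alerts;
}
```

On the sample feed this raises three alerts: the CI token created from 203.0.113.9 (owner had only ever been seen on 10.2.3.5), the write to production/STRIPE_SECRET_KEY, and admin's three preview writes within 45 seconds. The single earlier admin delete at 11:00 does not count toward the burst because it falls outside the 60-second window.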
Safe with your AI coding agent
Shelve treats AI agents as first-class citizens. `shelve init` provisions `.cursorignore`, `.aiderignore`, `.codeiumignore`, and more so your coding agent never reads a raw `.env` file. Tokens live in the OS keychain. Runtime injection keeps secrets in memory only.
AI agent (Cursor · Claude · Aider) sees the project through .cursorignore; hidden from the agent: .env, .env.local, .env.production, .shelve/
Ensure Environment Parity
Stop runtime errors caused by missing variables. Shelve detects inconsistencies across your environments instantly.
Parity matrix: STRIPE_SECRET_KEY, NUXT_PUBLIC_API_URL and GITHUB_APP_ID checked across Development, feat/418 and Production.
Keep GitHub Secrets Synced, Effortlessly
Connect your Shelve projects to GitHub repositories via our official GitHub App. Automatically keep your GitHub Actions secrets and repository secrets perfectly synchronized with your single source of truth in Shelve, eliminating manual updates.
Command Everything
Hit Cmd+K (or Ctrl+K) to unlock Shelve's command center. Instantly search, navigate, and execute actions across your entire workspace—from switching projects to managing secrets. The ultimate shortcut to peak productivity.
Frequently Asked Questions
Find answers to common questions about Shelve. If you don't see your question here, feel free to reach out.
Is Shelve free to use?
Shelve is open source and free to self-host. The hosted instance at app.shelve.cloud is currently free to use, and every security feature on this page (envelope encryption, scoped tokens, audit logs, and agent-safe ignore files) ships in the open-source core.

How are secrets encrypted?
Shelve uses a two-tier envelope encryption scheme. Each variable is sealed with a per-project Data Encryption Key (DEK) using AES-256-GCM, and the DEK itself is sealed with a platform-wide Key Encryption Key (KEK). A leaked DEK compromises one project, not the whole instance. Plaintext never lands in the database. Read the full model on the Encryption page.

How are API tokens protected?
Tokens are generated from a Crockford-base32 alphabet, displayed once, then stored as a SHA-256 hash alongside a short non-secret prefix used for audit display. You can scope tokens to specific teams, projects, environments, and permissions, set an expiry, and restrict them to an IP allowlist. Details on the Tokens page.

Is Shelve safe to use with an AI coding agent?
Yes, by design. shelve init writes .cursorignore, .aiderignore, .codeiumignore, and others so your agent never reads .env files or the local cache. Use shelve run to inject variables into the spawned process memory with zero disk writes. CLI tokens live in the OS keychain (Keychain, Credential Vault, libsecret), not a plaintext dotfile.

What is audited?
Every security-relevant action (team, project, variable, token, member) is logged with actor, IP, user agent, and resource context. Query the feed via the filterable /api/teams/:slug/audit-logs endpoint or through the dashboard. See Audit logs.

Can I self-host Shelve?
Absolutely. Shelve is designed for flexibility, including self-hosting. You can deploy your own instance using Vercel, and more providers are coming soon. You own the KEK, the database, and the audit trail end-to-end.

Does Shelve integrate with CI/CD?
Yes. Native synchronization with GitHub Secrets is available today, and shelve run injects variables into any CI, container, or process without writing a .env file. More integrations are actively in development.

Is Shelve production-ready?
Yes. Shelve is actively used and trusted in production by developers and teams. The core platform is stable, covered by an e2e test suite, and every release follows a changeset-based version bump.

How do I get help or contribute?
Open an issue on GitHub or reach out via email at contact@shelve.cloud. Contributions are welcome; see the Contributing guide to get started.
Streamline your workflow this afternoon
Imagine your workflow, just smoother and more secure. That’s the developer experience Shelve is built to deliver.