EnvVault is a native macOS developer tool that stores every environment variable in the system Keychain — encrypted, organized by project, and never written to a plain text file that could be accidentally committed.
Authenticate once with Touch ID or your Mac login password. Every subsequent reveal reads straight from the Keychain — no repeated prompts. The vault locks automatically the moment you switch to another app.
Organize variables by project and tag each one with Development, Staging, Production, or Custom. Link a shared DATABASE_URL to multiple projects — your API and worker process can both reference the same source of truth.
Point EnvVault at any project folder and it scans for .env, .env.local, .env.development, .env.staging, .env.production, and .env.test. Preview every variable before importing, with duplicates flagged automatically.
Export any selection to a .env file with one click — the save panel defaults to your project folder and pre-fills .env.local. Generate a keys-only .env.example for source control, or copy to clipboard with a 30-second auto-clear.
Compare your variables across environments side-by-side. Instantly see which keys exist in Development but are missing from Production — the most common source of 'works on my machine' bugs.
Spin up new projects fast with built-in templates for Next.js + Supabase, Next.js + Postgres, Django + Postgres, Rails + Postgres, Node.js/Express, and Firebase. Variable names, descriptions, and secret flags pre-populated.
Set a rotation interval on any secret (30, 60, 90, 180, or 365 days). Overdue variables get a red badge in the list, a 'Needs Rotation' filter surfaces everything due, and macOS notifications take you straight to the variable.
Select multiple variables and act on the whole group: copy as a .env block, export to file, link to another project, schedule rotation, or delete with confirmation. Useful for onboarding environments or cleaning up stale secrets.
Native SwiftUI with full support for macOS Sonoma and later. Keyboard-navigable, searchable, Dark Mode ready, and sandboxed for App Store security. No network requests. No telemetry. Your secrets never leave your machine.
Download from the Mac App Store and launch. Touch ID or your login password unlocks the vault for the session — no account required, no cloud sync, nothing to configure.
Point EnvVault at an existing project folder to scan its .env files, or pick a stack template (Next.js + Supabase, Django + Postgres, and more) to start a fresh project with the right variables pre-populated.
Sort variables by project, tag each one with its environment, mark secrets, and set rotation intervals on the ones that matter. Use the Diff View to confirm nothing is missing across Dev, Staging, and Production.
Drop a .env.local into your project folder with one click, generate a keys-only .env.example for source control, or copy a KEY=value block to the clipboard that auto-clears in 30 seconds.
You're juggling four side projects, two client apps, and a day job. Each one has its own .env file scattered across folders, half of them out of date. EnvVault becomes the single source of truth — every secret in the Keychain, organized by project, exportable in one click when you need a .env.local on disk.
Stripe keys, AWS credentials, Postgres passwords — every one of them should rotate on a schedule, but nobody actually tracks it. EnvVault flags overdue secrets in-app and surfaces them through macOS notifications. The 'Needs Rotation' filter is the dashboard you didn't know you needed.
You don't have a secrets manager because you don't have a platform team. The Environment Diff View shows you which keys exist in Development but are missing from Production — before they cause incidents at 2 AM. Stack templates get a new project running in minutes, not hours.
EnvVault stores all secret values exclusively in the macOS Keychain. There is no sign-up, no cloud sync, and no analytics SDK linked into the binary. Your secrets never leave your machine.
The app is sandboxed, uses the keychain-access-groups entitlement for a single service name, and authenticates via LocalAuthentication (Touch ID or password) once per session.
EnvVault is a one-time $9.99 purchase on the Mac App Store. No subscriptions, no upgrades, no upsells. Runs on macOS Sonoma and later.