Lightweight web + CLI secrets manager for small teams. Share .env files between machines, inject secrets at runtime without ever writing them to disk, and stop pinging teammates for the new Stripe key.
gethandoff.dev · Docs · Pricing
- Zero-knowledge. Every secret is encrypted in your browser or CLI before it touches our servers (XChaCha20-Poly1305 with X25519 sealed-box wrapping and Argon2id passphrase derivation). We literally cannot read your data.
- CLI-first.
handoff runinjects env vars into your process at startup; no.envsits on disk for a straygit addor DockerCOPY .to leak. - Version history so you can roll back a bad rotation.
- Priced for teams, not procurement. $20/mo for up to 10 seats.
See /security for the threat model and what zero-knowledge does and does not get you.
# Standalone binary (no Node/Bun required)
curl -fsSL https://raw.githubusercontent.com/jtljrdn/handoff-env/main/install.sh | sh
# Or via npm
npm i -g handoff-env # bun add -g handoff-env / pnpm add -g handoff-env
# Or run on demand, no install
npx handoff-env loginThe binary on your $PATH is handoff in every case.
See packages/cli/README.md for full install details, including pinned versions and standalone Windows/Linux/macOS binaries.
handoff login # browser auth, one time
handoff init # link this repo to a project
handoff push # upload .env
handoff run -- npm start # run your app with secrets injected| Command | What it does |
|---|---|
handoff login [--token <t>] |
Sign in via browser, or paste a token for CI. |
handoff logout |
Clear the saved token. |
handoff whoami |
Print signed-in user, org, and plan. |
handoff init |
Link the current repo to a project; writes .handoff/config.json. |
handoff pull [-e env] [-o path] |
Download an environment to a .env.<env> file. |
handoff push [-e env] [-f path] [-y] |
Upload a .env file (with diff preview). |
handoff diff [-e env] [-f path] |
Show local-vs-remote differences without writing. |
handoff run [-e env] [-p slug] [--token …] -- <cmd> … |
Recommended. Inject env vars into a subprocess at runtime. |
- Introduction · what Handoff is and why
- Installation · all install channels
- Your first project · 5-minute walkthrough
- CLI reference
- CI/CD integration guides: GitHub Actions · VPS with systemd · Docker · Kubernetes · Serverless
- API tokens
apps/web/ TanStack Start app (marketing, dashboard, API, docs)
packages/cli/ The `handoff` CLI (published to npm as handoff-env)
packages/api/ Shared HTTP client used by the CLI
packages/types/ Shared Zod schemas / TS types
bun install
bun --filter web dev # web app at http://localhost:3000
bun --filter handoff-env dev --help # run the CLI from sourceSee packages/cli/README.md for release workflow and binary-compile scripts.
MIT