Like git, built for secrets.
Install · Quickstart · Documentation · Changelog · Issues
Capy is a secrets toolchain with git-style primitives — branch, sync, deploy, revoke — end-to-end encrypted on your machine and fully revocable for humans and agents. Your .env becomes versioned state your team can commit, roll back, and offboard without rotating a single key.
→ Compare Capy to Doppler, Infisical, dotenvx, AWS Secrets Manager, and SOPS.
Capy in its most basic form is just a CLI: no lengthy signup, account setup, or SDK to import.
```sh
npm install -g @capysc/cli
```

Or with Bun:

```sh
bun add -g @capysc/cli
```

Or with Homebrew:

```sh
brew install capysc/tap/capy
```

```sh
capy                             # sync secrets
capy edit                        # inspect & edit secrets in a TUI
capy invite rachael@tyrell.com   # add a teammate
capy kick roy@tyrell.com         # remove a teammate
capy run -- npm run dev          # run with decrypted secrets
capy deploy                      # ship to prod
```

That's the whole loop. Edit a secret, run capy, see this guy, redeploy.
- We hold ciphertext. You hold keys. A subpoena gets us nothing. Our service stores membership records and ciphertext. We don't hold your master key, your project keys, or any plaintext. Compromise of our service OR your local values yields nothing useful.
- Revocation is cryptographic, not a database flag. `capy kick` makes the kicked user's local `key.enc` cryptographically inert. Remaining members keep using the same keys; no rotation cascade.
- Your code stays vanilla `process.env`. No SDK to import, no daemon to run, no dashboard to maintain. `capy run` injects decrypted values into Node, Python, Go, Ruby, or any process that reads env vars.
- Branches that match git. Capy runs alongside git with its own branches and a committed `keep.lock` manifest. Each git branch pins to a Capy branch, so secrets travel with your code.
- Source-available CLI. AGPL-3.0. Code is auditable on GitHub. (What AGPL means for your team in practice.)
Capy is a zero-trust secrets manager: we start by encrypting your .env on your machine. The encrypted secrets then sync to our service, and your team decrypts them on their own machines. We never see plaintext at any point.
Decryption is a two-party operation: our service strips the outer wrap of your key.enc, your machine strips the inner. Neither side has both keys.
For the full threat model, see docs.capy.sc/internals/zero-trust. For the cryptographic constructions, see docs.capy.sc/internals/cryptography.
Most secrets managers encrypt at rest on their servers. Capy is one of the few that encrypts at source. Every value in your .env is ciphertext on your machine before any of it crosses the wire, making Capy a uniquely zero-trust, end-to-end secrets control system built for humans and agents alike.
Each value becomes a `capy:{resourceId}:{ciphertext}` snippet that only your team can decrypt; the resource id around the ciphertext is just enough for you to tell the entries apart. Plaintext only exists in process memory while `capy run` has your app spawned.
Two ways to change a value. Both end up encrypted and synced — pick whichever fits the moment.
Open .env in your editor and overwrite a capy:... snippet with the new plaintext value. The next capy sync re-encrypts whatever changed and updates keep.lock.
Good when you're already in your editor, pasting a new key from a dashboard, or scripting a bulk change.
capy edit opens an interactive table of every variable on the current branch with sync status, drift, and conflicts visible at a glance. Reveal a value with r, edit with e, navigate with ↑↓, quit with q.
Good when you want to see drift across the whole branch, edit one variable without touching the file, or check what's in sync before a deploy.
| Command | Description |
|---|---|
| `capy` | Sync secrets. Initializes on first run. |
| `capy run -- <cmd>` | Run a command with decrypted secrets injected. |
| `capy edit` | Inspect and edit secrets in an interactive TUI. |
| `capy status` | Show drift between local, pinned, and remote. |
| `capy push` | Push local changes without pulling. |
| `capy lock` | Lock the local key so the passphrase is required next time. |
| `capy deploy` | Generate a deploy token and walk through platform setup. |
| `capy connect <provider>` | Pull a credential from a provider into .env. |
| `capy rotate [var]` | Rotate a managed credential. |
| `capy invite <email>` | Invite a teammate. |
| `capy redeem <code>` | Redeem an invite code. |
| `capy transport` | Move your account to another machine. |
| `capy kick <email>` | Remove a teammate. |
| `capy users` | Interactive member management. |
| `capy org` | List or switch organizations. |
| `capy branch` | List or switch branches. |
| `capy checkout <branch>` | Switch branches. `-b` to create. |
| `capy grant-branch` | Grant access to a protected branch. |
| `capy revoke-branch` | Revoke branch access. |
| `capy recover` | Restore access from your recovery phrase. |
| `capy end-recover` | End a recovery session. |
| `capy decrypt` | Decrypt secrets offline (owner only). |
| `capy use <profile>` | Switch between configured profiles. |
| `capy profile` | Manage CLI profiles. |
| `capy byoc [url]` | Connect to a self-hosted Capy instance. |
| `capy info` | Show current session info. |
| `capy logout` | Clear local session. |
| `capy cleanup` | Remove git hooks and local state. |
capy is a three-way diff between your local .env, the last pinned snapshot in keep.lock, and the latest on the service. Conflicts open an interactive resolver. See docs.capy.sc/using/syncing-secrets.
capy run -- <cmd> decrypts .env in memory and spawns your command with the values set as environment variables. Works in any runtime that reads env vars. See docs.capy.sc/using/running-your-app.
capy deploy walks through Vercel, Cloudflare, Docker, Fly, Railway, Render, Heroku, GitHub Actions, and AWS Lambda. See docs.capy.sc/using/deploying.
capy invite <email> to add a teammate; capy kick <email> to remove one. Invite codes travel out-of-band; kicks are O(1) with no key rotation. See docs.capy.sc/using/team/inviting.
Capy is a version control system for secrets that runs alongside git. You commit code, you sync secrets. Both have branches, both have a committed manifest (.git/, keep.lock), both pull and push to a remote. The difference: git's remote sees your code, Capy's remote only sees ciphertext.
A Capy branch is to your secrets what a git branch is to your code: a parallel state with its own values and its own access list. Switching branches changes which values capy run injects. As an example setup, you might keep a development branch open to every member while gating a production branch to only admins.
Because Capy branches are independent of git branches, each git branch pins to a Capy branch via the committed keep.lock file. Branch names are yours to choose, just like in git: a common pattern is sharing one shared dev branch across feature work and pinning release-* git branches to a separate staging or production branch.
For the full state model and protected-branch role enforcement, see docs.capy.sc/using/branches/overview.
What is zero trust?
Zero-trust is a cryptographic property: an attacker who fully compromises our service still can't decrypt your secrets, because every decryption requires a key share that lives only on your machine. Capy isn't asking you to trust us; the architecture ensures that compromising our service alone yields only ciphertext.
What if I lose my seed phrase?
If you're the org owner and you lose the seed phrase with no other device holding key.enc, you lose access to that org. Capy can't help; it's zero-trust by design, so recovery would require us to hold something we intentionally don't. Back the seed phrase up when it's shown (password manager, physical note in a safe).
How do I migrate from plain dotenv?
Run capy in a project that already has a .env. On first run, Capy treats your .env as authoritative, encrypts every value, uploads the ciphertext, and rewrites .env in place with capy:... snippets. A backup of your original .env is written to .env.pre-capy.old (gitignored).
Does it work offline?
The first sync needs network for authentication and key co-decrypt, but after that, capy run works offline against the local cache at ~/.capy/. You can develop on a plane; you just can't pick up changes other teammates pushed.
How fast does `capy kick` propagate?
Immediately. On the kicked user's next request, the service refuses to strip the outer wrap; their key.enc becomes cryptographically inert on disk. The master key never rotates because remaining members can keep using it.
Does this meet SOC 2 / GDPR requirements?
SOC 2 audit is in progress. GDPR-compliant. Trust posture and ongoing reports at trust.capy.sc.
What does Capy cost?
Free for individuals and small teams. Paid plans for orgs that need higher quotas, more projects, or more members.
Does it support SSO?
Yes. Configure your identity provider (Okta, Azure AD, Google Workspace, etc.) when creating your organization and your team authenticates via the same provider as the rest of your stack.
Can I self-host?
Not currently. The service component is closed. If self-hosting matters for your compliance posture, get in touch.
What if capy.sc goes down?
capy run keeps working from the local cache, so your running apps don't break. New syncs pause until the service comes back.
Does it work in CI?
Yes. capy deploy generates SECRETS_BLOB and PROJECT_KEY to set as CI env vars; capy run in your build/test step does the rest. See the GitHub Actions guide at docs.capy.sc/using/deploying/github-actions.
Capy ships with five runtime dependencies. Each is a load-bearing piece of the CLI; nothing is included for convenience or to save a few lines of code. A small dependency footprint keeps the supply-chain attack surface tight.
| Dependency | Purpose | Status |
|---|---|---|
| commander | CLI argument parsing | ✓ no known vulnerabilities |
| dotenv | .env file parsing | ✓ no known vulnerabilities |
| inquirer | Interactive prompts | ✓ no known vulnerabilities |
| open | OAuth browser launch | ✓ no known vulnerabilities |
| proper-lockfile | Atomic file locking | ✓ no known vulnerabilities |
Live audit status and the full transitive dep tree: github.com/capysc/capy-cli/network/dependencies.
Dependabot keeps dependencies current — see .github/dependabot.yml. It opens weekly PRs for npm and github-actions, with dev dependencies grouped into a single PR per ecosystem.
Don't file public GitHub issues or discussions for security vulnerabilities. Those channels are public.
Capy takes security issues seriously. If you've found a vulnerability, email security@capy.sc with a description and ideally a way to reproduce it. We'll respond as soon as possible.
This address is for undisclosed vulnerabilities only. Please report security problems to us before disclosing them publicly.
You can fork this repo and create pull requests:
github.com/capysc/capy-cli - bugs and discussions
AGPL-3.0-only. Copyright © Incentv Technologies Inc.
See LICENSE for the full text. For what AGPL means for your team in practice — when it imposes obligations and when it doesn't — see docs.capy.sc/using/license.