Self-hosted team environment variable management with Docker, PostgreSQL, roles, and multi-auth.
The team/server version of EnvCP. Deploy with Docker, manage users and permissions via CLI, connect your AI tools via API.
```bash
git clone https://github.com/fentz26/EnvCP_selfhost.git
cd EnvCP_selfhost
cp .env.example .env   # Edit JWT_SECRET and DB_PASSWORD
docker compose up -d
docker compose exec app node dist/cli/index.js init
```

This starts PostgreSQL + the EnvCP server, runs migrations, and prompts you to create an admin user.

```bash
npm install
npm run build
# Set DATABASE_URL and JWT_SECRET in .env
cp .env.example .env
npx envcp-server init    # Run migrations + create admin
npx envcp-server start   # Start server on port 3456
```

```bash
# Users
envcp-server user list
envcp-server user add <username> --role developer --email user@example.com
envcp-server user remove <username>
envcp-server user deactivate <username>
envcp-server user activate <username>
envcp-server user set-role <username> <role>

# API tokens
envcp-server token create <username> <token-name> --days 90
envcp-server token list <username>
envcp-server token revoke <token-id>

# SSH keys
envcp-server ssh-key add <username> <key-name> --file ~/.ssh/id_ed25519.pub
envcp-server ssh-key list <username>
envcp-server ssh-key remove <key-id>

# IP allow/deny rules
envcp-server ip allow 10.0.0.0/8 --global
envcp-server ip deny 192.168.1.100 --user john
envcp-server ip list
envcp-server ip remove <rule-id>

# Projects
envcp-server project create my-app --owner admin --description "Main app"
envcp-server project list
envcp-server project add-member my-app john --role developer
envcp-server project members my-app

# Variables
envcp-server var set my-app API_KEY "sk-..." --description "OpenAI key"
envcp-server var list my-app
envcp-server var get my-app API_KEY --unmask
envcp-server var delete my-app API_KEY

# Audit log
envcp-server audit --project my-app --limit 50

# Roles
envcp-server role list
```

| Role | manage_users | manage_roles | manage_projects | read_vars | write_vars | delete_vars | execute | export | view_audit |
|---|---|---|---|---|---|---|---|---|---|
| admin | x | x | x | x | x | x | x | x | x |
| manager | x | x | x | x | x | x | x | ||
| developer | x | x | x | x | |||||
| readonly | x |
Project members can have a role override that applies only within that project.
All API requests require one of:
- Bearer JWT - Obtained via `POST /api/auth/login`
- API Token - `Authorization: Bearer envcp_<token>`
- Basic Auth - `Authorization: Basic <base64(user:pass)>`

```bash
# Login
curl -X POST http://localhost:3456/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "secret"}'

# Use token
curl http://localhost:3456/api/projects \
  -H "Authorization: Bearer <jwt-token>"
```

```
POST /api/auth/login - Login (returns JWT)
GET /api/users - List users (admin)
POST /api/users - Create user (admin)
GET /api/projects - List projects
POST /api/projects - Create project
GET /api/projects/:id/variables - List variables
GET /api/projects/:id/variables/:name - Get variable
POST /api/projects/:id/variables - Set variable
PUT /api/projects/:id/variables/:name - Update variable
DELETE /api/projects/:id/variables/:name - Delete variable
GET /api/roles - List roles
GET /api/audit - View audit log
GET /health - Health check
```

- AES-256-GCM encryption for all stored values
- PBKDF2-SHA512 key derivation (100,000 iterations)
- bcrypt password hashing (cost factor 12)
- JWT session tokens with configurable expiry
- IP allowlist/denylist (global and per-user)
- Full audit logging of all operations
- Per-project role-based access control
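
As an added example (not EnvCP's own code), this shows how a value can be encrypted at rest with the two primitives named in the list above, AES-256-GCM and PBKDF2-SHA512 at 100,000 iterations. The salt and nonce sizes, the record layout, and binding a `project/NAME` string as associated data are assumptions, not details from the project.

```javascript
// Added example, not EnvCP's code. Sizes, record layout and AAD use are assumptions.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // PBKDF2-SHA512 iteration count from the feature list
const KEY_LEN = 32;        // 256-bit key for AES-256-GCM
const SALT_LEN = 16;       // assumption: per-record random salt
const IV_LEN = 12;         // assumption: 96-bit nonce, the standard GCM size
const TAG_LEN = 16;        // full-length GCM authentication tag

function deriveKey(secret, salt) {
  return nodeCrypto.pbkdf2Sync(secret, salt, ITERATIONS, KEY_LEN, 'sha512');
}

// Returns base64(salt || iv || tag || ciphertext).
// `context` (for example "my-app/API_KEY") is authenticated as associated data,
// so a ciphertext copied onto another variable's row fails to decrypt.
function encryptValue(secret, plaintext, context) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptValue(secret, record, context) {
  const buf = Buffer.from(record, 'base64');
  const head = SALT_LEN + IV_LEN + TAG_LEN;
  if (buf.length < head) throw new Error('record too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, head);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(secret, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the key, tag, ciphertext or associated data does not match.
  const pt = Buffer.concat([decipher.update(buf.subarray(head)), decipher.final()]);
  return pt.toString('utf8');
}
```

Because the salt and nonce are random per record, encrypting the same value twice yields different records, and any modification to a stored record is rejected at decryption rather than returning altered plaintext.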
MIT