Early AccessMeowPass is in public beta. All features free during early access.Join the community →
CLI-first secret management
Early Access

Stop copy-pasting
.env files.

MeowPass keeps your team's .env files in sync. One command to pull the right secrets for any project, environment, or teammate. E2E encrypted. Open source.

$brew install meowrithm/tap/meowpass
Quick Start GuideView Pricing
Free forever tier Open source 2-min setup
Built for developers who ship fast

Open source. Zero-knowledge. Works with your stack.

E2E Encrypted
Zero-knowledge. We can't read your secrets.
CLI-First
mp init → mp pull → done
Team Sync
One vault, every developer
Open Source
Audit every line of encryption

Integrates with

Claude CodeCursorWindsurfHomebrewnpmAWSVercelNetlifyDocker
.meowpass.yaml

One file connects your repo to its secrets

mp init creates a .meowpass.yaml file in your project root. Commit it to git. It contains no secrets — just a pointer to your vault.

  • Safe to commit — no secrets, no keys
  • CLI auto-detects vault per repo
  • Teammates clone → mp pull → done
  • Supports multiple environments
.meowpass.yamlsafe to commit
# MeowPass project config
version: 1
vault: e96920be-91e7-466e-...
default_env: default

Three steps to synced secrets

Set up once. Every teammate pulls automatically.

1

Import your .env

mp init

Scans .env files, encrypts each as a separate environment, writes .meowpass.yaml (safe to commit).

2

Share with team

git push

.meowpass.yaml is committed to git. It contains only the vault ID — no secrets. Teammates see it on clone.

3

Pull on any machine

mp pull

Every developer runs mp pull. Right secrets, right environment. No Slack DMs, no copy-paste.

How MeowPass compares

Honest comparison. Pick what fits your workflow.

MeowPassdotenvxAWS Secrets Manager
Setup time2 min (install + init)1 min (encrypt)30+ min (IAM + SDK)
ArchitectureEncrypted vault + APIEncrypted .env files in gitCloud KMS service
EncryptionAES-256-GCM + Argon2idECIES + secp256k1 + AES-256AWS KMS (AES-256)
Zero-knowledgeYes — server never sees plaintextNo — Ops stores your private keysNo — AWS holds keys
Team sharingX25519 key exchange per memberShare raw DOTENV_PRIVATE_KEYIAM policies
Secret versioningPer-secret history + rollbackGit history (encrypted diffs)Per-secret versions
Key rotationOne command, re-encrypts allPer-file keypair rotationAutomatic rotation
AI integration14-tool MCP + redacted modeBasic MCP (blog post)None
Runtime injectionmp run (in-memory)dotenvx run (in-memory)SDK required in code
Drift detectionmp diff + git hooksgit diff on encrypted filesNone
Offline supportEncrypted local cacheFully offline (file-based)Requires network
Web dashboardapp.meowpass.dev (read-only)None (file-based)AWS Console
CI/CDGitHub Action + export-keyCommit .env + CI secretAWS SDK in pipeline
Node.js SDK@meowlabs/meowpass (E2E)@dotenvx/dotenvx (drop-in)aws-sdk
Secret TTLAuto-expire (--ttl 24h)NoneNone
Audit trailBuilt-in per actionGit log only (free tier)CloudTrail
Open sourceFully open sourceCore open, Ops closedClosed source
Account requiredYes (free)No (free tier)Yes (AWS account)
PricingFree (early access)Free + $2.99-90/mo$0.40/secret/mo

TL;DR: Use dotenvx if you want zero-config local encryption with no account. Use MeowPass if you need zero-knowledge team sharing, per-secret versioning, AI agent integration, or audit trails.

Use MeowPass when:

  • You have 2+ developers sharing secrets
  • Your .env files drift between machines
  • New devs ask "where's the .env?" on day one
  • You sync secrets via Slack, Notion, or 1Password
  • You have staging and production environments
  • You use Claude Code or Cursor with secrets

dotenvx is enough when:

  • You work solo on one project
  • You only need one environment
  • You want encrypted .env in git with zero account
  • You don't need team sharing or versioning

Both tools are good. MeowPass adds team sync, multi-env, versioning, and AI integration on top.

Built for how developers actually work

Stop copying secrets from Slack. Stop grepping through old emails for that database URL. MeowPass fits into your workflow.

Secret Vault

Store API keys, tokens, certificates, and connection strings. Organized by project, environment, and team.

.env Sync

Pull secrets directly into your .env files. One command syncs staging, production, or any custom environment.

Team Sharing

Share vaults with your team. Role-based access, audit logs, and automatic key rotation for enterprise security.

Enterprise-grade security

Your engineering team's secrets, actually secure

Every secret is encrypted before it leaves your device. Zero-knowledge architecture means even we can't read your API keys. Built for teams that ship fast without compromising security.

  • AES-256-GCM + Argon2id encryption (same as 1Password)
  • X25519 key exchange for team vault sharing
  • Full audit log of every secret access and mutation
  • One-command key rotation (mp rotate)
  • Secret TTL with auto-expiry for temporary credentials
Vault: acme-productionEncrypted
STRIPE_SECRET_KEY
sarah2h ago
DATABASE_URL
mike1d ago
OPENAI_API_KEY
sarah3d ago
AWS_SECRET_ACCESS_KEY
alex5d ago
REDIS_URL
sarah1w ago
5 secrets · 3 team members E2E encrypted

Everything you need to ship securely

Everything you need to keep your team's secrets in sync.

One-Command Setup

mp init imports all .env files, creates a vault, and writes .meowpass.yaml. Each file gets its own environment tag.

Team Sync

Commit .meowpass.yaml. Teammates clone → mp pull → right secrets in seconds. No Slack DMs.

Multi-Environment

.env, .env.local, .env.production — each pushed as a separate env. mp pull --env local writes .env.local.

Drift Detection

mp diff shows what's out of sync. Per environment. Use --exit-on-drift in CI to block deploys.

In-Memory Injection

mp run injects secrets into your process without writing .env to disk. Zero artifacts.

Version History

Every secret change is versioned. mp history shows the timeline. mp rollback restores any version.

AI Agents (Bonus)

14-tool MCP server for Claude Code and Cursor. Redacted mode keeps secrets out of LLM context.

Open Source

Every encryption operation is auditable. CLI, API, SDK — all open source. MIT license.

your-reality.env
# Where was that Stripe key again?
STRIPE_KEY=sk_live_...check_slack_dm_from_march
# TODO: rotate this, it's been 2 years
DATABASE_URL=postgres://root:password123@...
# Mike had this, he left 6 months ago
AWS_SECRET=AKIA...ask_devops_channel
# Is this staging or prod? Nobody knows
OPENAI_KEY=sk-...from_my_personal_account_lol
# 47 API keys across 12 services
# 4 teammates who "have the key somewhere"
# 0 rotation policy
# 1 breach away from disaster

This is your codebase.
We both know it.

You have 47 API keys scattered across Slack DMs, sticky notes, and .env files you're terrified to touch. Your last "rotation" was copying a key from a coworker who left 6 months ago.

MeowPass replaces the chaos with a single encrypted vault. Every secret, every project, every teammate — one source of truth.

Fix this in 2 minutes

We literally cannot read your secrets

MeowPass is zero-knowledge by design. Your master password derives the encryption key on your device. We never receive it. Even if our database leaked, attackers get meaningless ciphertext.

Zero-Knowledge

Your master password is hashed with Argon2id (same as 1Password). The derived key never leaves your machine. We store only encrypted blobs.

Fully Open Source

Every encryption operation is auditable. CLI, API, SDK, MCP server — all open source. No black boxes. No trust-me-bro.

View source

No Vendor Lock-in

mp pull writes a standard .env file. Leave anytime with one command. Your secrets, your format, no proprietary encoding.

Read our full security architecture

Simple, developer-friendly pricing

Start free. Scale when you're ready. No surprises.

Developer

$0/month

Everything unlocked. No credit card. No catch.

  • Unlimited vaults (early access)
  • Unlimited secrets (early access)
  • CLI access
  • Web app + Chrome extension
  • MCP server access
  • .env sync
  • Community support
Get Started Free
Most Popular

Pro

$3/month

Less than a coffee. Unlimited everything.

  • Unlimited vaults
  • Unlimited secrets
  • .env sync
  • MCP server access
  • API keys
  • Priority support
Coming SoonFree during early access

Team

$6/user/month

Shared vaults, audit logs, role-based access.

  • Everything in Pro
  • Shared team vaults
  • Role-based access
  • Audit logs
  • SSO / SAML
  • Secret rotation
  • Admin console
Coming SoonFree during early access
Get Started

Up and running in 2 minutes

Four commands. That's it.

First time setup
$brew install meowrithm/tap/meowpass
$mp login
$mp init
Pushed 12 secrets. Created .meowpass.yaml
$git add .meowpass.yaml && git push
New developer joins
$git clone git@github.com:acme/api.git
$mp login
$mp pull
Synced 12 secrets to .env
Ready to code. No Slack DM needed.
Full CLI ReferenceReal-World Workflows

Your team's .env
should not live in a Slack DM.

MeowPass is early and opinionated. We ship fast and fix faster. Install it, use it for a real project, and tell us what's missing.

$brew install meowrithm/tap/meowpass && mp init
Star on GitHubJoin Discord