MeowPassE2E encrypted secrets.Join →
Zero-knowledge encryption
Open Source

E2E encrypted
secrets for
developers.

The secret vault your team and AI agents actually use. Argon2id + AES-256-GCM encryption. X25519 key exchange for sharing. One command to sync, run, or deploy.

$brew install meowrithm/tap/meowpass
Quick Start GuideView Pricing
Zero-knowledge Open source Free tier included
From git clone to running in one command

Your secrets sync with your code. New teammate? mp pull — done in seconds.

Zero-Knowledge
Argon2id + AES-256-GCM. Even we can't read your secrets.
One Command
mp init → mp pull → mp run. That's it.
Team Sharing
X25519 key exchange. No raw key sharing.
AI-Native
14-tool MCP server for Claude, Cursor, Windsurf.

Integrates with

Claude CodeCursorWindsurfHomebrewnpmAWSVercelNetlifyDocker
.meowpass.yaml

One file connects your repo to its secrets

mp init creates a .meowpass.yaml file in your project root. Commit it to git. It contains no secrets — just a pointer to your vault.

  • Safe to commit — no secrets, no keys
  • CLI auto-detects vault per repo
  • Teammates clone → mp pull → done
  • Supports multiple environments
.meowpass.yamlsafe to commit
# MeowPass project config
version: 1
vault: e96920be-91e7-466e-...
default_env: default

Three steps to synced secrets

Set up once. Every teammate pulls automatically.

1

Import your .env

mp init

Scans .env files, encrypts each as a separate environment, writes .meowpass.yaml (safe to commit).

2

Share with team

git push

.meowpass.yaml is committed to git. It contains only the vault ID — no secrets. Teammates see it on clone.

3

Pull on any machine

mp pull

Every developer runs mp pull. Right secrets, right environment. No Slack DMs, no copy-paste.

How MeowPass compares

Honest comparison. Pick what fits your workflow.

MeowPassdotenvxAWS Secrets Manager
Setup time2 min (install + init)1 min (encrypt)30+ min (IAM + SDK)
ArchitectureEncrypted vault + APIEncrypted .env files in gitCloud KMS service
EncryptionAES-256-GCM + Argon2idECIES + secp256k1 + AES-256AWS KMS (AES-256)
Zero-knowledgeYes — server never sees plaintextNo — Ops stores your private keysNo — AWS holds keys
Team sharingX25519 key exchange per memberShare raw DOTENV_PRIVATE_KEYIAM policies
Secret versioningPer-secret history + rollbackGit history (encrypted diffs)Per-secret versions
Key rotationOne command, re-encrypts allPer-file keypair rotationAutomatic rotation
AI integration14-tool MCP + redacted modeBasic MCP (blog post)None
Runtime injectionmp run (in-memory)dotenvx run (in-memory)SDK required in code
Drift detectionmp diff + git hooksgit diff on encrypted filesNone
Offline supportEncrypted local cacheFully offline (file-based)Requires network
Web dashboardapp.meowpass.dev (read-only)None (file-based)AWS Console
CI/CDGitHub Action + export-keyCommit .env + CI secretAWS SDK in pipeline
Node.js SDK@meowlabs/meowpass (E2E)@dotenvx/dotenvx (drop-in)aws-sdk
Secret TTLAuto-expire (--ttl 24h)NoneNone
Audit trailBuilt-in per actionGit log only (free tier)CloudTrail
Open sourceFully open sourceCore open, Ops closedClosed source
Account requiredYes (free)No (free tier)Yes (AWS account)
PricingFree (3 vaults) / $3/mo ProFree + $2.99-90/mo$0.40/secret/mo

TL;DR: Use dotenvx if you want zero-config local encryption with no account. Use MeowPass if you need zero-knowledge team sharing, per-secret versioning, AI agent integration, or audit trails.

Use MeowPass when:

  • You have 2+ developers sharing secrets
  • Your .env files drift between machines
  • New devs ask "where's the .env?" on day one
  • You sync secrets via Slack, Notion, or 1Password
  • You have staging and production environments
  • You use Claude Code or Cursor with secrets

dotenvx is enough when:

  • You work solo on one project
  • You only need one environment
  • You want encrypted .env in git with zero account
  • You don't need team sharing or versioning

Both tools are good. MeowPass adds team sync, multi-env, versioning, and AI integration on top.

One vault for your entire workflow

CLI, web dashboard, Chrome extension, AI agents, CI/CD — all E2E encrypted, all synced.

Secret Vault

Store API keys, tokens, certificates, and connection strings. Organized by project, environment, and team.

.env Sync

Pull secrets directly into your .env files. One command syncs staging, production, or any custom environment.

Team Sharing

Share vaults with your team. Role-based access, audit logs, and automatic key rotation for enterprise security.

Enterprise-grade security

Your engineering team's secrets, actually secure

Every secret is encrypted before it leaves your device. Zero-knowledge architecture means even we can't read your API keys. Built for teams that ship fast without compromising security.

  • AES-256-GCM + Argon2id encryption (same as 1Password)
  • X25519 key exchange for team vault sharing
  • Full audit log of every secret access and mutation
  • One-command key rotation (mp rotate)
  • Secret TTL with auto-expiry for temporary credentials
Vault: acme-productionEncrypted
STRIPE_SECRET_KEY
sarah2h ago
DATABASE_URL
mike1d ago
OPENAI_API_KEY
sarah3d ago
AWS_SECRET_ACCESS_KEY
alex5d ago
REDIS_URL
sarah1w ago
5 secrets · 3 team members E2E encrypted
Audit Trail
setSTRIPE_SECRET_KEY
sarah192.168.1.422m ago
revealDATABASE_URL
mike10.0.0.151h ago
rotatevault key
sarah192.168.1.423h ago
deleteOLD_API_KEY
alex172.16.0.81d ago

Everything you need to ship securely

CLI, SDK, MCP, GitHub Action — secrets managed everywhere you code.

One-Command Setup

mp init imports all .env files, creates a vault, and writes .meowpass.yaml. Each file gets its own environment tag.

Team Sync

Commit .meowpass.yaml. Teammates clone → mp pull → right secrets in seconds. No Slack DMs.

Multi-Environment

.env, .env.local, .env.production — each pushed as a separate env. mp pull --env local writes .env.local.

Drift Detection

mp diff shows what's out of sync. Per environment. Use --exit-on-drift in CI to block deploys.

In-Memory Injection

mp run injects secrets into your process without writing .env to disk. Zero artifacts.

Version History

Every secret change is versioned. mp history shows the timeline. mp rollback restores any version.

AI-Native

14-tool MCP server. Your AI agent deploys with production secrets — without ever seeing the values.

Audit Trail

Every action is logged — who accessed what, when, from where. IP, user agent, timestamps. SOC 2 ready.

your-reality.env
# Where was that Stripe key again?
STRIPE_KEY=sk_live_...check_slack_dm_from_march
# TODO: rotate this, it's been 2 years
DATABASE_URL=postgres://root:password123@...
# Mike had this, he left 6 months ago
AWS_SECRET=AKIA...ask_devops_channel
# Is this staging or prod? Nobody knows
OPENAI_KEY=sk-...from_my_personal_account_lol
# 47 API keys across 12 services
# 4 teammates who "have the key somewhere"
# 0 rotation policy
# 1 breach away from disaster

This is your codebase.
We both know it.

You have 47 API keys scattered across Slack DMs, sticky notes, and .env files you're terrified to touch. Your last "rotation" was copying a key from a coworker who left 6 months ago.

MeowPass replaces the chaos with a single encrypted vault. Every secret, every project, every teammate — one source of truth.

Fix this in 2 minutes

We literally cannot read your secrets

MeowPass is zero-knowledge by design. Your master password derives the encryption key on your device. We never receive it. Even if our database leaked, attackers get meaningless ciphertext.

Zero-Knowledge

Your master password is hashed with Argon2id (same as 1Password). The derived key never leaves your machine. We store only encrypted blobs.

Fully Open Source

Every encryption operation is auditable. CLI, API, SDK, MCP server — all open source. No black boxes. No trust-me-bro.

View source

No Vendor Lock-in

mp pull writes a standard .env file. Leave anytime with one command. Your secrets, your format, no proprietary encoding.

Read our full security architecture

Simple, developer-friendly pricing

Start free. Scale when you're ready. No surprises.

Developer

$0/month

Get started with no credit card required.

  • 3 vaults
  • 50 secrets
  • CLI access
  • Web app + Chrome extension
  • MCP server access
  • .env sync
  • Community support
Get Started Free
Most Popular

Pro

$3/month

Less than a coffee. Unlimited everything.

  • Unlimited vaults
  • Unlimited secrets
  • .env sync
  • MCP server access
  • API keys
  • Priority support
Upgrade to Pro

Team

$6/user/month

Shared vaults, audit logs, role-based access.

  • Everything in Pro
  • Shared team vaults
  • Role-based access
  • Audit logs
  • SSO / SAML
  • Secret rotation
  • Admin console
Get Team Plan
Get Started

Up and running in 2 minutes

Four commands. That's it.

First time setup
$brew install meowrithm/tap/meowpass
$mp login
$mp init
Pushed 12 secrets. Created .meowpass.yaml
$git add .meowpass.yaml && git push
New developer joins
$git clone git@github.com:acme/api.git
$mp login
$mp pull
Synced 12 secrets to .env
Ready to code. No Slack DM needed.
Full CLI ReferenceReal-World Workflows

Your secrets deserve
real encryption.

Zero-knowledge vault. X25519 team sharing. AI-native MCP server. One CLI for your entire team. Install in 60 seconds.

$brew install meowrithm/tap/meowpass && mp init
Star on GitHubJoin Discord