Effortless & secure secrets management
Shelve - The Simple Way to Share Environment Variables Open-source platform that makes sharing env files with your team secure and effortless. No more Slack or emails! 🚀 Simple CLI 🎯 Drag & drop .env 👥 Team management 🏠 Self-hostable 🐙 Github Sync
Shelve is open-source and fully self-hostable on Vercel or other providers. Users own the Key Encryption Key (KEK), database, and audit trail end-to-end. Deployment guides and Docker images are provided for flexible infrastructure choices.
Shelve's official GitHub App automatically keeps GitHub Actions secrets and repository secrets synchronized with Shelve as the single source of truth, eliminating manual secret management in GitHub and reducing configuration drift.
Shelve provides a centralized dashboard to store all secrets encrypted with per-project AES-256-GCM envelope encryption, role-based access control, and team collaboration features. Users can organize secrets by project and environment (dev, preview, production) and sync them seamlessly via CLI or GitHub integration.
Shelve's `shelve init` command automatically provisions `.cursorignore`, `.aiderignore`, and `.codeiumignore` files to prevent AI agents from reading raw `.env` files. Tokens are stored in the OS keychain and runtime injection keeps secrets in memory only with zero disk writes.
Shelve maintains an immutable, append-only audit log capturing every security-relevant action (team changes, variable edits, token creation, deletions) with actor, IP, user agent, and resource context. Logs are queryable via filterable API and retained indefinitely on the hosted instance.