Klavex injects your environment variables into your process at runtime, so there's no .env for Cursor or Claude Code to read. Import your existing .env in one command — no rewriting. Free for solo devs, one flat price for teams, and every AI agent gets a read-only token scoped to only the envs you pick.
It might be in .gitignore, but it's still sitting in plaintext on your disk — one read_file('.env') tool call away from a model's context window. And sharing it with the team is still a Slack DM.
The same .env that lets your dev server boot also feeds every coding agent in your editor — and getting a teammate set up is still a manual copy-paste ritual.
One encrypted vault — for you, or shared with the team. The CLI pulls the right secrets straight into the process you're running — they're never written to a file an agent can open.
Install, log in, point it at your repo once. Then every command you'd normally run gets klavex run -- in front of it.
One Python package, then a browser-based device login that binds the CLI to your machine. No long-lived API keys to leak.
Run it in your repo. klavex init finds your existing .env and imports every var — no retyping. Then delete the file.
Wrap your dev server, test runner, deploy script — anything. Secrets are injected only into that one child process, never to disk.
Your secrets aren't sitting in a .env for an agent to scrape. And when you do want Cursor, Claude Code, or a CI runner to have some, mint it its own token — read-only, scoped to the exact environments you pick. It reads Dev; Production stays invisible.
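The two properties described above, injection into a single child process and a read-only token scoped per environment, shown as an added Python sketch. This is not Klavex's code: the in-memory vault, the token names, the `DEMO_API_KEY` variable and the `fetch_secrets` / `run_with_secrets` helpers are hypothetical and constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed stand-in for a remote vault: environment name -> variables.
VAULT = {
    "dev": {"DEMO_API_KEY": "dev-key-constructed"},
    "production": {"DEMO_API_KEY": "prod-key-constructed"},
}

# Constructed read-only tokens and the environments each one may read.
TOKENS = {
    "agent-token": {"dev"},
    "owner-token": {"dev", "production"},
}


class ScopeError(PermissionError):
    """A token asked for an environment outside its scope."""


def fetch_secrets(token, environment):
    """Return the variables for one environment, enforcing the token's scope."""
    allowed = TOKENS.get(token, set())
    if environment not in allowed:
        # Same error for an unknown token, an unknown environment and an
        # out-of-scope one, so the caller learns nothing about what exists.
        raise ScopeError("token is not authorised for this environment")
    return dict(VAULT[environment])


def run_with_secrets(token, environment, argv):
    """Run argv with the secrets added to the child's environment only."""
    child_env = os.environ.copy()
    child_env.update(fetch_secrets(token, environment))
    # env= affects the child alone: os.environ is unchanged, nothing is written to disk.
    return subprocess.run(argv, env=child_env, capture_output=True, text=True, check=False)


def demo():
    """Child sees the dev value; the parent process environment never holds it."""
    probe = [sys.executable, "-c", "import os; print(os.environ.get('DEMO_API_KEY'))"]
    child = run_with_secrets("agent-token", "dev", probe)
    return child.stdout.strip(), "DEMO_API_KEY" in os.environ


if __name__ == "__main__":
    print(demo())
```

The injected variables are inherited by anything the child itself starts, so wrap only the command that needs them.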
The essentials done well — strong encryption, environments, audit, rotation, scoped access. No sprawling platform to operate, no SDK to wire into your app, no feature bloat to learn.
Envelope-encrypted with a KMS-protected master key. Encryption context binds every ciphertext to its team and repo, so a stolen token can't unlock anyone else's data.
Production, Staging, Dev — and any custom env you need. Same keys, different values, the right one injected per run.
Every fetch and every membership change — by actor, IP, and timestamp. 7-day retention on Solo, 90-day on paid plans.
Rotate a key in the dashboard. Every shell, every CI runner, every agent picks it up on next exec. No redeploys.
Owner / Admin / Editor / Viewer roles across your team. Invite teammates by email, change a role or revoke access in a click.
klavex run works in GitHub Actions, GitLab CI, and Docker. Locally it's klavex run -- <cmd>; in CI a scoped KLAVEX_TOKEN injects the variables into that one process only.
Doppler and Infisical are powerful platforms — and overkill if you just want your secrets out of .env. Klavex does the one thing well: three commands, nothing on disk, one flat price.
| | Klavex | Doppler | Infisical |
|---|---|---|---|
| Pricing model | Flat per team — agents free | Per seat (~$21/user) | Per identity (~$18) |
| Cost at 10 people | $29/mo flat | ~$210/mo | ~$180/mo |
| Setup | 3 commands, no platform | Hosted, polished UX | A platform to run / self-host |
| Local .env on disk | Never — no file mode | Optional (can inject) | Optional (can inject) |
| Import your .env | One command, no rewriting | Yes | Yes |
| Scoped AI-agent tokens | Unlimited, free, per-env | Service tokens (per seat) | Yes — incl. Agent Vault |
Need self-hosting, a full platform, or proxy-grade agent isolation? Infisical is the stronger pick — and we'll say so. Klavex's bet is narrower: the simplest setup, nothing on disk, one flat price.
Every plan includes unlimited repos, environments, variables — and unlimited AI agents, free. You only pay for human teammates, and the price is flat — not per seat. Save ~17% annually.
For one developer. Everything you need to never write a .env again — no card, no trial clock.
For small teams sharing secrets across repos. $24/mo billed annually — save ~17%.
For larger teams running Klavex across multiple squads. $48/mo billed annually — save ~17%.
Custom contracts add SSO / SAML, custom audit retention, a DPA, and on-call support.
Klavex is a CLI-first secrets manager. Instead of keeping a .env file on disk, the Klavex CLI pulls your environment variables from an encrypted vault and injects them into your app's process at runtime — so the plaintext secrets never sit in a file.
Same core idea — a central vault instead of scattered .env files — but Klavex is built to be the simplest and cheapest option for solo developers and small teams: one command to import your existing .env, flat per-team pricing, and a deliberately small feature set.
Coding agents like Cursor, Claude Code, and Copilot can read any file in your project, including .env. Klavex removes the file — secrets live in the process environment at runtime, not on disk — so there's no plaintext file for an agent to open. You can also scope each agent to only the environments you choose.
Your secrets are envelope-encrypted in the Klavex vault and only decrypted into your process when you run a command. Access is scoped per environment, so a given token only ever sees the secrets you grant it.
Yes — Klavex is free for solo developers. Teams pay a flat per-team price as they grow, with no per-secret or per-request metering.
Yes. One command imports an existing .env into Klavex. From there you can delete the file and run your app with the same variables injected at runtime.
Install in 30 seconds. Migrate your first .env in 5 minutes. Sleep better tonight knowing the agents on your machine don't have a free copy of your AWS keys.