
Secrets managers for small teams: Doppler vs Infisical vs Klavex


If you run a small team and you're shopping for a secrets manager, three things decide it — and most comparisons bury all three under feature checklists. How simple is it to set up and live with? Does it actually keep your secrets out of .env? And what does it cost as you grow? This post leads with those.

Quick 2026 context on the .env part: coding agents (Cursor, Claude Code, MCP servers) read every file in your repo, .env included. So "keep secrets out of plaintext files" went from nice-to-have to the baseline, and every tool here meets it in some way. What's actually left to choose on is setup effort, where the secrets live, and price.

The short version

1. Simple

Klavex is three commands end to end: pip install klavex, klavex init, then klavex run -- your-command. No platform to operate, no SDK to wire into your app, no infrastructure to host. Doppler is also genuinely low-effort — it's hosted and the UX is the best of the three. Infisical asks the most of you, especially if you self-host: it's a real platform, which is the point if you want one and overkill if you don't.

2. Nothing on disk — no .env

This is the whole reason Klavex exists. It never writes a .env file. It pulls your variables from the backend and injects them straight into the process at runtime, so there's no plaintext file sitting in the repo for an agent to read, a git add . to commit, or a backup to quietly capture.

To be fair: Doppler (doppler run) and Infisical (infisical run) can both inject at runtime too, so all three let you avoid a committed .env. Klavex's difference is that there is no file mode to fall back to or forget about — no local .env ever exists, which is exactly what you want when the threat model is "an agent reads everything on disk."
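
The runtime-injection pattern described above, contrasted with a .env file on disk, as an added example that is not code from Klavex, Doppler or Infisical. fetch_secrets is a hypothetical stand-in for the backend call, and the variable names and values are constructed.

```python
import os
import subprocess
import sys
import tempfile

def fetch_secrets():
    # Hypothetical stand-in for the backend fetch; values are constructed samples.
    return {"DEMO_DATABASE_URL": "postgres://app:example-password@db.internal/app",
            "DEMO_API_TOKEN": "example-token-not-real"}

def run_with_secrets(argv, secrets, cwd=None):
    """Run argv with the secrets present only in the child's environment."""
    child_env = {**os.environ, **secrets}  # a copy; os.environ is not modified
    return subprocess.run(argv, env=child_env, cwd=cwd,
                          capture_output=True, text=True, check=False)

def plaintext_hits(root, secrets):
    """Return paths under root whose contents include any secret value."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    data = fh.read()
            except OSError:
                continue
            if any(value in data for value in secrets.values()):
                hits.append(path)
    return hits

def demo():
    secrets = fetch_secrets()
    with tempfile.TemporaryDirectory() as workdir:
        # The child reads the variable from its environment, as an app would.
        child = [sys.executable, "-c", "import os; print(os.environ['DEMO_API_TOKEN'])"]
        result = run_with_secrets(child, secrets, cwd=workdir)
        after_injection = plaintext_hits(workdir, secrets)
        # Contrast: file mode leaves the same values readable on disk.
        with open(os.path.join(workdir, ".env"), "w") as fh:
            fh.writelines(f"{k}={v}\n" for k, v in secrets.items())
        after_env_file = plaintext_hits(workdir, secrets)
    return {"child_saw_secret": result.stdout.strip() == secrets["DEMO_API_TOKEN"],
            "parent_env_clean": "DEMO_API_TOKEN" not in os.environ,
            "files_after_injection": after_injection,
            "files_after_env_file": after_env_file}

if __name__ == "__main__":
    print(demo())
```

The injected variables are inherited by anything the child process spawns, so wrap only the command that needs them.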

3. Cheaper — and flat

Doppler and Infisical both bill per identity. Klavex is one flat price for the team. For a small team that mostly matters as you grow — every new teammate is another seat on the per-head tools, and $0 more on Klavex.

Tool       | Pricing model           | 10 people
Doppler    | Per seat (~$21/mo)      | ~$210/mo
Infisical  | Per identity (~$18/mo)  | ~$180/mo
Klavex     | Flat per team           | $29/mo

The honest read: Doppler and Infisical both bill per head, so the cost climbs with every teammate you add. Klavex's flat $29 doesn't move — you're not taxed for growing the team.

Who each is actually for

Pick Infisical if you want a full open-source platform, need self-hosting (compliance), or want the deepest feature set — including its open-source Agent Vault, which proxies agent API calls so the agent never even holds the real key. It's the most capable option here. Trade-off: it's a platform to run, and per-identity pricing scales up as you grow.

Pick Doppler if you want the most polished hosted UX and don't mind per-seat pricing. Trade-off: cost as you grow.

Pick Klavex if you're a small team that wants the simplest possible setup, secrets that never land in a .env, and one flat price instead of a per-seat bill. Trade-off: it's the newest, it's not open-source, and it doesn't do proxy-level agent isolation like Agent Vault — it keeps secrets out of an agent's reach by not having a .env at all and injecting at runtime.

Where Klavex is not the answer

If you need self-hosting, a full platform, or proxy-grade agent isolation today, Infisical is the stronger pick and we'll happily say so. Klavex's bet is narrower: the simplest setup, nothing on disk, and a flat price for a small team.

Klavex is a CLI-first secrets manager — pip install klavex, free for solo use. klavex.dev · docs