Zero-knowledge by default

Ship secrets,
not screenshots.

Keyline is the dead-simple secrets manager for small teams. Share your .env files with one command, lock down access per environment, and audit every change — encrypted so completely that not even we can read your keys.

Start free → See how it works No card. Free for solo devs.
~/acme-api — bash
We host your secrets. We can't read them. AES-256 · client-side encryption · audit everything
# engineeringtoday, 2:47 PM
JD
Jordan 2:46 PM
hey can someone send me the prod keys real quick? deploy is broken 😩
MR
Maria 2:47 PM
here you go, don't share lol
STRIPE_SECRET_KEY=sk_live_51Hb...9aQ2
DATABASE_URL=postgres://admin:hunter2@…
⚠ now lives in Slack forever
The problem

Your live keys are in a chat thread right now.

Every small team starts the same way. It works — until it doesn't.

  • Slack & DMs keep an unencrypted, searchable copy of your credentials forever — including for anyone you offboard.
  • Shared drives & pinned docs drift out of date, so half the team runs the wrong key.
  • .env in the repo means one bad git push from a public leak and a 3am rotation scramble.
  • No record of who saw what, when — so a leak becomes an unanswerable question.
How it works

Three commands. No new format to learn.

Keyline speaks .env natively. If your app reads environment variables today, you're already done — just change where they come from.

01

Link your project

Point a directory at a workspace and an environment. Keyline remembers it.

$ keyline link acme-api --env prod
02

Push & pull

One person pushes the .env. Everyone else pulls it. Always current, never in Slack.

$ keyline pull › wrote .env
03

Rotate, revoke, audit

Cut access the moment someone leaves. Every read and write is logged for good.

$ keyline revoke jordan@
k_
Your machine
encrypt with your workspace key
⬇ a8f3..d91c   (ciphertext only)
Keyline servers
store + sync — can't decrypt
⬆ a8f3..d91c   (ciphertext only)
k_
Teammate's machine
decrypt locally → .env
Zero-knowledge architecture

Secrets are sealed before they leave your laptop.

Encryption and decryption happen entirely on your machines. Our servers only ever hold ciphertext.

  • We can't see your secretsThe encryption key is derived from a workspace secret you control. It never touches our servers.
  • A breach of us isn't a breach of youIf someone stole our entire database, they'd get a pile of unreadable bytes.
  • No subpoena, no insider, no accidentYou can't hand over data you mathematically cannot read — and neither can we.
Everything a small team needs

Boring infrastructure. Flawlessly executed.

One-command CLI

Install in seconds, no concepts to learn. keyline pull and you're working.

Per-environment access

Scope people to dev, staging, or prod. Interns never see live keys; seniors get everything.

Tamper-evident audit log

Every read, write, and denied attempt is recorded with who, what, and when.

Git-safe by design

Secrets sync through Keyline, never your repo. Commit your code, not your credentials.

Instant revoke & rotate

Someone leaves? Pull their access in one command and rotate what they touched.

Deploy anywhere

Vercel, Railway, Fly, your own boxes — if it reads env vars, Keyline feeds it.

Accountability

Answer "who touched prod?" in one glance.

When something goes wrong — or an auditor asks — you have a clean, exportable record instead of a frantic scroll through DMs.

keyline · acme-api · audit live
14:52:09maria@pulled prod · 14 keysREAD
14:48:31maria@rotated STRIPE_SECRET_KEYWRITE
14:41:02jordan@denied · prod not in scopeDENY
11:09:55sam@pulled staging · 9 keysREAD
09:17:40maria@revoked access for leo@WRITE
Pricing

One flat price. No per-seat math.

We don't charge you more as your team grows. Pick a plan, share your secrets, get back to building.

Solo
$0 /forever
For individual developers and side projects.
  • 1 developer
  • Up to 2 environments
  • Full CLI & zero-knowledge encryption
  • 7-day audit history
Get started
FOR TEAMS
Team
$19 /month, flat
For 2–10 person teams that share secrets daily.
  • Up to 10 members — no per-seat fees
  • Unlimited environments & projects
  • Per-environment access control
  • Unlimited, exportable audit log
  • Instant revoke, rotate & SSO-ready
Start 14-day trial
Questions

The things you're right to ask.

If it's zero-knowledge, what happens if we lose our key?

Your workspace key is recoverable through any active admin's device, and we offer an optional sealed recovery file you store yourself. We genuinely can't reset it for you — that's the whole point — so recovery stays in your hands.

Do I really not have to change my app code?

Correct, with one honest caveat: instead of a committed .env, your team runs keyline pull (or wraps startup in keyline run). Your app still just reads environment variables — nothing in your codebase changes.

How is this different from Doppler or Vault?

Those are powerful and can feel heavy for a 3-person team. Keyline is deliberately narrow: .env-native, one flat price, zero-knowledge, and nothing to configure. If you outgrow simple, they're great — we won't pretend otherwise.

What's your security posture?

Client-side AES-256 encryption, TLS everywhere, scoped access tokens, and a full audit trail. SOC 2 Type II is in progress; our encryption design is documented publicly so you can verify the claims rather than trust them.

Get your keys out of Slack today.

Free for solo devs. $19 flat for your whole team. Two minutes to set up.

$ curl -fsSL keyline.sh/install | sh click to copy
Start free → Read the docs