CLI & CI/CD Integration
The dotenvar CLI lets you pull secrets from your vault directly into any local project or CI/CD pipeline without touching the web UI. One command. Any language. Any platform.
Overview
The CLI gives every developer and pipeline a first-class way to consume secrets securely. Instead of copy-pasting environment variables into CI settings or committing .env files, you run dotenvar pull and get a freshly decrypted .env file every time.
dotenvar initGenerate a deploy key and seal your secrets for local or CI use. Once per project.
dotenvar pullDecrypt and write secrets to a .env file. Local dev, staging, production.
dotenvar execInject secrets into any process. No file written. Works with every language.
Installation
Via npm
npm install -g @dotenvar/cliVia Homebrew (macOS)
brew install dotenvarVia Chocolatey (Windows)
choco install dotenvarStandalone binary
Pre-built binaries for macOS (ARM & x64), Linux (ARM & x64), and Windows are available on the GitHub Releases page. Useful for non-Node environments or Docker multi-stage builds.
Verify the install:
dotenvar --versionAuthentication
Authentication is done once per machine using your existing Google account.
dotenvar auth logindotenvar auth status # show currently logged-in user
dotenvar auth logout # revoke sessiondotenvar auth login. Instead, use a Deploy Key. See the Deploy Keys section below.Project Setup
Run dotenvar init once inside each project that needs to pull secrets. This generates a deploy key for the project, re-seals your secrets for that key, and stores everything locally.
cd my-project
dotenvar initThe interactive wizard will ask for your Env ID (copy it from the group in the web app) and optionally your passphrase if one is set on your account. Everything after that is automatic:
? Enter your Env ID (copy from app.dotenvar.com): grp_abc123
? Passphrase: ••••••••
✓ Deploy key created and sealed
✓ Created dotenvar.json
✓ Created dotenvar.key
✓ dotenvar.key added to .gitignore
✓ .env added to .gitignore
Ready. Run: dotenvar pullAdding a second environment
To add another env (e.g. staging vs production) to the same project, run init with the --env flag. It appends a new line to dotenvar.key without touching the rest.
dotenvar init --env grp_def456Pulling Secrets
After init, pull your secrets at any time. dotenvar reads dotenvar.json, resolves each env ID against dotenvar.key, decrypts locally, and writes a .env file.
dotenvar pull # pull all envs in dotenvar.json
dotenvar pull --env grp_abc # pull one specific env
dotenvar pull --out .env.local # override output path (single env only)✓ 12 secrets written to .envdotenvar pull as a pre-dev script in your package.json so your team always has fresh secrets before running the dev server. dotenvar init can do this automatically.Running Commands with Secrets Injected
dotenvar exec injects secrets as environment variables into any child process without writing a .env file to disk. Ideal for production deployments or environments where you want zero plaintext on disk.
dotenvar exec -- node server.js
dotenvar exec -- python app.py
dotenvar exec -- go run main.go
dotenvar exec -- php artisan serve
dotenvar exec --env grp_abc -- npm run startThe process receives exactly the same environment variables as if you had sourced a .env file.
Deploy Keys
A deploy key is a scoped machine credential tied to a single environment. It is generated during dotenvar init and stored in dotenvar.key as a single base64 blob. Store it as a CI secret and the CLI handles the rest.
Print a deploy key for CI
Copy the blob for a specific env and store it as a CI environment secret (e.g. DOTENVAR_DEPLOY_KEY).
dotenvar deploy-key print --env grp_abc123
# DOTENVAR_DEPLOY_KEY=eyJ0b2tlbiI6ImRsa194eHh4IiwicHJpdmF0ZV9rZXkiOiItLS0tLUJFR0lO...
# ↑ paste this value into your CI secrets panelRotate a deploy key
Re-generates and re-seals the key without touching any other env.
dotenvar deploy-key rotate --env grp_abc123Revoke a deploy key
Deletes the key on the server and removes the local entry. Any pipeline using that key will immediately stop working.
dotenvar deploy-key revoke --env grp_abc123CI/CD Integration
Generate a deploy key with dotenvar deploy-key print --env <id>, store the blob as a CI secret named DOTENVAR_DEPLOY_KEY, then call dotenvar pull in your pipeline. That's it.
GitHub Actions
jobs:
deploy:
runs-on: ubuntu-latest
env:
DOTENVAR_DEPLOY_KEY: ${{ secrets.DOTENVAR_DEPLOY_KEY }}
steps:
- uses: actions/checkout@v4
- name: Install dotenvar CLI
run: npm install -g @dotenvar/cli
- name: Pull secrets
run: dotenvar pull
- name: Build
run: npm run buildGitLab CI
deploy:
variables:
DOTENVAR_DEPLOY_KEY: $DOTENVAR_DEPLOY_KEY # set in project CI/CD settings
before_script:
- npm install -g @dotenvar/cli
- dotenvar pull
script:
- npm run buildDocker
Pass DOTENVAR_DEPLOY_KEY to the container at runtime via the -e flag. dotenvar exec reads it, fetches and decrypts your secrets from the server, injects them into the child process, and starts your app — nothing is written to disk.
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci && npm install -g @dotenvar/cli
COPY . .
RUN npm run build
# DOTENVAR_DEPLOY_KEY is passed at container run time (see below)
CMD ["dotenvar", "exec", "--", "node", "dist/server.js"]# Pass your deploy key at run time — this is the only secret the container needs
docker run \
-e DOTENVAR_DEPLOY_KEY="eyJ0b2tlbiI6ImRsa194eHh4..." \
-p 3000:3000 \
my-appCOPY dotenvar.key into your image and never run dotenvar pull in a RUN layer — secrets baked into image layers are readable by anyone with image access. Always use dotenvar exec at container startup. See the Docker guide in Platform Guides below for Docker Compose and multi-stage build examples.Vercel / Netlify
Set DOTENVAR_DEPLOY_KEY in your project's environment variables panel, then use a custom build command:
# Vercel build command
dotenvar pull && next build
# Netlify build command
dotenvar pull && npm run buildPlatform Guides
Step-by-step instructions for every CI/CD platform, deployment target, and language or framework. Select your platform to see the exact commands, config files, and where to store your deploy key.
Pass your deploy key as a repository secret. The CLI reads DOTENVAR_DEPLOY_KEY automatically — no extra flags needed.
dotenvar deploy-key print --env <your-env-id> locally to get your deploy key blob, then store it as a secret named DOTENVAR_DEPLOY_KEY in the platform below. That blob is the only credential your pipeline needs.Get your deploy key
dotenvar deploy-key print --env grp_abc123
# Outputs one line — copy the full value including "eyJ..."Add to GitHub — Settings → Secrets and variables → Actions → "New repository secret"
Name: DOTENVAR_DEPLOY_KEY. Paste the printed blob as the value. To scope to a single environment, use a GitHub Environment Secret instead.
Use in your workflow
Pass the secret as an env variable. The CLI automatically picks it up — no --key flag required.
name: Deploy
jobs:
deploy:
runs-on: ubuntu-latest
env:
DOTENVAR_DEPLOY_KEY: ${{ secrets.DOTENVAR_DEPLOY_KEY }}
steps:
- uses: actions/checkout@v4
- name: Install Node
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dotenvar CLI
run: npm install -g @dotenvar/cli
# Option A — write secrets to .env for subsequent build steps
- name: Pull secrets
run: dotenvar pull
- name: Build
run: npm run build
# Option B — inject secrets into a specific process (no file written)
- name: Run tests with secrets
run: dotenvar exec -- npm testdotenvar pull when build tools read from a .env file. Use dotenvar exec -- when you want zero secrets written to disk.Config Files
dotenvar.json - safe to commit
This file maps environment IDs to output paths. It contains no credentials and is safe to commit to version control.
{ "envId": "grp_abc123", "out": ".env" }{
"envs": [
{ "envId": "grp_abc123", "out": ".env" },
{ "envId": "grp_def456", "out": ".env.staging" }
]
}dotenvar.key - never commit
This file stores one deploy key blob per environment ID. It is automatically added to .gitignore by dotenvar init. Each line is an env ID mapped to its base64-encoded deploy key blob.
grp_abc123=eyJ0b2tlbiI6ImRsa194eHh4IiwicHJpdmF0ZV9rZXkiOiItLS0tLUJFR0lO...
grp_def456=eyJ0b2tlbiI6ImRsaxyz...dotenvar.key. Anyone with this file can pull secrets for those environments. dotenvar init adds it to .gitignore automatically, but double-check before your first commit.Command Reference
| Command | Description |
|---|---|
| dotenvar auth login | Browser OAuth → stores session to ~/.dotenvar/credentials.json |
| dotenvar auth logout | Revoke current session |
| dotenvar auth status | Show currently logged-in user |
| dotenvar init | Full setup wizard — first env in the project |
| dotenvar init --env <id> | Add another env to an existing project |
| dotenvar pull | Pull all envs defined in dotenvar.json |
| dotenvar pull --env <id> | Pull one specific env |
| dotenvar pull --out <path> | Override output file (single env only) |
| dotenvar exec -- <cmd> | Run a command with secrets injected (no file written) |
| dotenvar exec --env <id> -- <cmd> | Run for a specific env |
| dotenvar deploy-key print | Print all deploy key blobs from dotenvar.key |
| dotenvar deploy-key print --env <id> | Print one key blob (for pasting into CI) |
| dotenvar deploy-key rotate --env <id> | Re-generate key, re-seal secrets, replace local entry |
| dotenvar deploy-key revoke --env <id> | Revoke from server + remove from dotenvar.key |
| dotenvar list | List all groups / envs you have access to |
| dotenvar status | Show project config and deploy key statuses |