Stop sharing .env files on Slack. GitHub access = secret access.
You're still doing this:
- Pasting secrets in Slack DMs
- Emailing
.envfiles to new devs - Rotating every secret when someone leaves
- Manually copying vars to Vercel/Railway/Netlify
keyway pullThat's it. If you have access to the repo, you have access to the secrets. No invites, no training, no friction.
brew install keywaysh/tap/keywaycurl -fsSL https://get.keyway.sh | shnpx @keywaysh/cli initGrab the binary for your platform from Releases.
keyway initThis will:
- Authenticate with GitHub
- Create an encrypted vault for your repo
- Push your local
.envto the vault
New teammate joins? They run keyway pull. Done in 30 seconds.
keyway init # First time: create vault, push secrets
keyway push # Update remote secrets
keyway pull # Get latest secrets
keyway sync vercel # Deploy to Vercel, Railway, NetlifyNever write secrets to disk. Inject them directly into your process:
keyway run -- npm start
keyway run --env production -- ./my-appSecrets exist only in memory. When the process exits, they're gone.
Your secrets are protected by:
| Layer | Protection |
|---|---|
| Encryption | AES-256-GCM with random IV per secret |
| At Rest | Encrypted in database, keys in isolated service |
| In Transit | TLS 1.3 everywhere |
| Access Control | GitHub collaborator API — no separate user management |
| Audit Trail | Every pull and view is logged with IP and location |
We can't read your secrets. Even if our database leaks, attackers get encrypted blobs.
Read our security whitepaper →
| Command | Description |
|---|---|
keyway init |
Create vault and push initial secrets |
keyway push |
Push local secrets to vault |
keyway pull |
Pull secrets from vault |
keyway set KEY=VALUE |
Set a single secret in the vault |
keyway run |
Run command with secrets injected (zero-trust) |
keyway diff |
Compare local vs remote secrets |
keyway sync |
Sync to Vercel, Railway, Netlify |
keyway connect |
Connect to a provider (Vercel, Railway) |
keyway connections |
List connected providers |
keyway disconnect |
Remove a provider connection |
keyway scan |
Scan repo for leaked secrets |
keyway login |
Authenticate with GitHub |
keyway logout |
Clear stored credentials |
keyway doctor |
Diagnose environment issues |
| Variable | Description |
|---|---|
KEYWAY_TOKEN |
Auth token for CI/CD (use keyway login --ci) |
KEYWAY_API_URL |
Custom API endpoint |
KEYWAY_DISABLE_TELEMETRY=1 |
Disable anonymous analytics |
- 30 seconds to onboard a new developer
- 0 secrets to rotate when someone leaves (just revoke GitHub access)
- 1 command to deploy secrets to production
- GitHub-native — no new accounts, no new permissions to manage
Use an API key for automation:
# Generate an API key (Dashboard > Settings > API Keys)
# Use scope "read:secrets" for CI — least privilege principle# GitHub Actions example
env:
KEYWAY_TOKEN: ${{ secrets.KEYWAY_TOKEN }}
run: keyway pull --env productionOr use the GitHub Action:
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
environment: production# Prerequisites: Go 1.22+
make build # Build → ./bin/keyway
make test # Run tests
make lint # Run golangci-lint
make install # Install to /usr/local/bin/keywayReleases are automated via GoReleaser on tag push.
MIT — see LICENSE