Node.js

By the end of this page your .env is end-to-end encrypted, shared with your team, and ready to deploy from a Node.js app. Five commands.

Install the CLI

brew install capysc/tap/capy

Capy is a single binary - no daemon, no background service.

Sync your secrets

From any project that has a .env:

capy

On the first run, Capy authenticates you in the browser, creates a project, encrypts every value in your .env, and uploads the ciphertext. Capy rewrites .env in place with capy:… snippets, gitignores it, and commits only keep.lock - a small versioning manifest that lets teammates find the right project.Run capy again whenever you want to pull or push changes.

Invite a teammate

capy invite teammate@example.com

Capy prints a one-line redeem code. Send it out-of-band. They run capy redeem <code> and now share access - no key material ever touches Capy’s backend in plaintext.

Run your app

Wrap your command with capy run:

capy run -- node server.js
capy run -- next dev
capy run -- bun test

Capy decrypts .env in memory and spawns your process with plaintext values available as process.env. Your code reads env vars the standard way - no library to import:

const db = process.env.DATABASE_URL;

Add it to your package.json scripts and forget it:

"scripts": {
  "dev": "capy run -- next dev",
  "start": "capy run -- node server.js"
}

Deploy

capy deploy

Capy opens a setup page in your browser, asks where you’re deploying, and shows you the exact env vars to paste into that platform’s secret store. The deploy token is double-wrapped: half lives with your platform, half lives with the Capy service, and your app reconstructs the project key at boot time.

That’s the whole loop. Edit a secret locally, run capy, redeploy. Anyone you’ve invited stays in sync. Anyone you’ve kicked loses access immediately, with no re-encryption needed.

Getting started

Using Capy

Deploying

Organizations

Branches

Team

CLI reference

Under the hood

What’s next

How it works

CLI Reference