Keyline: Secrets your whole team can share
We host your secrets. We can't read them.<br>AES-256 Β· client-side encryption Β· audit everything
# engineeringtoday, 2:47 PM
JD
Jordan 2:46 PM
hey can someone send me the prod keys real quick? deploy is broken π©
MR
Maria 2:47 PM
here you go, don't share lol<br>OPENAI_API_KEY=sk-proj-51Hb...9aQ2<br>DATABASE_URL=postgres://admin:hunter2@β¦
β now lives in Slack forever
The problem
Your live keys are in a chat thread right now.
Every small team starts the same way. It works, until it doesn't.
βSlack & DMs keep an unencrypted, searchable copy of your credentials forever. That includes anyone you offboard.
βShared drives & pinned docs drift out of date, so half the team runs the wrong key.
β.env in the repo means one bad git push from a public leak and a 3am rotation scramble.
βNo record of who saw what, when. A leak becomes an unanswerable question.
How it works
Up and running in five minutes.
Keyline speaks .env natively. If your app reads environment variables today, nothing in your code changes. Here is the whole journey, no hidden steps.
Youabout 2 minutes
Install the CLI
One command. macOS, Linux, or Windows.
$ curl -fsSL keyline.sh/install | sh
Create your account
Two questions: team name and your email. No card, no browser.
$ keyline login
Link this folder
Once per project. Keyline remembers.
$ keyline link acme-api --env prod
Push your .env
Encrypted on your laptop before it leaves. We store ciphertext.
$ keyline push
the invite email<br>carries the join code
Your teammateabout 1 minute
Invite your teammate
You run this. They get an email with a one-time join code.
$ keyline members invite sam@acme.com
They join
Their machine gets its own key. Nothing shared over chat.
$ keyline join QVJX-3F9K-TX2M
They pull
The same .env, decrypted only on their machine.
$ keyline pull βΊ wrote .env
Day two and beyond: someone leaves, you cut them off in one command. Every read and write lands in a tamper-evident audit log.<br>$ keyline revoke jordan@acme.com
The mental model
One workspace. A project per repo.
Your folders stay exactly where they are. keyline link binds each one to a project and an environment, and from then on push and pull just know where to go.
On your laptop
~/code
ββ acme-api/
β ββ .env gitignored
β ββ .keyline.json safe to commit
ββ acme-web/
ββ .env gitignored
ββ .keyline.json safe to commit
keyline link<br>binds folder to environment
In your workspace
Acme workspace Β· your team
ββ acme-api project
β ββ prod β this laptop
β ββ staging
ββ acme-web project
ββ prod β this laptop
Workspace Your team. Members, billing, and the audit log live here. You need exactly one.
Project One per repo or app. Created on the fly the first time you link a folder.
Environment prod, staging, dev. Each holds one .env, and access is granted per environment.
.keyline.json holds ids only, never secrets. Commit it and teammates who pull the repo are one keyline pull away from running the app.
The demo
Forty-four seconds. Nothing sped up.
A real install, push, and pull. Recorded as-is.
install β login β link β push β pull β run Β· 44s
Built for agents
Agents run your code. They don't need your keys.
Claude Code, Cursor, CI bots. An agent needs your app to run, not your secrets to read. keyline run keeps values out of prompts, logs, and diffs.
Out of the context window
The agent starts your app through Keyline. Secrets are injected in memory, into the app process. Never into the prompt.
$ keyline run -- npm test
Scoped like any teammate
Give an agent read on dev and nothing on prod. Tokens expire on their own. Revoke in one command.
$ keyline members grant agent@ci --env dev --role read
Audited like production
Every pull an agent makes lands in the tamper-evident log. Who, what, when.
$ keyline audit --env dev
k_
Your machine<br>encrypt with your workspace key
β¬ a8f3..d91c (ciphertext only)
Keyline servers<br>store + sync, can't decrypt
β¬ a8f3..d91c (ciphertext only)
k_
Teammate's machine<br>decrypt locally β .env
Zero-knowledge architecture
Secrets are sealed before they leave your laptop.
Encryption and decryption happen entirely on your machines. Our servers only ever hold ciphertext.
βWe can't see your secrets The encryption key is derived from a workspace secret you control. It never touches our servers.
βA breach of us isn't a breach of you If someone stole our entire database, they'd get a pile of unreadable bytes.
βNo subpoena, no insider, no accident You can't hand over data you mathematically cannot read. Neither can we.
Everything a small team needs
Boring infrastructure. Flawlessly executed.
One-command CLI<br>Install in seconds, no concepts to learn. keyline pull and you're working.
Per-environment access<br>Scope people to dev, staging, or prod. Interns never see live keys; seniors get everything.
Tamper-evident audit log<br>Every read, write, and denied attempt is recorded with who, what, and...