env files on disk. It addresses the risks associated with plaintext environment files, particularly in contexts involving AI coding agents and collaborative development teams, by ensuring secrets are never accessible to unauthorized tools or stored in a way that can be easily read or leaked.
env files in a single command, after which those files can be deleted from disk. Klavex stores secrets in an encrypted vault, using AES-256-GCM encryption at rest and envelope encryption with a KMS-protected master key. Each ciphertext is bound to its team and repository, providing additional security. Environment variables are managed as first-class entities, supporting multiple environments such as Production, Staging, and Dev, as well as custom environments, with the correct values injected per run. For team usage, Klavex offers role-based access control (Owner, Admin, Editor, Viewer) and allows inviting teammates by email for quick onboarding. Key rotation is streamlined, with updates propagating to all shells and CI runners on the next execution, and every fetch or membership change is logged with actor, IP, and timestamp for auditing purposes.
Klavex is particularly suited for developers and teams working with AI agents like Cursor, Claude Code, Copilot, Aider, and Continue, as well as those deploying to MCP servers. It allows the creation of read-only, environment-scoped tokens for agents, ensuring they only access secrets relevant to their assigned environments. These agent tokens are read-only, cannot modify or delete secrets, and can be revoked instantly, with all access logged for review. Agents do not count against team seat limits, and unlimited tokens can be issued for different use cases.
The tool is distributed as a Python package, installable via pip, and supports macOS, Linux, and WSL. Solo developers can use Klavex for free without a credit card, while teams are offered a single flat price. Audit log retention is seven days for solo users and ninety days for paid plans.
In the Other infrastructure space, Klavex takes a focused approach. It focuses on securing and managing environment secrets without storing them in plaintext .env files. Klavex is a B2B product aimed at developers and engineering teams. There is a free tier, and paid plans start at $10. It runs on the command line.
Klavex first shipped in 2026. Across PulseGate's embedding index, Klavex has few near neighbours, marking it as relatively distinct. Among its 5 catalogued features are secrets injection, no .env on disk, and team management. It exposes integrations via an MCP server.
Latest indexed changes and source events
Stop AI coding agents from reading your .env secrets discovered by the PulseGate indexer
Other apps tracked under the same category.