Structured metadata for every secret — capabilities, constraints, expiration, and fleet health — so agents operate within their boundaries instead of flying blind.
A metadata sidecar that gives AI agents and CI pipelines structured awareness of their secrets
Scan your environment, build a catalog, sync via cloud drive, and load secrets per terminal with eval "$(envpkt env export)".
Gate deployments with audit --strict, encrypt with seal, deploy with exec --strict, and monitor with fleet.
Built-in MCP server gives AI agents structured awareness of their credentials without exposing secret values. Works with Claude, Cursor, VS Code.
Architecturally enforced trust boundaries. MCP server never accesses secret values. Runtime injection stays outside the LLM context. Fleet-wide audit trails.
Every credential gets structured metadata — service, purpose, capabilities, expiration, rotation URL — plus optional age-encrypted sealed packets, safe to commit to git.
Auto-discover credentials from your shell with envpkt env scan. Matches ~45 known services, ~13 suffix patterns, and ~29 value shapes with confidence scoring.
Scan an entire directory tree of agents with envpkt fleet. Get aggregated health status, expiration warnings, and stale credential detection.
TypeScript library built on functype. All functions return Either or Option — no thrown exceptions. Use programmatically for boot, audit, fleet scan, and more.
The only credential manager with a native MCP server. Your AI agents can check credential health, capabilities, and expiration — without ever seeing a secret value.
Learn about MCP Integration

From install to sealed deployment in 5 steps

1. npm install envpkt
   Also works with yarn, pnpm, and bun
2. npx envpkt init
   Creates envpkt.toml with your project's secrets
3. npx envpkt env scan
   Auto-discover credentials from your environment
4. npx envpkt audit
   Check health, expiration, and lifecycle status
5. npx envpkt seal && npx envpkt exec -- node app.js
   Encrypt secrets with age, then inject at runtime