Work has started on Key Guard, a new Armor feature for approving private-key access only when a workflow needs it. Early development includes approval requests, approve and deny decisions, expiration, and helpful request context like command, device, and location.
We started our SOC 2 Type 2 observation process. This begins the formal period where controls are operated, evidence is collected, and Dotenvx moves toward independent assurance for security, confidentiality, and availability.
Visit Trust Centerdotenvx run now accepts an optional --token for Armor users, making it easier to run approved secret workflows from automation, CI, and agentic environments.
Dotenvx Ops has been renamed to Dotenvx Armor ⛨. Product copy, docs, CLI references, service constants, account messaging, and URLs now use Armor ⛨ naming.
We added lenient rate limiting today to keep attackers at bay and make sure our systems serve you well.
You can now change the avatar for your organization under Settings.
When using Ops , get prompted for a local or armored key when creating for the first time.
We added a new guide for encrypting secrets in Python projects using uv.
Encrypt secrets in uvWe launched trust.dotenvx.com as the home for Dotenvx security, compliance, and trust resources.
Users can now sign in with Google, making it faster for teams to get into Dotenvx and start managing their workflows.
We ran an automated security assessment against armor.dotenvx.com and supporting application code, covering public network exposure, TLS posture, passive web behavior, dependency vulnerabilities, static analysis, and secret exposure.
Evidence was retained from HostedScan, Nuclei, OWASP ZAP, Nmap, testssl.sh, Gitleaks, Trivy, and Semgrep. Remediation work will get its own follow-up entry.
Ops now prompts for the right team when armoring, pushing, pulling, or restoring keys across multi-team accounts.
Published the KEYSEE whitepaper for deterministic visual identity from compressed public keys.
Read Whitepaperarmor up, armor down, armor push, armor pull, and armor move shipped for moving private keys under Ops control.
dotenv reached half a billion monthly npm installs.
Use encrypted dotenvx env files cleanly in Cloudflare Workers and Wrangler workflows.
Read documentationDotenvx Ops opened to early teams testing hardened private keys, access control, and agent-driven secret workflows.
@dotenvx/dotenvx reached 15,000,000 monthly npm installs.
Published a practical guide for using encrypted .env files with Next.js and Vercel, including the serverless runtime gotcha around instrumentation.ts.
Research began into removing secrets entirely from agent workflows by giving agents durable identity. Instead of passing long-lived credentials around, Vestauth explores signed agent identity as the trust primitive.
Visit Websitedotenvx-ops gateway start launched with initial OpenAI support.
@dotenvx/dotenvx reached 6,000,000 monthly npm installs.
Ops added secure .env.keys backup, automatic login, project opening, and path settings for smoother recovery workflows.
Rotation tokens, rotate, URI rotation, and npm, GitHub, and OpenAI connection flows landed in Ops .
The first Ops command landed in dotenvx, introducing operational primitives for teams, infrastructure, agents, and more.
@dotenvx/dotenvx reached 2,000,000 monthly npm installs.
Added main.get and main.set, enabling programmatic encrypted value access and write workflows.
@dotenvx/dotenvx reached 1,000,000 monthly npm installs.
Added --env-keys-file so monorepos can share one .env.keys file across many apps.
Added strict failure behavior and ignore controls for CI-safe missing-file and decryption-error handling.
@dotenvx/dotenvx reached 500,000 monthly npm installs.
With decrypt added in dotenvx 1.6.0, dotenvx reached feature-complete status across its five core commands: run, get, set, encrypt, and decrypt.
Dotenvx 1.0 shipped as the next generation of configuration management for dotenv, built around three problems developers kept running into: inconsistent env behavior across platforms, juggling multiple environments, and the risk of leaking .env files.
It introduced a cross-platform dotenvx run -- your-cmd workflow, first-class multiple environment files, and public-key encryption for .env values, replacing the older .env.vault path with a simpler encrypted .env format.
.env.vault helped prove that encrypted environment files could work in real teams. It got dotenv users much farther than plaintext secrets alone.
With dotenvx, that mechanism became deprecated in favor of the new encrypted .env format: public-key encryption, safe-to-commit secret values, and local .env.keys for decryption.
From the creator of dotenv, the first dotenvx work began as a next-generation approach to configuration. The goal was to keep the simplicity developers loved about .env files while solving the problems that show up as teams and systems grow.
That early work laid the foundation for cross-platform env loading, multiple environment files, encrypted environment values, and safer secrets workflows built for modern teams.
