Changelog

Rate Limiting

We added lenient rate limiting today to keep attackers at bay and make sure our systems serve you well.

Team Avatars

You can now change the avatar for your organization under Settings.

$ dotenvx encrypt
? Select key storage
  Local (.env.keys)
› Armored ⛨

Choose Key Storage

When using Ops ⛨, get prompted for a local or armored key when creating for the first time.

Python UV

We added a new guide for encrypting secrets in Python projects using uv.

Trust Page

We launched trust.dotenvx.com as the home for Dotenvx security, compliance, and trust resources.

Google Login

Users can now sign in with Google, making it faster for teams to get into Dotenvx and start managing their workflows.

Pentest - May 2026

We ran an automated security assessment against ops.dotenvx.com and supporting application code, covering public network exposure, TLS posture, passive web behavior, dependency vulnerabilities, static analysis, and secret exposure.

Evidence was retained from HostedScan, Nuclei, OWASP ZAP, Nmap, testssl.sh, Gitleaks, Trivy, and Semgrep. Remediation work will get its own follow-up entry.

$ dotenvx armor up
⟐ select team
› acme-team
  orbit-labs
  northstar

Team Armor

Ops ⛨ now prompts for the right team when armoring, pushing, pulling, or restoring keys across multi-team accounts.

KEYSEE⎔ Whitepaper

Published the KEYSEE whitepaper for deterministic visual identity from compressed public keys.

Dotenvx Armor

armor up, armor down, armor push, armor pull, and armor move shipped for moving private keys under Ops ⛨ control.

KEYSEE⎔

KEYSEE released as a deterministic visual identity system for public keys.

500,000,000 Installs

dotenv reached half a billion monthly npm installs.

Cloudflare Workers Support

Use encrypted dotenvx env files cleanly in Cloudflare Workers and Wrangler workflows.

Dotenvx Ops ⛨ [beta]

Dotenvx Ops ⛨ opened to early teams testing hardened private keys, access control, and agent-driven secret workflows.

15,000,000 Installs

@dotenvx/dotenvx reached 15,000,000 monthly npm installs.

Next.js Setup

Published a practical guide for using encrypted .env files with Next.js and Vercel, including the serverless runtime gotcha around instrumentation.ts.

Vestauth

Research began into removing secrets entirely from agent workflows by giving agents durable identity. Instead of passing long-lived credentials around, Vestauth explores signed agent identity as the trust primitive.

Gateway [beta]

dotenvx-ops gateway start launched with initial OpenAI support.

6,000,000 Installs

@dotenvx/dotenvx reached 6,000,000 monthly npm installs.

Backup [beta]

Ops ⛨ added secure .env.keys backup, automatic login, project opening, and path settings for smoother recovery workflows.

Rotation [beta]

Rotation tokens, rotate, URI rotation, and npm, GitHub, and OpenAI connection flows landed in Ops ⛨.

Ops ⛨ Command

The first Ops ⛨ command landed in dotenvx, introducing operational primitives for teams, infrastructure, agents, and more.

2,000,000 Installs

@dotenvx/dotenvx reached 2,000,000 monthly npm installs.

Whitepaper

Published the dotenvx whitepaper draft.

Decryption at Access

Added main.get and main.set, enabling programmatic encrypted value access and write workflows.

1,000,000 Installs

@dotenvx/dotenvx reached 1,000,000 monthly npm installs.

Monorepo Support

Added --env-keys-file so monorepos can share one .env.keys file across many apps.

Strict Mode

Added strict failure behavior and ignore controls for CI-safe missing-file and decryption-error handling.

500,000 Installs

@dotenvx/dotenvx reached 500,000 monthly npm installs.

Feature Complete

With decrypt added in dotenvx 1.6.0, dotenvx reached feature-complete status across its five core commands: run, get, set, encrypt, and decrypt.

Dotenvx 1.0

Dotenvx 1.0 shipped as the next generation of configuration management for dotenv, built around three problems developers kept running into: inconsistent env behavior across platforms, juggling multiple environments, and the risk of leaking .env files.

It introduced a cross-platform dotenvx run -- your-cmd workflow, first-class multiple environment files, and public-key encryption for .env values, replacing the older .env.vault path with a simpler encrypted .env format.

Encrypted .env

.env.vault helped prove that encrypted environment files could work in real teams. It got dotenv users much farther than plaintext secrets alone.

With dotenvx, that mechanism became deprecated in favor of the new encrypted .env format: public-key encryption, safe-to-commit secret values, and local .env.keys for decryption.

Dotenvx Begins

From the creator of dotenv, the first dotenvx work began as a next-generation approach to configuration. The goal was to keep the simplicity developers loved about .env files while solving the problems that show up as teams and systems grow.

That early work laid the foundation for cross-platform env loading, multiple environment files, encrypted environment values, and safer secrets workflows built for modern teams.