New teammate
Add a teammate on dotenvx pro.
Sending the invitation
Navigate to your organization on Pro and click Team (left sidebar).
Click Invite Member.
Type their email address.
If they already have a Pro account, you will see their username autocomplete. If not, that's OK: enter their email address, and they will receive an invitation.
Give them a role and click Send invitation.
Great! They are listed under invitations.
Next, tell your teammate to check their email.
Accepting the invitation
Your teammate will receive an email invitation to join your organization.
Clicking 'Join @organization' takes them to a login screen.
One final prompt lets them accept the invitation.
Just like that, they are a member! But notice sync required.
Pro is zero-knowledge so there are a few more steps to do around public key exchange. Tell your new team member to run dotenvx pro sync.
💡 Zero-Knowledge Encryption. Zero-knowledge is great because even Pro can't know your secrets. But that necessarily requires an additional first-time step (or two) for you and your teammates. We've done our best to compress these steps into running a single command: dotenvx pro sync.
Running sync
Your newly added teammate sees sync required in the UI.
Clicking see more details brings them to their account page with instructions to run dotenvx pro sync.
1. Teammate
Your teammate runs dotenvx pro sync to generate their public key (used in later steps).
$ curl -sfS https://dotenvx.sh/pro | sh
$ dotenvx pro sync
✔ [motdotenv] logged in
✔ [motdotenv] encrypted
✖ missing private key for organization [motdotla]. Ask your teammate to run [dotenvx pro sync] and then try again.
Under the hood, the cli generated a public/private keypair on the user's machine. The public key is additionally sent to the Pro service so that team members can use each other's public keys to encrypt and pass data securely without any third party (Pro) knowledge.
The private key NEVER leaves the user's machine and sits encrypted at rest. Pro's service NEVER has access to it. It is accessible solely by the cli during local decryption processes.
2. You
You run dotenvx pro sync.
At this point, under the hood, the cli fetches your teammate's public key, encrypts the org private key with it, and pushes the encrypted payload to the Pro service.
3. Teammate
Lastly, the team member can run dotenvx pro sync a final time to complete the syncing of their copy of the organization private key.
$ dotenvx pro sync
✔ [motdotenv] logged in
✔ [motdotenv] encrypted
⚠ [motdotenv] emergency kit recommended. Generate it with [dotenvx pro settings emergencykit --unmask].
✔ [@motdotla] encrypted
✔ [@motdotla] team (2)
✔ [@motdotla] logged in
Essentially, you both went through a key exchange process by running dotenvx pro sync after each other. Cool!
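The three sync steps above, sketched as an added example that is not dotenvx pro's own code: the teammate generates a keypair locally, you wrap the org private key to their public key, and the relay only ever holds the public key and the wrapped payload. The curve (P-256), HKDF-SHA256, AES-256-GCM and every function name here are assumptions for illustration; the page does not state which primitives Pro uses.

```javascript
// Added illustration, NOT dotenvx pro's code. Curve, KDF and cipher are assumptions.
const crypto = require('node:crypto');
const CURVE = 'prime256v1'; // assumed curve

// Step 1 (teammate): keypair is generated locally; only publicKey is shared.
function generateKeypair() {
  const ecdh = crypto.createECDH(CURVE);
  const publicKey = ecdh.generateKeys();
  return { publicKey, privateKey: ecdh.getPrivateKey() };
}

// Derive an AES-256 key from the ECDH secret, bound to the ephemeral public key.
function deriveKey(shared, ephemeralPub) {
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephemeralPub, 'org-key-wrap', 32));
}

// Step 2 (you): wrap the org private key to the teammate's public key.
function wrapOrgKey(orgPrivateKey, recipientPublicKey) {
  const eph = crypto.createECDH(CURVE);
  const ephemeralPub = eph.generateKeys();
  const key = deriveKey(eph.computeSecret(recipientPublicKey), ephemeralPub);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(orgPrivateKey), cipher.final()]);
  return { ephemeralPub, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Step 3 (teammate): unwrap locally with the private key that never left the machine.
function unwrapOrgKey(payload, recipientPrivateKey) {
  const ecdh = crypto.createECDH(CURVE);
  ecdh.setPrivateKey(recipientPrivateKey);
  const key = deriveKey(ecdh.computeSecret(payload.ephemeralPub), payload.ephemeralPub);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, payload.iv);
  decipher.setAuthTag(payload.tag);
  return Buffer.concat([decipher.update(payload.ciphertext), decipher.final()]);
}

// Constructed run: "service" holds only what the relay would ever see.
function demo() {
  const teammate = generateKeypair();
  const orgPrivateKey = crypto.randomBytes(32); // constructed stand-in value
  const service = { teammatePublicKey: teammate.publicKey };
  service.wrapped = wrapOrgKey(orgPrivateKey, service.teammatePublicKey);
  const recovered = unwrapOrgKey(service.wrapped, teammate.privateKey);
  let outsiderFailed = false; // a holder of any other private key must fail
  try { unwrapOrgKey(service.wrapped, generateKeypair().privateKey); } catch { outsiderFailed = true; }
  return { match: recovered.equals(orgPrivateKey), outsiderFailed };
}
console.log(demo());
```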
Next let's sync a project.
Bonus
The organization private key is an implementation detail that dotenvx pro obfuscates away for you, but you can optionally view it with dotenvx pro settings orgprivatekey --unmask.
$ dotenvx pro settings orgprivatekey --unmask
322c004271ac6ad1b548df3f316ff4e8f08e17e0b15f459db64f3f3b48b0efb7