Team Collaboration

1. An owner or admin invites them via the dashboard. They receive an email with an accept link.
2. Once they accept, they belong to the organization and can sign in.
3. They install the CLI (install guide).
4. They generate a personal API key from /dashboard/api-keys and run envv login --token <KEY>.
5. From any project directory, they run envv use to pin a project + environment.

Two ways to share which project + environment a directory targets:

For CI runners and shared automation, use a dedicated API key rather than a personal one:

1. Create the key under a service-account name (e.g. github-actions-deploy) at /dashboard/api-keys.
2. Scope it to specific projects and (optionally) IP allowlist your runner.
3. Set an expiry that matches your rotation cadence.
4. Store the token in your CI provider's secret store and inject it as ENVVAULT_TOKEN.

# .github/workflows/deploy.yml
- name: Deploy
  env:
    ENVVAULT_TOKEN: ${{ secrets.ENVVAULT_TOKEN }}
    ENVVAULT_PROJECT: proj_2bk9
    ENVVAULT_ENV: production
  run: envv run -- npm run deploy

Use the encrypted local cache to keep working when the API is unreachable:

# Warm the cache while online
envv run --env-cache -- npm run dev

# Subsequent runs within 24h reuse the cached env
envv run --env-cache -- npm run dev

Cached payloads live at ~/.envv/cache/ with AES-256-GCM encryption. They expire after 24 hours.

When a teammate leaves, the dashboard owner / admin should:

1. Remove them from the organization at /dashboard/teams.
2. Revoke any API keys they personally created at /dashboard/api-keys.
3. Rotate any org secrets they had access to that were sensitive enough to warrant rotation.