envref replaces plaintext secrets with ref:// references that resolve at runtime from your OS keychain, 1Password, Vault, or AWS SSM. Your .env stays safe to commit.
ref://secrets/api_key → resolve → sk-abc...xyz
Your .env holds config values and references. Secrets live in secure backends. envref bridges the gap at runtime.
- `API_KEY=ref://secrets/api_key`: config values and secret references. Committed to git. No plaintext secrets.
- `keychain | vault | 1password | ssm`: OS keychain, local vault, 1Password, AWS SSM, HashiCorp Vault, OCI, or custom plugins.
- `config + secrets → env vars`: resolves references, merges layers, interpolates variables. Output to shell, direnv, or JSON.
Secrets stay in your OS keychain or password manager. The .env file holds only references — safe to commit, share, and review.
Run envref init --direnv and secrets resolve automatically when you cd into the project. Sub-50ms startup.
OS keychain out of the box. Add 1Password, AWS SSM, HashiCorp Vault, OCI, or write a plugin — backends chain with fallback.
Layer .env ← .env.staging ← .env.local. Profile-scoped secrets keep environments isolated.
Share secrets with teammates via age encryption. envref sync push encrypts for the whole team. New members run envref onboard.
Validate .env against .env.example or a JSON schema. --ci flag returns exit code 1 for pipeline integration.
Every envref resolve call follows a deterministic pipeline from file loading to formatted output:

1. Three-layer merge: .env (base) ← .env.<profile> (environment) ← .env.local (personal). Later files override earlier ones.
2. Expand ${VAR} references within values. DB_URL=postgres://${DB_HOST}:${DB_PORT}/app becomes a complete connection string.
3. Parse ref:// URIs and look up each secret through the backend chain. Backends are tried in order; first match wins. Results are cached per-call.
4. A second pass catches ${ref://secrets/key} patterns embedded in interpolated values. Supports arbitrary nesting depth.
5. Emit as KEY=VALUE (plain), export KEY=VALUE (shell/direnv), JSON, or bordered table. Pipe to direnv, inject into commands, or use in CI.
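The five steps above, together with the .env.example validation mentioned earlier, as an added worked model (example code written for this page, not envref's own Go implementation). Backends are stand-in dicts keyed by secret path, the .env layers, the .env.example contents and the two-backend chain are constructed sample data, and the precise ordering of embedded `${ref://...}` resolution relative to `${VAR}` expansion, the per-call cache shape and the single-quoted shell output are assumptions about behaviour the page only summarises.

```python
import re

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")  # ${VAR}
REF_RE = re.compile(r"\$\{(ref://[^}]+)\}")  # ${ref://...} embedded in a value

def parse_env(src: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for line in src.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env

def merge_layers(*layers: str) -> dict[str, str]:
    """Step 1: .env <- .env.<profile> <- .env.local; later layers override earlier ones."""
    env = {}
    for src in layers:
        env.update(parse_env(src))
    return env

def interpolate(env: dict[str, str]) -> dict[str, str]:
    """Step 2: expand ${VAR} from the merged map; unknown names stay literal."""
    out = {}
    for key, value in env.items():
        for _ in range(10):  # bounded so a cyclic reference cannot loop forever
            expanded = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)
            if expanded == value:
                break
            value = expanded
        out[key] = value
    return out

def resolve_refs(chain: list[dict], env: dict[str, str], max_depth: int = 8) -> dict[str, str]:
    """Steps 3 and 4: replace bare ref:// values through the chain, then substitute
    ${ref://...} patterns embedded in other values, repeating until none remain."""
    cache = {}  # per-call cache: each URI walks the chain at most once
    def lookup(uri: str) -> str:
        if uri not in cache:
            path = uri.removeprefix("ref://")
            # backends are tried in order; the first one holding the path wins
            hit = next((backend[path] for backend in chain if path in backend), None)
            if hit is None:
                raise KeyError(f"no backend in the chain holds {uri}")
            cache[uri] = hit
        return cache[uri]
    out = {}
    for key, value in env.items():
        if value.startswith("ref://"):
            value = lookup(value)
        depth = 0
        while REF_RE.search(value):
            if depth >= max_depth:
                raise ValueError(f"{key}: ${{ref://}} nesting too deep")
            value = REF_RE.sub(lambda m: lookup(m.group(1)), value)
            depth += 1
        out[key] = value
    return out

def format_shell(env: dict[str, str]) -> str:
    """Step 5: sorted `export KEY='VALUE'` lines; single-quoting keeps spaces and
    shell metacharacters in secret values intact when the output is eval'd."""
    lines = []
    for key in sorted(env):
        lines.append("export %s='%s'\n" % (key, env[key].replace("'", "'\\''")))
    return "".join(lines)

def resolve(chain: list[dict], *layers: str) -> str:
    """The whole pipeline: merge -> interpolate -> resolve -> shell output."""
    return format_shell(resolve_refs(chain, interpolate(merge_layers(*layers))))

def validate(env: dict[str, str], example: str) -> list[str]:
    """Keys declared in .env.example but absent from the merged env; a CI check
    would exit 1 whenever this list is non-empty."""
    return sorted(set(parse_env(example)) - set(env))

# Constructed sample layers (the contents of .env, .env.staging and .env.local).
BASE_ENV = """# .env (committed)
DB_HOST=db.internal
DB_PORT=5432
API_KEY=ref://secrets/api_key
DB_URL=postgres://app:${ref://secrets/db_pass}@${DB_HOST}:${DB_PORT}/app
"""
STAGING_ENV = "# .env.staging\nDB_HOST=db.staging.internal\n"
LOCAL_ENV = "# .env.local (personal, gitignored)\nDB_PORT=5433\n"
EXAMPLE_ENV = "DB_HOST=\nDB_PORT=\nAPI_KEY=\nDB_URL=\nSENTRY_DSN=\n"

# Constructed chain: keychain first, local vault as fallback. The vault's stale
# api_key copy is never used because the keychain matches first.
DEMO_CHAIN = [
    {"secrets/api_key": "sk-demo-key"},
    {"secrets/api_key": "stale-copy", "secrets/db_pass": "p4ss w0rd"},
]

if __name__ == "__main__":
    print(resolve(DEMO_CHAIN, BASE_ENV, STAGING_ENV, LOCAL_ENV), end="")
    print("missing:", validate(merge_layers(BASE_ENV, STAGING_ENV, LOCAL_ENV), EXAMPLE_ENV))
```

Two points worth checking against your own setup: a reference that no backend in the chain can serve fails the whole resolve (a silent empty value would be worse in CI), and the second pass resolves a secret whose value is itself an embedded `${ref://...}` reference, which is what "arbitrary nesting depth" implies, so the depth bound exists only to turn an accidental reference loop into an error.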
Two built-in backends, four CLI wrappers for enterprise tools, and a plugin system for everything else. Chain them with ordered fallback.
| Backend | Type | Use case |
|---|---|---|
| OS Keychain | keychain | Default — uses macOS Keychain, Linux Secret Service, or Windows Credential Manager. Zero setup. |
| Local Vault | vault | SQLite + age encryption. For headless servers, containers, and CI environments. |
| 1Password | 1password | Teams already using 1Password. Wraps the op CLI. |
| AWS SSM | aws-ssm | AWS Systems Manager Parameter Store. For AWS infrastructure. |
| HashiCorp Vault | hashicorp-vault | Enterprise secret management with KV v2 secrets engine. |
| OCI Vault | oci-vault | Oracle Cloud Infrastructure Vault for OCI workloads. |
| Plugin | plugin | Custom external executables via a JSON protocol. Extend to any secret store. |
Four steps from install to resolved environment variables.
28 commands organized by workflow. Run envref <cmd> --help for full details.
Available for macOS and Linux via multiple package managers. Pre-built Windows binaries on GitHub Releases.
$ brew install xcke/tap/envref
$ go install github.com/xcke/envref/cmd/envref@latest
$ nix run github:xcke/envref
$ git clone https://github.com/xcke/envref.git
$ cd envref && make build
Pre-built binaries for all platforms on GitHub Releases.
In-depth guides for each feature area.
- Installation, project initialization, storing and resolving secrets, output formats, and shell completions.
- Configuration for all seven backend types. Multi-backend chains, plugin protocol spec, and troubleshooting.
- Three-layer merge strategy, profile-scoped secrets, environment switching, and recommended workflows.
- Automatic env loading, watch mode, strict mode for CI, performance optimization, and troubleshooting.