Encrypted password and environment storage

Secure Vault

A focused vault for project `.env` files, API keys, database URLs, deployment secrets, saved passwords, and operational notes.

Built with Next.js, Drizzle ORM, Supabase Postgres, Supabase Realtime, database-backed sessions, shadcn UI, and Microsoft Graph password reset mail.

production.env (AES-256-GCM)
DATABASE_URL: masked
SUPABASE_SERVICE_ROLE_KEY: masked
NEXTAUTH_SECRET: masked
MICROSOFT_GRAPH_SENDER: visible note

Why it exists

Stop treating secrets like loose notes.

Real projects accumulate values across local machines, cloud dashboards, staging deploys, production deploys, and old chat messages. Secure Vault gives those values a home with owner-scoped access and deliberate reveal controls.

Encrypted vault values
ENV values and saved passwords are encrypted server-side before they are saved to Supabase Postgres.
Hashed auth gates
Account passwords, vault keys, and reset tokens are stored as hashes, not reusable plaintext.
Realtime vault updates
Open vaults refresh when project variables change through Supabase Realtime.

Daily workflow

Simple enough for daily use, strict enough for production.

Create ENV project vaults and Password Vault folders for different contexts.

Import local `.env` files from storage and choose whether duplicate keys should be overwritten.

Reveal or copy individual ENV values and saved passwords only when you need them.

Attach notes so the next person knows owner, purpose, rotation timing, and deployment scope.

Key-value editing
Add and update ENV variables with notes.
Typed migrations
Drizzle-generated SQL is checked into the repo.
Operational context
Notes help document why each secret or password exists.
Owner scoped
Users only access their own project vaults.