Changelog
All notable changes to varsafe.
[1.4.0] - 2026-05-27
Added
- Multi-team support — users who belong to multiple teams can now switch between them from the dashboard and CLI. The active team is remembered per-project.
- MCP multi-team grants — authorize an AI agent across multiple teams in a single consent flow.
- Bulk-revoke MCP connections — select and revoke multiple AI agent connections at once from the dashboard.
- Session management — "Revoke all sessions and keep current" option when hitting the session limit.
- `varsafe get <key>` — retrieve a single secret by key with a display-width-aware table.
- Database-level tenant isolation — additional layer of protection ensuring teams can never access each other's data, even if an application bug bypasses normal access checks.
Changed
- Encryption key rotation policy is now configured at the team level instead of per-environment.
Fixed
- Password reset emails now link to the correct URL.
- Switching accounts no longer leaks the previous team context.
- Bulk import textarea clears after a successful add.
- Dashboard pages retry automatically on network interruption.
- Security hardening across authentication, webhooks, and rate limiting.
[1.3.0] - 2026-04-07
Added
- Open-source MCP server — the local MCP server source code is available for inspection and self-hosting. Authenticate with an API token to manage secrets from Claude Code, Cursor, or any MCP-compatible client.
- `VARSAFE_MCP_DEBUG` environment variable to log MCP API calls for troubleshooting.
[1.2.0] - 2026-03-31
Added
- MCP server (Model Context Protocol) — AI agents can now manage secrets through a standard OAuth 2.1 flow. Supports Claude Code, Cursor, and any MCP-compatible client.
- 9 built-in tools: list projects, environments, and secrets; get, set, and unset values; diff and export.
- Granular scope presets (Read Only, Secrets Full, Full Access) with optional project and environment restrictions.
- MCP consent screen in the dashboard with client verification badges.
- MCP Connections page to view and revoke active AI agent connections.
[1.1.0] - 2026-03-08
Added
- End-to-end encrypted `.env` files — `varsafe export` now encrypts values by default using per-environment keypairs (X25519 + AES-256-GCM). Only your team can decrypt.
- `--plain` flag to opt out of encryption when needed.
- `--tmpfs` flag to write exports to RAM instead of disk.
- `--env-file` flag on `varsafe run` to decrypt and inject secrets from encrypted `.env` files.
- Encryption Keys page in the dashboard — view keypair status, trigger rotation, and configure auto-rotation.
- Automatic key rotation when a team member is removed (configurable per team).
Changed
- `varsafe export -f env` encrypts by default. Use `--plain` for the previous plaintext behavior.
[1.0.56] - 2026-03-05
Added
- `--include` option on `varsafe run` — filter secrets by glob pattern (e.g., `--include 'VITE_*,CRISP_*'`).
Fixed
- API token authentication now works end-to-end — tokens created in the dashboard can authenticate CLI and API requests.
- `varsafe login --token` validates against the API instead of silently failing.
Added
- `varsafe login -T` — secure masked prompt for API token input (avoids shell history exposure).
- `varsafe login -t -` — read token from stdin pipe for CI/automation.
- `VARSAFE_TOKEN` environment variable triggers token login automatically.
[1.0.52] - 2026-02-14
Added
- `varsafe set <key> <value>` — create or update a secret from the command line.
- `varsafe unset <key>` — remove a secret from the command line.
- Checksum verification on CLI install and update.
[1.0.0] - 2026-01-21
Added
- Initial release — CLI-first secrets manager for developers and teams.
- `varsafe login` — authenticate via browser or API token.
- `varsafe use` — select a project and environment.
- `varsafe ls` — list secrets with masked values.
- `varsafe export` — export secrets as `.env`, JSON, or Docker format.
- `varsafe run <command>` — inject secrets as environment variables into any process.
- Dashboard for managing projects, environments, secrets, teams, and API tokens.
- One-line install: `curl -fsSL https://varsafe.dev/install.sh | sh`.