# varsafe

> Secure secrets management for developers and teams. CLI-first, observable by design.

varsafe stores, injects, and manages secrets (environment variables) for applications. Secrets are encrypted at rest, injected ephemerally into processes, and every access is audited.

## Docs

- [Getting Started](https://docs.varsafe.dev/getting-started): Install CLI, login, inject secrets in under 5 minutes
- [Core Concepts](https://docs.varsafe.dev/concepts): Teams, projects, environments, roles, ephemeral injection, audit trail
- [CLI Reference](https://docs.varsafe.dev/cli): Commands — login, use, list, set, unset, run, export, update
- [Docker](https://docs.varsafe.dev/docker): Inject secrets into containers via CLI-in-image, env_file export, host injection, or stdin pipe
- [Dashboard Guide](https://docs.varsafe.dev/dashboard): Secrets CRUD, bulk import, diff, history, rollback, rotation, team/member management, audit log
- [Authentication](https://docs.varsafe.dev/authentication): Email/password, OAuth (Google/GitHub/GitLab/Bitbucket), passkeys (WebAuthn), 2FA (TOTP), device trust, sessions
- [Single Sign-On](https://docs.varsafe.dev/sso): SAML 2.0 and OIDC configuration for enterprise IdPs
- [API Tokens](https://docs.varsafe.dev/api-tokens): Programmatic access for CI/CD — create, rotate, revoke, CI examples
- [MCP Server (AI Agents)](https://docs.varsafe.dev/mcp): Connect Claude Code, Cursor, and other AI tools via Model Context Protocol with OAuth 2.1
- [Encrypted .env Files](https://docs.varsafe.dev/encrypted-env): ECIES encryption (X25519 + AES-256-GCM), per-environment keypairs, auto-rotation
- [Security Model](https://docs.varsafe.dev/security): Encryption, RBAC, audit trail, rate limiting, multi-tenant isolation, compliance
- [Operations](https://docs.varsafe.dev/operations): Secret rotation, key management, access reviews, incident response, compliance exports
- [Philosophy](https://docs.varsafe.dev/philosophy): Design principles — encrypted pipeline, observable by default, CLI-first
- [Changelog](https://docs.varsafe.dev/changelog): Release history and user-facing changes

## Key Concepts

- **Teams** own projects and members. Each member has a role (Owner, Admin, Developer, Operator, Viewer, Billing).
- **Projects** represent applications or repos. Each project has multiple **environments** (development, staging, production, custom).
- **Secrets** are key-value pairs. Values are encrypted at rest in a secrets vault; only metadata (keys, versions) is in the database.
- **Ephemeral injection**: `varsafe run -- ` injects secrets as env vars in process memory. Nothing written to disk.
- **Encrypted .env**: `varsafe export` produces encrypted files (ECIES) safe to commit. Decrypt with `varsafe run --env-file`.
- **Protected environments**: Production is protected by default — only Owner/Admin can write; Developer gets read-only.
- **Audit trail**: Every action (access, create, update, delete, export) is logged immutably with actor, IP, timestamp.

## Access Methods

| Method | Best For | Auth |
|--------|----------|------|
| CLI (`varsafe run`) | Local dev, CI/CD | Browser login or API token |
| Dashboard | Management, audit | Browser session |
| API Token | CI/CD pipelines | `VARSAFE_API_TOKEN` env var |
| MCP Server | AI agents (Claude Code, Cursor) | OAuth 2.1 with PKCE |

## MCP Server

The MCP server at `https://api.varsafe.dev/mcp` lets AI agents manage secrets. 9 tools available:

- `varsafe_whoami` — identity and granted scopes
- `varsafe_list_projects` — list team projects
- `varsafe_list_environments` — list project environments
- `varsafe_list_secrets` — list secret keys (no values)
- `varsafe_diff_secrets` — compare environments
- `varsafe_get_secret_values` — read decrypted values
- `varsafe_export_secrets` — export as key-value pairs
- `varsafe_set_secret` — create or update a secret
- `varsafe_unset_secret` — delete a secret

Scopes: `identity:read`, `projects:read`, `secrets:read`, `secrets:read_values`, `secrets:write`, `secrets:run`, `audit:read`

## Optional

- [Full documentation](https://docs.varsafe.dev/llms-full.txt): Complete docs concatenated into a single file for LLMs with large context windows