> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage Node.js Environment Variables Securely (Capy)

> Encrypt and sync .env files in your Node.js app with Capy. Install the CLI, invite teammates, and ship to Vercel without exposing plaintext secrets.

By the end of this page your `.env` is end-to-end encrypted, shared with your team, and ready to deploy from a Node.js app. Five commands.

<Steps>
  <Step title="Install the CLI">
    <CodeGroup>
      ```bash brew theme={null}
      brew install capysc/tap/capy
      ```

      ```bash npm theme={null}
      npm install -g @capysc/cli
      ```

      ```bash bun theme={null}
      bun add -g @capysc/cli
      ```
    </CodeGroup>

    Capy is a single binary - no daemon, no background service.
  </Step>

  <Step title="Sync your secrets">
    From any project that has a `.env`:

    ```bash theme={null}
    capy
    ```

    On the first run, Capy authenticates you in the browser, creates a project, encrypts every value in your `.env`, and uploads the ciphertext. Capy rewrites `.env` in place with `capy:…` snippets, gitignores it, and commits only `keep.lock` - a small versioning manifest that lets teammates find the right project.

    Run `capy` again whenever you want to pull or push changes.
  </Step>

  <Step title="Invite a teammate">
    ```bash theme={null}
    capy invite teammate@example.com
    ```

    Capy prints a one-line redeem code. Send it out-of-band. They run `capy redeem <code>` and now share access - no key material ever touches Capy's backend in plaintext.
  </Step>

  <Step title="Run your app">
    Wrap your command with `capy run`:

    ```bash theme={null}
    capy run -- node server.js
    capy run -- next dev
    capy run -- bun test
    ```

    Capy decrypts `.env` in memory and spawns your process with plaintext values available as `process.env`. Your code reads env vars the standard way - no library to import:

    ```ts theme={null}
    const db = process.env.DATABASE_URL;
    ```

    Add it to your `package.json` scripts and forget it:

    ```json theme={null}
    "scripts": {
      "dev": "capy run -- next dev",
      "start": "capy run -- node server.js"
    }
    ```
  </Step>

  <Step title="Deploy">
    ```bash theme={null}
    capy deploy
    ```

    Capy opens a setup page in your browser, asks where you're deploying, and shows you the exact env vars to paste into that platform's secret store. The deploy token is double-wrapped: half lives with your platform, half lives with the Capy service, and your app reconstructs the project key at boot time.
  </Step>
</Steps>

That's the whole loop. Edit a secret locally, run `capy`, redeploy. Anyone you've invited stays in sync. Anyone you've kicked loses access immediately, with no re-encryption needed.

## What's next

<Columns cols={2}>
  <Card title="How it works" icon="shield-halved" href="/internals/cryptography" horizontal>
    The full cryptographic design.
  </Card>

  <Card title="CLI Reference" icon="terminal" href="/cli/capy" horizontal>
    Every command, every flag.
  </Card>
</Columns>
