Open Source · MIT License

Store your keys once.
Pour them everywhere.

Vial is an encrypted local vault for your API keys. One command auto-populates any project's .env from a single source of truth.

~/projects/my-saas-app
$ vial pour
  ✓ OPENAI_API_KEY → matched from vault
  ✓ STRIPE_SECRET_KEY → matched from vault
  ✓ NEXT_PUBLIC_SUPABASE_URL → matched (prefix-stripped: SUPABASE_URL)
  ✓ SUPABASE_ANON_KEY → matched (variant: SUPABASE_KEY)
  ✗ DATABASE_URL → not found in vault
  → .env created with 4/5 keys populated

You've got 30 projects and one sanity

You're vibe coding. AI assistants are spinning up repos faster than you can populate .env files. Every project needs the same keys — copy-pasted from a password manager, an old Notion doc, three stale .env files, and a Slack DM to yourself.

Then you rotate a key. Good luck updating all 30 projects.

  • 📋 Copy-paste ceremony for every new project. Find keys, open template, transcribe one by one.
  • 🔑 No single source of truth. Keys scattered across dashboards, text files, and stale .env files.
  • 🔄 Key rotation is intractable. One rotated key means manually updating every project that uses it.
  • 🏗 Existing tools don't fit. Vault needs clusters. Doppler caps at 10 projects. 1Password needs per-var URIs.

Everything a vault should be

One encrypted file. One command. Zero ceremony.

🫗 Pour

Reads your .env.example, matches keys against your vault, writes a .env. One command, zero config.

🧠 5-Tier Matching

Exact match → normalization → alias variants → comment parsing → LLM reasoning. It understands your keys.

🔐 Encrypted at Rest

Argon2id KDF → AES-256-GCM per-value encryption. Keys in memguard locked memory. Secrets never in CLI args.

Zero-Config Setup

vial setup scans your code, generates .env.example, pours secrets, and installs git hooks — one command.

🔄 Rotate Once

Update a key in your vault, run pour --all. Every registered project gets the new value instantly.

🍺 Brew

Run any command with secrets injected as env vars. No .env written to disk. vial brew -- node app.js

🧪 Distill & Import

Import from .env files, 1Password, Doppler, or Vercel. vial distill --from=1password

🤖 MCP & Claude Code

MCP server for AI coding tools. Claude Code skill for autonomous project setup. vial mcp

🛡 Secret Health & Hooks

Rotation tracking, staleness alerts, git pre-commit hooks to catch leaked secrets before they ship.

📦 Share & Export

Encrypted bundles for teammates. Export to Docker, Kubernetes, GitHub Actions, or shell formats.

🖥 Dashboard

Local web UI embedded in the binary. Browse secrets, manage aliases, track key health.

🔁 Sync & CI/CD

Vault sync via iCloud, Dropbox, or git. Headless mode with VIAL_MASTER_KEY for pipelines.

Matching that thinks

Your .env.example says OPENAI_KEY. Your vault has OPENAI_API_KEY. Framework prefixes, naming variants, even comments — Vial resolves them all.

| Tier | Method | Example |
|------|--------|---------|
| 1 | Exact match | OPENAI_API_KEY = OPENAI_API_KEY |
| 2 | Prefix stripping | NEXT_PUBLIC_SUPABASE_URL → SUPABASE_URL |
| 3 | Alias & variants | OPENAI_KEY → OPENAI_API_KEY |
| 4 | Comment-informed | # Your Stripe secret key → STRIPE_SECRET_KEY |
| 5 | LLM-assisted | Calls an inference API for truly ambiguous cases |
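
The first three tiers can be sketched in Go as follows. This is an added example, not Vial's own code: the prefix list beyond NEXT_PUBLIC_, the drop-one-token variant rule, and the names Resolve and dropOne are assumptions. It returns the tier that matched so fuzzy matches can be reviewed, and it refuses to choose when several vault keys qualify.

```go
package main

import (
	"fmt"
	"strings"
)

var prefixes = []string{"NEXT_PUBLIC_", "VITE_", "REACT_APP_"} // assumed list; the page shows only NEXT_PUBLIC_

// dropOne (assumed tier-3 rule): long equals short once one middle token is removed.
func dropOne(short, long string) bool {
	t := strings.Split(long, "_")
	for i := 1; i < len(t)-1; i++ {
		rest := append(append([]string{}, t[:i]...), t[i+1:]...)
		if strings.Join(rest, "_") == short {
			return true
		}
	}
	return false
}

// Resolve returns the vault key and matching tier; tier 0 = none or ambiguous.
func Resolve(want string, vault map[string]bool) (string, int) {
	if vault[want] {
		return want, 1 // tier 1: exact
	}
	base := want
	for _, p := range prefixes {
		base = strings.TrimPrefix(base, p)
	}
	if base != want && vault[base] {
		return base, 2 // tier 2: prefix stripped
	}
	hit, n := "", 0
	for k := range vault {
		if dropOne(base, k) || dropOne(k, base) {
			hit, n = k, n+1
		}
	}
	if n != 1 {
		return "", 0 // never pick between several candidate secrets
	}
	return hit, 3 // tier 3: single naming variant
}

func main() {
	vault := map[string]bool{"SUPABASE_URL": true, "SUPABASE_KEY": true} // constructed
	fmt.Println(Resolve("NEXT_PUBLIC_SUPABASE_URL", vault))
}
```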

One install. Zero dependencies.

Single static binary. ~9 MB. macOS and Linux, arm64 and amd64.

brew install cheesejaguar/tap/vial

Or from source: git clone && make build