Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.envless.cloud/llms.txt

Use this file to discover all available pages before exploring further.

Personal access keys (ev_live_…) authenticate Envless from environments that can’t run an interactive browser login — CI runners, Docker builds, production hosts, serverless platforms, and any tool calling the Envless API directly.

Each key is scoped to a workspace and can be named, rotated, or revoked from the dashboard at any time.

When you need one

https://mintcdn.com/envless-7b88c948/nR8RUPgNBtCF5SFI/assets/icons/duotone/gear.svg?fit=max&auto=format&n=nR8RUPgNBtCF5SFI&q=85&s=354d2949d17be7b46fb8b7f60df66292

CI / CD pipelines

GitHub Actions, GitLab, CircleCI, etc. — set ENVLESS_TOKEN and envless sync, envless run, and the runtime import all work.
https://mintcdn.com/envless-7b88c948/nR8RUPgNBtCF5SFI/assets/icons/duotone/terminal-window.svg?fit=max&auto=format&n=nR8RUPgNBtCF5SFI&q=85&s=59666127dd6ae7b6c5dd9fce7bd3e392

Production hosts

Long-running servers without a cached browser session.
https://mintcdn.com/envless-7b88c948/nR8RUPgNBtCF5SFI/assets/icons/duotone/stack.svg?fit=max&auto=format&n=nR8RUPgNBtCF5SFI&q=85&s=4dd9ad9eaf696af9dfa5a1c215ada25d

Docker builds

Mount the key as a build secret; never bake it into a layer.
https://mintcdn.com/envless-7b88c948/9f3dXE0TchC0LVM7/assets/icons/duotone/code.svg?fit=max&auto=format&n=9f3dXE0TchC0LVM7&q=85&s=fbd6ab5160f56cd28bd3af2bff1550eb

API access

Anything talking to the Envless API programmatically.

Create a key

1

Open the Keys page

Go to app.envless.cloud/keys and select the workspace you want a key for.
2

Generate

Click “Create Key”, give it a descriptive name (e.g. ci-production, vercel-preview, github-actions), and click “Generate Key”.
3

Copy the value immediately

The full ev_live_... value is shown once. Copy it into your CI/host secret store right away — the dashboard never shows it again.

Use the key

Expose the key as ENVLESS_TOKEN in the target environment. Every Envless command and the runtime loader pick it up automatically.

export ENVLESS_TOKEN=ev_live_xxxxxxxxxxxx

envless sync               # pull encrypted variables, write .env.<slug>
envless run -- npm start   # inject into a child process
node --import @goenvless/envless/register server.js   # runtime import

See CI/CD & Production for platform-specific setups (GitHub Actions, Vercel, Docker, Kubernetes).

Naming and rotation

Name keys for the place they live, not the person who created them:

GoodWhy
ci-productionOne key per pipeline, easy to revoke without breaking other things
vercel-previewScoped to a platform and environment
docker-buildTargeted revocation when the image registry changes
bardhyl-laptopBad — use envless login on laptops instead

Rotate keys whenever:

  • An employee with access leaves.
  • A CI provider you used was breached.
  • You’re not sure if a key leaked — rotate first, investigate second.

Revoking

From the dashboard, delete the key. The next call using it gets a 401 immediately. There’s no grace period — design pipelines around that (generate the new key, update the secret, then revoke the old).

Keep keys secret. Never commit them to git, paste them in chat, or print them in build logs. If you suspect a key has leaked, revoke it from the dashboard immediately — the old value stops working the moment you delete it.

Programmatic API access

Beyond authenticating the CLI and runtime, personal access keys let you call the Envless HTTP API directly. Pass the key as a bearer token:

curl https://api.envless.cloud/projects \
    -H "Authorization: Bearer ev_live_xxxxxxxxxxxx"

The API is read-only today — list workspaces, projects, environments, and (ciphertext) variables. See API Overview for the full surface, Authentication for the auth flow, and the Endpoints reference for every operation.