Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.envless.cloud/llms.txt

Use this file to discover all available pages before exploring further.

The auth model

On a developer machine, envless login caches a token and decryption key at ~/.envless/config.json. CI and production hosts don’t have that, so they authenticate with a personal access key: 
export ENVLESS_TOKEN=ev_live_xxxxxxxxxxxx
Generate keys in the dashboard at app.envless.cloud/keys. Give each key a descriptive name (ci-production, vercel-preview) so revocation is targeted.

GitHub Actions

.github/workflows/deploy.yml
jobs:
    deploy:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4
            - uses: actions/setup-node@v4
            - run: npm ci
            - run: npm run build
              env:
                  ENVLESS_TOKEN: ${{ secrets.ENVLESS_TOKEN }}
                  ENVLESS_ENV: production
ENVLESS_ENV picks which environment from .envless to fetch. If you only linked one, it’s not needed.

Vercel

  1. Generate a key in the dashboard.
  2. Add ENVLESS_TOKEN to your Vercel project’s environment variables.
  3. The @goenvless/envless/next plugin picks it up during next build automatically.
For preview deployments, set ENVLESS_ENV=staging (or whichever environment you mirror previews against).

Docker

Dockerfile
FROM node:20-slim AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN --mount=type=secret,id=envless_token \
    ENVLESS_TOKEN=$(cat /run/secrets/envless_token) \
    npm run build

FROM node:20-slim
WORKDIR /app
COPY --from=build /app .
CMD ["node", "--import", "@goenvless/envless/register", "server.js"]

docker build --secret id=envless_token,env=ENVLESS_TOKEN -t myapp .
The token is mounted as a build-time secret — it never enters the image layers.

Fly.io, Railway, Render

Set ENVLESS_TOKEN as a platform secret. Set ENVLESS_ENV=production (or whatever you named the environment). Build and run as normal.

Kubernetes

env:
    - name: ENVLESS_TOKEN
      valueFrom:
          secretKeyRef:
              name: envless
              key: token
    - name: ENVLESS_ENV
      value: production
The loader runs at pod startup. For zero-downtime variable rotation, pair with an ExternalSecret operator (separate guide coming).

Choosing the environment

The loader picks the environment in this order:
  1. ENVLESS_ENV env var if set.
  2. The single environment in .envless, if there’s only one.
  3. The first environment in .envless, with a warning.
In CI, always set ENVLESS_ENV explicitly — relying on order is brittle.

What ships to the runtime

ComponentDevCI buildProduction runtime
.envlesscommittedcommittedcommitted
envless-env.d.tscommittedcommittedcommitted
ENVLESS_TOKEN— (uses cached key)requiredrequired
Encrypted bundlefetched + cached on diskfetched at buildfetched at boot
Plaintext valuesin memory onlyinlined into client chunksin process.env