Share.env
FeaturesUse casesPricingCLI
Log inStart for free

Your team's secrets deserve better than Slack

Upload your first .env file and see what secret sharing looks like with real access control.

Product

  • CLI
  • API documentation
  • Service status

Legal

  • Privacy policy
  • Terms of service
  • Cookie policy
  • Security
Send an email

share.env

© 2026 share.env. All rights reserved.

Built for teams who take secrets seriously.

Security

Built on access control, not obscurity

AES-256 at rest

Every table has Row Level Security. Every file is encrypted at rest. Here's the detail behind that, and how to report a problem if you find one.

Security enforced at the database, not the UI

Every table in share.env has Row Level Security turned on. A hidden button in the interface is not a permission boundary. A policy is.

Row Level Security on every table

Postgres policies decide who can read or write a row before your application code ever runs, so a bug in the UI can't leak another team's secrets.

create policy "workspace_members_select"
on public.env_files for select
using (is_workspace_member(workspace_id, auth.uid()));

AES-256 encryption at rest

File contents are encrypted in Supabase Storage. Nobody, including us, reads a .env file outside of an authorized request.

High-entropy share tokens

Links are generated with cryptographically secure tokens, always carry an expiry date, and can be revoked the moment access should end.

Full audit trail

Every change to a file is recorded with who made it and when, so security reviews take minutes instead of days.

Infrastructure and sub-processors

share.env runs on a small, named set of providers, each under a data processing agreement:

  • Supabase Postgres database, authentication, and encrypted file storage. Row Level Security policies run inside the database itself, so authorization holds even if application code has a bug.
  • Vercel application hosting and edge network for the web app and API routes.
  • A transactional email provider used only for invite and account emails.

How access is enforced

  • Row Level Security is enabled on every table with no exceptions; the default is deny-all, and every operation needs an explicit policy.
  • Workspace roles (owner, editor, viewer) are enforced by those database policies, not just hidden in the UI a missing button is UX, not a security boundary.
  • Share links use cryptographically generated, high-entropy tokens, always carry an expiry, and can be revoked instantly.
  • Password-protected environments layer a scrypt-hashed password with TOTP or a passkey, and optionally a workspace-issued Access Key, before any content is returned.

Data protection

File contents are encrypted at rest in Supabase Storage. We don't log the contents of your .env files or access tokens in application logs, error trackers, or analytics.

Compliance status

share.env is an early-stage product. We haven't pursued SOC 2 or ISO 27001 certification yet, and we won't claim we have. What we do have is enforced from day one: database-level RLS, encryption at rest, and least-privilege use of service-role credentials. We'll update this page if that changes.

Reporting a vulnerability

If you find a security issue, email kpzsproductionscontact@gmail.com with details and, if possible, steps to reproduce. We don't yet run a paid bug bounty program, but we will acknowledge reports, fix confirmed issues promptly, and credit reporters who want credit.

Please don't test against other users' data or workspaces you don't own; use your own account and environments.