Scan, backup, and sync all your project API keys with one command. Powered by 1Password & Bitwarden.
.envfiles get lost when you switch machines- Secrets scattered across GitHub, Cloudflare, and local files
- New team members spend hours collecting API keys
- No one remembers which permissions a token needs
shipkey solves all of this.
# Install (standalone binary)
curl -fsSL https://shipkey.dev/install.sh | bash
# Scan your project and launch the setup wizard
shipkey setupTip:
shipkey setupwill automatically open a web-based wizard connected to a local API server, guiding you through each provider with step-by-step instructions and saving keys to your password manager (1Password or Bitwarden).
You can also install shipkey as a project devDependency to pin the version per project:
# npm
npm install -D shipkey
# bun
bun add -d shipkeyThen run via npx / bunx:
npx shipkey setup
bunx shipkey pullOr add scripts to your package.json:
{
"scripts": {
"setup": "shipkey setup",
"keys:pull": "shipkey pull",
"keys:push": "shipkey push"
}
}shipkey scan → Detect .env files, workflows, wrangler configs
Generate shipkey.json with providers & permissions
shipkey setup → Open browser wizard to enter API keys
Save to password manager + env-specific local files
shipkey pull → Restore all keys from password manager to local files
New machine ready in seconds
shipkey sync → Push secrets to GitHub Actions, Cloudflare Workers
One command, all platforms
| Backend | CLI | Read | Write | List |
|---|---|---|---|---|
| 1Password | op |
✅ | ✅ | ✅ |
| Bitwarden | bw |
✅ | ✅ | ✅ |
Set the backend in shipkey.json:
{
"backend": "bitwarden"
}Default is "1password" if omitted (backwards compatible).
shipkey auto-detects providers from your environment variable names. 40+ providers are supported with setup guides built in.
| Category | Provider | Env Pattern |
|---|---|---|
| AI | OpenRouter | OPENROUTER_* |
| OpenAI | OPENAI_* |
|
| Anthropic | ANTHROPIC_*, CLAUDE_API_* |
|
| Google AI | GEMINI_*, GOOGLE_AI_* |
|
| Replicate | REPLICATE_* |
|
| Hugging Face | HUGGINGFACE_*, HF_* |
|
| fal.ai | FAL_* |
|
| xAI | XAI_*, GROK_* |
|
| Payments | Stripe | STRIPE_* |
| Auth | Clerk | CLERK_* |
| Auth0 | AUTH0_* |
|
| Social / OAuth | GitHub | GITHUB_* |
GOOGLE_*, GCP_* |
||
| Discord | DISCORD_* |
|
| Slack | SLACK_* |
|
REDDIT_* |
||
| Product Hunt | PRODUCTHUNT_*, PH_* |
|
| Communication | Agora | AGORA_* |
| Twilio | TWILIO_* |
|
| SendGrid | SENDGRID_* |
|
| Resend | RESEND_* |
|
| Databases | Supabase | SUPABASE_* |
| Turso | TURSO_* |
|
| Upstash | UPSTASH_* |
|
| Neon | NEON_* |
|
| ClickHouse | CLICKHOUSE_* |
|
| Redis | REDIS_* |
|
| Database | DATABASE_*, DB_* |
|
| Dev Platforms | Expo | EXPO_* |
| Daytona | DAYTONA_* |
|
| Infrastructure | Cloudflare | CLOUDFLARE_*, R2_* |
| AWS | AWS_*, EC2_* |
|
| Vercel | VERCEL_* |
|
| Fly | FLY_* |
|
| npm | NPM_* |
|
| Sentry | SENTRY_* |
|
| Web3 | Coinbase | COINBASE_* |
| Alchemy | ALCHEMY_* |
|
| WalletConnect | WALLETCONNECT_* |
|
| Pimlico | PIMLICO_* |
|
| Etherscan | ETHERSCAN_* |
|
| CMS | TinaCMS | TINA_* |
| Notion | NOTION_* |
|
| Maps | Mapbox | MAPBOX_* |
| OpenWeather | OPENWEATHER_* |
|
| Analytics | Plausible | PLAUSIBLE_* |
| Forms | Formspree | FORMSPREE_* |
| Security | Turnstile | TURNSTILE_* |
| Sandbox | Sandbank | SANDBANK_*, SANDBOX_* |
Unrecognized variables are grouped under General. To request a new provider, open an issue.
Launch an interactive browser-based setup wizard.
shipkey setup # Current directory, prod env
shipkey setup -e dev # Dev environment
shipkey setup --port 3000 # Specify API port
shipkey setup --no-open # Don't auto-open browserThe wizard provides:
- Step-by-step guides for each provider (Cloudflare, AWS, Stripe, etc.)
- Auto-inferred permission recommendations from your project code
- One-click save to 1Password or Bitwarden
- CLI status checks (op/bw, gh, wrangler) with install instructions
Scan your project and generate shipkey.json.
shipkey scan # Scan and write config
shipkey scan --dry-run # Preview without writingDetects:
.env,.env.local,.env.example,.dev.vars,.envrc- GitHub Actions workflow secrets
- Wrangler bindings (KV, R2, D1, Queues, AI)
package.jsondependencies (AWS SDK, Supabase, Stripe, etc.)
Auto-infers required permissions per provider.
Push local env values to your password manager.
shipkey push # Push prod env (default)
shipkey push -e dev # Push dev env
shipkey push --vault myteam # Custom vaultPull secrets from your password manager and generate local env files.
shipkey pull # Pull prod env (default)
shipkey pull -e dev # Pull dev env
shipkey pull --no-envrc # Skip .envrc generation
shipkey pull --no-dev-vars # Skip .dev.vars generationGenerates environment-specific local files:
| Environment | Regular projects | Cloudflare Workers |
|---|---|---|
dev |
.env.development.local |
.dev.vars |
prod |
.env.production.local |
.dev.vars.production |
Also generates:
.envrcwithop://references for direnv (1Password) or direct values (Bitwarden)
Sync secrets to external platforms.
shipkey sync # Sync all targets
shipkey sync github # GitHub Actions only
shipkey sync cloudflare # Cloudflare Workers onlySupported targets:
- GitHub Actions — sets repository secrets via
gh secret set - Cloudflare Workers — sets secrets via
wrangler secret put
List all stored secrets in your password manager.
shipkey list # Current project
shipkey list --all # All projects
shipkey list -e prod # Filter by environmentshipkey.json is auto-generated by shipkey scan. You can also edit it manually.
{
"project": "my-app",
"vault": "shipkey",
"backend": "1password",
"providers": {
"Cloudflare": {
"fields": ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"]
},
"Stripe": {
"fields": ["STRIPE_SECRET_KEY"]
}
},
"targets": {
"github": {
"owner/repo": ["CLOUDFLARE_API_TOKEN", "STRIPE_SECRET_KEY"]
}
}
}Secrets are stored as items in a vault, organized by section:
op://{vault}/{provider}/{project}-{env}/{FIELD}
Example:
op://shipkey/Cloudflare/my-app-prod/CLOUDFLARE_API_TOKEN
op://shipkey/Stripe/my-app-dev/STRIPE_SECRET_KEY
Secrets are stored as Secure Note items in a folder, using custom hidden fields:
Folder: {vault}
Item: {provider} (Secure Note)
Field: {project}-{env}.{FIELD} (Hidden)
Example:
Folder: shipkey
Item: Cloudflare
Field: my-app-prod.CLOUDFLARE_API_TOKEN = sk-xxx
Item: Stripe
Field: my-app-dev.STRIPE_SECRET_KEY = sk-xxx
- Bun runtime
- One of the following password manager CLIs:
- 1Password CLI (
op)brew install --cask 1password-cli
- Bitwarden CLI (
bw)npm install -g @bitwarden/cli
- 1Password CLI (
- GitHub CLI (
gh) — for GitHub Actions sync - Wrangler — for Cloudflare Workers sync
MIT