Shelve
Centralized secrets management with encryption and team synchronization
AI Summary
Shelve is a platform for secure secrets management that centrally manages API keys, tokens, and environment variables. The tool offers envelope encryption per project, automatic GitHub synchronization, and is compatible with AI coding agents like Cursor and Claude.
✓ Pros
- Open source and free to self-host with full control over encryption keys
- AES-256-GCM envelope encryption per project limits damage in case of compromise
- Seamless integration with AI coding agents through automatic .cursorignore/.aiderignore configuration
✗ Cons
- Hosted version still relatively new, long-term availability unclear
- Limited third-party integrations beyond GitHub currently available
Use Cases
- Centralized management of API keys and environment variables for development teams
- Automatic synchronization of GitHub Actions Secrets with single source of truth
- Secure secrets injection into CI/CD pipelines without .env files on disk
- Audit logging of all access to sensitive configuration data with IP and user agent
Who is it for?
Development teams and DevOps engineers who need a secure, centralized solution for secrets management with complete audit control.
What is Shelve?
Shelve is a secrets management platform that stores and manages API keys, tokens, and environment variables in a central location. The core idea: no more .env files on local drives or in repositories, but an encrypted, versioned source for all configuration data a team uses. Shelve can be self-hosted. Those who do retain full control over the encryption keys.
Core features
- AES-256-GCM envelope encryption per project. If a single project is compromised, other projects remain protected because each key is managed separately.
- GitHub Actions synchronisation. Shelve acts as a single source of truth and writes secrets to GitHub Actions automatically. Manual maintenance in two places is no longer necessary.
- Secrets injection into CI/CD pipelines. Instead of .env files on the build server, secrets land directly and in a controlled way inside the pipeline process.
- Audit log with IP and User-Agent. Every access to sensitive configuration data is recorded, which makes forensic analysis easier after incidents.
- AI agent compatibility. Shelve automatically configures .cursorignore and .aiderignore files so that tools like Cursor or Claude cannot access secret files.
- Open source and self-hostable. The full codebase is publicly visible and deployment is handled on your own infrastructure.
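
The per-project envelope encryption named in the feature list, as an added sketch that is not Shelve's code or API: each project gets its own random data key (DEK), stored only in wrapped form, and a DEK leaked from one project cannot open another project's secrets. It assumes a single master key (KEK) wraps every DEK; all function names and sample values are hypothetical.

```javascript
// Added illustration: per-project envelope encryption with AES-256-GCM.
// All names here are hypothetical; this is not Shelve's code or API.
const crypto = require('node:crypto');

// AES-256-GCM encrypt. `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt. Throws if the key, AAD or ciphertext do not match the tag.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// New project: random DEK, kept only wrapped under the master key (assumed layout).
function createProject(kek, projectId) {
  const dek = crypto.randomBytes(32);
  return { projectId, wrappedDek: seal(kek, dek, `dek:${projectId}`), secrets: {} };
}

function unwrapDek(kek, project) {
  return open(kek, project.wrappedDek, `dek:${project.projectId}`);
}

function putSecret(kek, project, name, value) {
  const dek = unwrapDek(kek, project);
  // Project id and secret name as AAD: a ciphertext cannot be moved to another slot.
  project.secrets[name] = seal(dek, Buffer.from(value), `${project.projectId}/${name}`);
}

function getSecret(kek, project, name) {
  const dek = unwrapDek(kek, project);
  return open(dek, project.secrets[name], `${project.projectId}/${name}`).toString();
}

// True if the DEK of `leakedFrom` can decrypt the named secret of `target`.
function leakedDekOpens(kek, leakedFrom, target, name) {
  const dek = unwrapDek(kek, leakedFrom);
  try { open(dek, target.secrets[name], `${target.projectId}/${name}`); return true; }
  catch { return false; }
}
```

The isolation holds only for a leaked DEK: anyone holding the KEK can unwrap every project's key, which is why control of that key matters when self-hosting.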
Who is Shelve for?
Developer teams that currently distribute secrets via shared .env files, password managers, or informal channels get a centralised alternative with an access log. The audit logging is particularly relevant for teams that need to meet compliance requirements. The AI agent integration addresses a concrete problem: many developers now work with coding assistants that, without explicit configuration, can access secret files.
Those considering the hosted version should bear in mind that Shelve is still relatively new and the long-term availability of the service remains unclear. For production-critical environments, the self-hosted variant is therefore the more straightforward choice.
Context & alternatives
Shelve sits in the developer-centric secrets manager segment, alongside HashiCorp Vault, Doppler, and Infisical. Vault is significantly more comprehensive but requires considerably more configuration effort. Infisical is also open source and offers more third-party integrations. That is where Shelve's most notable current limitation lies: beyond GitHub, very few integrations are available.
Teams that work primarily with GitHub, use AI coding agents, and want a lean self-hosted solution with a transparent audit trail will find Shelve a focused tool that covers exactly that stack.