Varlock - AI-safe .env files

AI-safe .env files:
Schemas for agents,
Secrets for humans.

.env.schema
# Declarative schema — AI agents get full context, never secret values
# @sensitive @required @type=string(startsWith=sk-)
OPENAI_API_KEY=
# @type=enum(development, preview, production, test)
APP_ENV=development # set non-sensitive default values directly
# use function calls to securely fetch data from external sources
XYZ_TOKEN=exec('op read "op://api-prod/xyz/auth-token"')

Unlike .env.example, your .env.schema is a single source of truth, built for collaboration, that will never be out of sync. AI agents can read your schema for full context — without accessing your secrets.

AI-Safe Config

Your .env.schema is readable by AI agents — they get full context on your config without ever seeing secret values. Prevent leaks to AI servers by design.

Leak Scanning

Proactively scan your codebase for leaked secrets with varlock scan. Set up git hooks to catch leaks before they're committed.

Runtime Protection

Redact sensitive values from logs and console output. Detect leaks in bundled client code and outgoing server responses at runtime.

Validation

Powerful validation capabilities, without custom logic. Misconfiguration errors are surfaced much earlier in your development cycle, with clear error messages.

Type-safety

Automatically generate types according to your schema - the single source of truth - instead of writing them by hand.

Environments

Combine defaults, environment-specific .env files, local git-ignored overrides, and process env vars. Compose values together using functions.

Secure secrets

Load secrets from 6 provider plugins — 1Password, Infisical, AWS Secrets Manager, Azure Key Vault, Google Secret Manager, and Bitwarden — or any CLI tool.

Installation

# Install as a dependency in a js project
npx varlock init
# OR install as standalone binary via homebrew
brew install dmno-dev/tap/varlock
# OR via cURL
curl -sSfL https://varlock.dev/install.sh | sh -s

Drop-in replacement for dotenv

my-app.ts
// before: import 'dotenv/config';
import 'varlock/auto-load';
// *optional* type-safe env access
import { ENV } from 'varlock/env';
// before: const client = new AbcApi(process.env.ABC_API_KEY);
const client = new AbcApi(ENV.ABC_API_KEY);

varlock can be used as a direct replacement for dotenv in most projects. Just swap your import and get validation, security, and more. No other code changes required!

Run anywhere - with any language

varlock run -- python my_script.py

Use varlock run to inject resolved, validated env vars into another process.